Internal Audit during COVID-19, a ‘partner in business’ for protecting business value

Internal Audit during COVID-19, a ‘partner in business’ for protecting business value

Internal Audit during COVID-19, a ‘partner in business’ for protecting business value

Amidst the COVID-19 global pandemic organizations across the globe are facing the impact of the crisis and are waging their efforts to the right response and mitigating measures of the diverse effects. Leadership of organizations typically call upon subject matter experts in Finance, Human Resources, Communications and Business Continuity related roles, but not many organizations involve the 3rd line of defense from the very beginning: The Internal Audit Department.

Given the Mission of Internal Audit, as formulated by the Institute of Internal Auditors (IIA), they could truly add value in managing the crisis at hand:

“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

Internal Audit in times of crisis management

To assess the role of internal audit during times of crisis starts with a fundamental question that typically lies with leadership in organizations: to what extent do you use the Internal Audit Function to add value in important decision-making processes during such hectic times? The definition of Internal Audit by The IIA clearly shows multiple angles from which Internal Audit can be appealed to:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

In the context of the COVID-19 pandemic all of these areas are important to address as part of crisis management which directly provides a role for Internal Audit as well. Although many organizations never (really and fully) dwelled upon the business impact of a pandemic aftermath, all hands are on deck to focus on the most critical business disruptions that need management’s attention. But how about the actual involvement of Internal Audit?

A poll by The IIA's Audit Executive Center (AEC), which looked at how organizations have reacted to COVID-19, provided a diverse picture of internal audit's role. While most chief audit executives surveyed reported that they are now involved in their organizations' responses to the coronavirus, 37% said they should have been brought in sooner to discuss the risks and potential responses. Only slightly more — 43% — felt they were involved in a timely manner[1].

Changes in Risk and Control environment

The risk and control environment of organizations is constantly subject to change, but without any doubt we can say that the impact of the current COVID-19 pandemic on the worldwide economy has a direct impact on the risks all organizations are facing. Not only a change in the existing risk landscaping most likely occurs but also new risks will arise, like:

  • Information Security (incl. personal data) Risk: as a result of the new way of working from home during lockdown instructions;
  • Reputational Risk: the importance of relationship management with clients and personnel through proper communication and taking the appropriate actions;
  • Outsourcing Risk: continuity of services being provided by supply chain partners is safeguarded;
  • Model Risk: Validity of financial models and used algorithms, especially in Cash Flow forecasts.

Controls might work slightly different as the working circumstances and availability of staff has changed. Assess the additional measures/compensating controls taken by management. A thorough review of the audit plan is recommended and identify the changes in risks and control environment, both temporary as permanent. Based on this assessment decide which audits are still feasible to be performed and plan for more ad hoc audits on those controls and areas that have been affected by the current situation.  

Audit plans therefore need to be flexible and sometimes it requires to postpone an audit or to do it differently (remotely). Do not forget to report the changes in the audit plan to the appropriate body in your organization, like the Audit Committee or the Supervisory Board of Directors.

In unprecedented challenging times like the COVID-19 pandemic, businesses are obliged to rethink their business model and way of working fundamentally for the sake of survival. We should call upon all the lines of defense, including Internal Audit to support leadership navigate the business to a post COVID-19 reality in which organizational value is enhanced and protected.

[1] Initial Pandemic Responses Didn't Leverage Internal Audit, Richard Chambers

An article by Herbert Beldman & Roy Jansen.

Related content