Internal Audit: a crucial part of the COVID-19 crisis response
The COVID-19 era is changing every aspect of business – and one of the normally less visible areas, internal audit (IA), is no exception. The IA function should be – and is – standing up to become a crucial part of organisations’ crisis responses.
Over the past fortnight KPMG has held webinars with well over 100 organisations to glean current experiences and share learnings – and what is clear is that the role of IA staff is necessarily adapting to unique circumstances.
Across all sectors we are seeing significant adaptation of IA work. Usual risks are being displaced in priority by emerging COVID risks. The clarity of the traditional ‘3 lines of defence’ of the internal audit/controls function (management team, risk team and IA staff) is breaking down in this crisis – management may be fewer; the risk team may be diverted to other roles; IA staff may be deployed elsewhere.
The advent of widespread working from home is a real issue for many companies which are not really geared up for it – segregation of duties is especially difficult where usual controls such as senior people signing off hard copies cannot be done, and where fewer staff may also be taking on higher/additional roles.
This can create a ‘perfect storm’ for mistakes to be made. We are seeing manual workarounds to just ‘get things done’ – which can potentially compromise the overall integrity of the control framework.
More than half of attendees in the sessions said they were now undertaking, or were part-way through, a ‘critical control’ (CC) review – especially core cyber issues caused by remote working, along with basic IT hygiene, virus and data management.
Critical control analysis is also needed for payment controls, where some organisations have adjusted delegation levels and approved arrangements. Some may have learned that their critical control has not been good enough and needs to be strengthened.
One thing is clear – Audit Committee chairs want the IA function to step up. Many organisations are now repositioning the IA function to directly support crisis management teams – and I believe they should be doing this. IA has access to so much information within the entity – and it is right that it should be playing a more pro-active role now as a function and providing bodies to support the crisis team.
Audit Committee chairs still want assurance but the areas of need from IA are changing – it’s now real-time assurance and data input they need. Timely and succinct information is the order of the day, not 40-page glossy reports or end-to-end documents.
A crucial role IA can play is to provide constructive challenge to decisions (and underlying assumptions) which are necessarily being made in haste in many cases. In one case study in our webinars, a health organisation said new processes were being brought in almost every day – there has to be some internal checking of these, and this is where IA can stand up.
Issues abound – for example, mass home-working needs cyber security education of staff, with different mobile devices being brought into the mix. And if lockdown extends to 6-9 months, mental health of staff is a risk – how does IA address that? Can we place the usual amount of trust in our controls? Succession planning in case of sickness?
Other issues among many include brand/reputation risks – how has your company been seen to respond? Health and safety risks – how can this be done virtually? Are Business Continuity Plans being reconsidered in light of fewer staff?
And of course the potential for fraud has never been greater. My forensic colleagues told the webinars that it was the biggest opportunity for fraud in their career. The elements of the long-established ‘fraud triangle’ – opportunity, motive and rationalisation – are now coinciding. There are echoes of GFC experience – headcount reduced, processes rationalised and controls under pressure – but the advent of widespread homeworking makes the strain on controls worse than in 2008-9. Segregation of duties doesn’t always travel well and technology must play more of a role – it is better suited to working from home than physical checks, and shrewd use of Data & Analytics can identify suspicious trends.
So what to do in this unprecedented situation?
It is vital that the workforce understands the impact of the pandemic – and that new requirements and policies that result in change are effectively communicated. Wider pandemic planning and preparedness could include business areas such as virtual teams, BCP, financial stress-testing, supply chain and procurement, and internal/external communications.
Encouragingly we are observing IA playing two vital roles in crisis management, in conjunction with crisis management teams (CMT).
1. Providing ‘arms and legs’.
- Pausing some IA projects and redistributing resources to front-line assistance.
- Conducting risk scanning over the changing risk profile and providing assurance over the appropriateness of activities.
- Supporting with scenario and impact analysis with key risks and control overlay.
- Providing project and change management support for crisis response – and running ad hoc analytics.
2. ‘Enabling and assuring’.
- Providing agile, informal feedback – checking and challenging changes in process.
- Challenging CMT assumptions and forecasts made over impact of crisis and adequacy of response.
- Reviewing the adequacy of short-term ‘workarounds’ implemented by CMT in response to unique circumstances.
- Assessing critical controls, and giving health checks on performance of those controls.
Longer term, IA should be involved in post-event reviews to ensure learnings from the COVID-19 era improve crisis response. But that is for the future. In the here and now, the IA function is adapting to the unique circumstances we all find ourselves in.