“Predicting the unpredictable: coping with risk and uncertainty” has always been a key mantra, and this is true today with the emergence of COVID-19.
Under normal circumstances, around this time, risk professionals and internal auditors would find themselves preparing for a yearly ERM exercise and upcoming audit plans, but these exceptional times necessitate the need to adapt and evolve beyond the annual routine. To adopt a distinct set of priorities, boost up and assist your organization by making use of your specific set of competencies, knowledge and contributing to business continuity plans. As it is well said, “A Disaster is too big an opportunity to miss”, this should not be the time for regrets, but constructive collaboration to develop an agile response, and identify practical solutions not just for this disaster time but even for perpetuity.
Bodies such as AICPA and PCI SSC have already allowed conducting remote audits for their various standards such as SOC1, SOC2 and PCI DSS.
With these uncertain times and unheard-of challenges faced by auditors in performing audits, auditors are encouraged to be more agile and inventive in performing audits and complying with the auditing standards. The secret is remembering that while the auditing standards outline the performance requirements for obtaining reasonable assurance, with the changing circumstances, auditors are now allowed to perform remote audits but the issue will always remain to attain reasonable assurance and save from future liability, for this, most auditors might rely upon technology in performing audit procedures
With these upcoming scenarios where many auditors are working remotely, audit firms are encouraging partners and senior auditors to less experienced auditors. This is to ensure the importance of staying attentive to the standard of evidence for confirming whether that evidence is sufficiently appropriate to cut back audit risk to an appropriately low level. An audit isn’t about merely checking off audit procedures, rather, it requires professional judgment about the gathering and evaluating evidence and understanding what that evidence indicates. While times are difficult for auditors, times also are difficult for clients.
Internal Audit considerations
As organisations adapt to dealing with the initial impact of COVID-19. Auditors should be prepared to adjust to this period in a sustainable way and adapt to this ‘new normal’.
It is important that Internal Audit is proactive and prepared, while remaining pragmatic, as the situation continues to evolve. Internal auditor, functions have an important role to play and continue to provide critical Assurance, help Advise management, help Anticipate emerging risks and temporarily focus more on their advisory role.
A few strategies
- Embrace short-term prioritisation and regular review/updates to the audit plan
- Collaborate with key stakeholders to understand any new and/or elevated risks, and assesses how best to obtain assurance
- Continue to deliver its on-going assurance activities by considering remote working to perform the audit and virtual planning meetings and understand the level of electronic documentation available.
- Undertake remote walkthroughs (‘talk-through’), progress updates, and to discuss emerging findings by Adopting and/or increase the use of new technologies to deliver work.
Internal Auditor can work more closely with other assurance providers to reduce disruption to the business. At these times of reduced management and organisational bandwidth, Internal Auditor functions should seek opportunities to reduce overlap with other assurance providers including External Audit, Compliance, and Enterprise Risk Management. Where possible, auditors to engage with such assurance providers to understand their scope of work, coverage, and depth of testing to be performed to identify and progress opportunities to collaborate and assist.
Internal Auditor functions can provide an objective voice and real-time assurance to teams by attending project steering groups and providing an independent, objective voice to help challenge management’s thinking on risk and critiquing the design of new and/or amended controls prior to implementation.
Challenges for Internal Audit
- Internal Auditor functions should keep their staff motivated and support them whilst working in remote environments by connecting to team through measures such as:
- Weekly team catch-ups, check-ins with individual team members to discuss any isolation issues, workloads, or any other challenges that may arise
- Virtual coffee sessions – A fun way to help stay connected as a team,
- Share success stories and positive events happening across the organisation to maintain a positive outlook,
- Planning for contingency arrangements on each key audit review and at the leadership/management level. Think of ways to keep things moving where an audit or other activity is business-critical and take steps now to ensure a smooth transition.
- There is also an opportunity to adopt a more flexible and iterative risk assessment and planning process to allow for more flexibility in how to deploy resources in the future.
It is not just Internal Auditor that will be changed by the COVID-19 experience. We don’t expect the business to ever return to the same “BAU” – there will likely be more remote working, less travel, greater use of technology, and many other changes, depending on the industry. Internal Auditor needs to consider these and the impact on their future strategies.
Hope this article helps in your endeavours. In our upcoming articles, we will cover strategies to conduct remote audits for SOC1, SOC2 and PCI DSS… Till then, stay home and stay safe.
