Internal auditing is also referred to as management or operational auditing because its scope goes beyond traditional financial auditing considerations to consider business and management issues. By applying core auditing, accounting, and business competencies, internal auditors can provide unique organization-wide perspectives to stakeholders that include management and the audit committee of the board of directors. To foster independence, the chief audit executive should report directly to the audit committee.
Cybersecurity was a persistent threat before COVID-19, and not surprisingly, organizations continue to face increasing risks in this area.
To serve its internal audit practitioners, the NYSSCPA maintains an Internal Audit Committee. Members of the committee recently met to discuss their experiences and produce recommendations for how internal auditors can address the impact of COVID-19 on their organizations. Focus areas include risk assessment, continuous monitoring, service delivery, people, and stakeholder communications.
A Changing Environment
Internal auditors were already experiencing changes and revising strategies before COVID-19. Digital transformation and other emerging technologies challenged many internal audit functions. For many, COVID-19 required reprioritizing priorities to respond to resiliency issues relating to the virus. Yet as organizations seek even more digital solutions to interact with customers and employees, internal audit must continue to manage these risks.
Cybersecurity was a persistent threat before COVID-19, and not surprisingly, organizations continue to face increasing risks in this area. The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) recently issued an alert warning that “actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments. APT [advanced persistent threat] actors frequently target organizations to collect bulk personal information, intellectual property, and intelligence that aligns with national (Alert AA20-126A).” Despite the global pandemic, threat-actors continue to pose threats that require an internal audit to assess the organization’s risk management program.
Cost-optimization was always on the mind of most executives, and the economic pressures from COVID-19 enhanced attention to this area. Optimization does not necessarily mean reduction; instead, it ensures the appropriate alignment of expenditures with strategic organizational initiatives. Typically, it also requires enhanced governance and automated monitoring tools to identify and question expenditures.
Reconsidering Threats and Risks
Annually, and sometimes more frequently, internal auditors perform a risk assessment of their organization and communicate results of the evaluation to the audit committee and other stakeholders. Among other purposes, the risk assessment helps chief audit executives monitor their organization’s risk profiles and determine the annual audit plan as the situation dictates. At the onset of the virus, some internal audit functions reacted by lending their risk management expertise to help resolve immediate service delivery and operational issues. Leveraging investments in data analytics to identify relevant key performance indicators facilitated the automated monitoring of risks. Continuous monitoring tools, which include attending management committee activities and participating in organizational task forces, enabled internal audit’s ability to contribute to updating the organization’s enterprise risk assessment.
As their organizations pivot from the reaction phase to the establishment of new operational baselines, internal auditors continue to adapt their assessments and audit plans. This requires that internal auditors focus on their organization’s changing risk profile, resulting in the reprioritization of their original plans. This revised focus can include allocating resources to priorities that require completion as soon as possible to assist with recovery and reentry efforts. Depending upon the industry, events could impact credit, cyber, market, and liquidity risks, as well as their tolerances. For many sectors, operational, governance, and process risks were also affected. Especially of concern to internal audit were questions of how exceptions to controls and risk acceptances were granted, as well as third-party risks, including supply chain disruptions.
As a result of these changing guidance, internal auditors are reconsidering their annual audit plans and communicating with stakeholders to take any necessary triage actions. Flexible internal audit risk assessments increasingly consider current business impact analysis, including the impact of the pandemic on organizational profitability, service delivery, and overall enterprise risk management.
Not only does the risk assessment involve postponing audits and audit projects; it also involves providing audit services for new and emerging risk areas. For example, some organizations made temporary changes to service delivery models to quickly restart operations, which made up for shortages in employees. These events led to the curtailment of specific traditional controls, requiring new risk mitigation strategies and enhanced audit monitoring. Other identified concerns were the ability of vendors and other third-party service providers to remain resilient. Finally, recovery and, in some cases, survival planning is another example of internal auditors lending their expertise in facilitating organizational objectives.
Using Data Analytics to Enhance Monitoring
For years, internal audit has considered the adoption of data analytic technologies. These often require some type of manual involvement to extract data and cleanse it for further analysis. Sometimes these extracts resulted from the inability of the business unit to provide an automated feed. On the higher end, some internal audit departments have been able to implement tools, including those that use robotic process automation, that facilitate continuous monitoring over organizational activities. Either way, internal auditors continue to adopt available tools to monitor risk exposures on a real-time basis.
For example, larger financial service organizations may focus on credit and loan activity trends. Based on the data available, internal auditors can monitor portfolio performances, identify payment trends, and uncover suspicious activities. Many internal auditors are enhancing their understanding of core systems to identify data that can be useful in developing continuous monitoring programs. In smaller entities, internal auditors focus their reviews on identifying trends and providing a risk-based perspective of information supplied by these systems that line-of-business managers may not have time to review.
To the extent available, internal auditors are also using data provided by vendors and third-party service providers to enhance monitoring capabilities. These can include performance reports, information feeds, industry benchmark activity reports, and compliance with service-level agreements. Analytical review over financial activities, including key industry ratios and cash management, may also be available from the organization’s banking relationship managers.
Audit Operations
Not only must the internal audit focus on the organization; it must also ensure that its service delivery strategy promotes a practical function that delivers respectable, valuable, and reliable results. As a result of COVID-19, these functions adapted and implemented procedures to provide the expected level of service demanded by their stakeholders. Many audit functions modified their plans from a traditional basis to one that focuses on the current year only, adapting a quarterly plan to prioritize services.
In the first quarter of 2020, internal audit functions responded to immediate needs and concerns, including temporarily redeploying staff to the business. For example, internal auditors have helped management to get recovery programs—e.g., the Paycheck Protection Program (PPP)—and activities started, and fill in gaps when needed and appropriate. Fortunately, due to the nature of their work, many internal auditors were already experienced at working remotely and able to adapt quickly to the new working environment.
As the second quarter unfolds, many internal auditors continue to expand their continuous monitoring programs.
As the second quarter unfolds, many internal auditors continue to expand their continuous monitoring programs. They are also focusing on the increasing use of cloud services with the security implications, such as confidential video conferences. Enhanced use of cloud technology provides the opportunity for internal auditors to review contracts and service-level agreements for compliance. To account for these changes and reprioritizations, chief audit executives are delaying audits and audit projects where possible to the third or fourth quarter.
Audit Reporting and Stakeholder Communication
Any major change requires clear communications with stakeholders; the current crisis is no exception. Internal auditors are often called the “the eyes and ears of the audit committee.” To achieve this requires strong relationships, credibility, and trustworthiness, qualities aspired to by chief audit executives. During the crisis, audit committee members continued to rely on their internal audit functions to supplement and confirm status reports provided by management. In regulated industries, many internal auditors have comparable communications with their regulators.
Communications include providing perspective on an organization’s activities and communicating the effectiveness of planned risk management strategies. Some areas of focus include ensuring compliance with regulatory expectations, despite the challenges caused by COVID-19. Other reportable items include identifying control activities that have been suspended and tracking their eventual restoration, and ensuring the resolution of related risks. Another concern involves increased oversight of suppliers and other third-party service providers. As a result, internal auditors have dedicated more time to reviewing external assessment reports, such as Service Organization Control (SOC) 1, SOC 2, and internal reports provided by vendors. The COVID-19 crisis exposed concerns at several organizations that discovered unexpected weaknesses in their vendors’ resiliency capabilities.
Caring for and Managing People
Not surprisingly, the human factor has had the most dramatic impact on internal audit during the COVID-19 crisis. Recognizing the personal impact is vital to enabling internal audit staff to contribute to the organization’s and department’s objectives. Fortunately, many internal auditors have been able to work remotely. Like other professions, internal auditors have mostly overcome the strain that everyone has experienced.
An organization’s capability to provide employees with appropriate technology has been critical for productivity, an overall sense of community, and general mental well-being. A sense of teamwork and enhanced collegial relationships have resulted from shared concern, and a sense of community has developed through nontraditional communication channels, such as periodic “virtual” social hours.
Although many organizations report increased productivity levels, others continue to investigate tools to monitor employee activity while working remotely. A more significant challenge facing internal audit is helping organizations understand and manage the risks of bringing employees back to the worksite. Internal audit’s unique skills in risk assessment can be applied to the complexities of working remotely. Strategically, internal audit will also need to develop new relationship management skills within an organization—not just for conducting interviews or issuing reports, but also for monitoring events effectively.
Uniquely Positioned
Given their well-practiced skills in risk assessment and cumulative enterprise knowledge, internal auditors can deliver significant value to their organization and their colleagues. All businesses will face many challenges in the recovery phase of the virus. Management will need to prioritize and assign resources to a changed business environment. The focus on controls may be surrendered in the name of efficiency and creativity. These are no doubt critical for organizations to survive; but so are discipline, governance, and the need to manage risk. Internal auditors can respond to this crisis by helping the organization and its people navigate the challenges, and eventually succeed.