How Enterprises Can Manage Internal Audits Without Impacting Critical Operational Areas During COVID-19


Ricky Philip, Content Strategist

Friday, October 23, 2020

Following the precipitous global uncertainty caused by the COVID-19 pandemic, enterprises, their environments, and business strategies are evolving swiftly and in previously unenvisaged ways.


The approaches that organizations are executing to contain and respond to COVID-19 are anticipated to be in place for a while. It's therefore imperative for internal auditors to stay up to date with governmental and new regulatory announcements and to understand organizational responses when devising internal auditing tasks. The recent travel ban and restricted interactions are essential warnings that neither internal audit (IA) policies nor the ways of achieving these objectives are unvarying. Redefining the internal auditing strategy to reprioritize audits based on emerging organizational risks, continuing regulatory requirements, and the restrictions in executing audits can help address the most significant risks while also reinforcing the IA team's future relevance and purpose.

Internal auditors and auditing firms were already revising strategies even before COVID-19 impacted regular working environments. Digital transformation, RPA, software solutions, and other emerging innovative technologies challenged several internal audit functions. For many auditors, the pandemic made it necessary to reprioritize in order to respond to resiliency issues. Yet as enterprises explore more digital opportunities to collaborate with customers and employees during lockdown, internal audits must continue to manage these risks. Cost-effective and virtually efficient internal audits were always on most executives' minds, and the current economic pressures from COVID-19 have heightened attention to this area.

How has COVID-19 affected internal auditors?

COVID-19 presents an opportunity for enterprises to embrace technology to implement innovative ways for auditing. These technological enhancements won't only help auditors during the pandemic but will also enable them to work efficiently and effectively even after returning to business as usual. For internal auditors, the outbreak also provides an opportunity to reaffirm the significance of their responsibility by actively and flexibly responding to evolving risks in a changing environment.

When reprioritizing and updating the audit plan, internal audit functions also need to reassess their resources, knowledge and capabilities. They should evaluate whether they have the tools and technology to deliver the audit work remotely and securely. Enterprises should make sure their auditors have sufficient resources to perform the audits remotely. They must also acknowledge and mitigate the auditing crisis they currently face in the context of their own obligations and change priorities for internal audits, based on relevant insights acquired from other successful strategies.

Can enterprises manage internal audits during COVID-19?

IA should undertake the following key actions to manage internal audits during COVID-19:

  • Assess crisis management and business continuity plans
  • Advise on upcoming risks and think beyond immediate risks
  • Adapt to remote working and internal audit software
  • Monitor and update the organization's requirements and audit plan

Assess crisis management and business continuity plans

Organizations should have implemented existing crisis management and business continuity plans by now. For many enterprises, having to administer a majority of employees working from home was unplanned. This brings several IT challenges which internal audits should assess. For example, IA should evaluate the changed risks related to the stronger dependency on and use of IT as a core enabler in the crisis, which may include the following areas:

  • Whether security settings for remote connections and secured individual access mechanisms are in place and operating effectively
  • Whether network capabilities are sufficient for a large number of employees working remotely for an extended period
  • Whether critical user access controls are maintained, since flexible and remote working arrangements mean individuals require extensive access to systems

Advise on upcoming risks and think beyond immediate risks

While enterprises are often focused on their immediate risks and challenges, IA should support them in thinking beyond these. This could extend to the immense risks that enterprises face as they adjust to the new normal.

These risks could include:

  • Cyber threats
  • Bandwidth unavailability
  • Network barriers
  • Health and safety

Given the rapid shift of many enterprises to remote working, auditors should initially consider fraud and phishing risk, which can arise from changes of administration, segregation of duties, or the overriding of usual approval procedures.

IA should assess and help organizations by providing advice regarding communication and revised audit practices, such as adopting emerging guidance regarding virtual audit evidence and audit policies.

Monitor and update the organization's requirements and audit plan

IA should work closely with management to continually monitor operations and support enterprises in looking beyond the current crisis and considering resumption planning. Going forward, it's likely that enterprises will look at their processes to ensure that internal audits are conducted in an agile, remote way. This will incorporate further digitalization and automation, as enterprises will likely introduce audit software solutions to re-evaluate manual processes, improve efficiency, reduce expenses, and overcome reliance upon on-site resources.

Adapt to remote working and internal audit software

Embracing technology is critical at this time, as the implementation of data analytics, RPA, and AI allows practitioners to continuously monitor and detect fraudulent activities remotely.

During virtual meetings, internal auditors should understand the level of electronic documentation available and request evidence from management in the form of scanned paper documents, images, or videos.

Arrangements should be made to allow auditors to work remotely, have direct access to necessary data, and have the right technology, such as internal audit software that enables virtual evidence submission, cross-platform integration, teleconferencing, and automatic report generation.


Enterprises operate in a constantly changing environment with the need to prepare and plan for a wide range of strategic and operational risks and respond quickly to crises. Building resilience is imperative for all companies and requires an effective combination of risk management and continuous improvement. Regardless of size, every organization requires a resilient framework that addresses critical operational areas and maintains effective and regular communication with its auditors.

Ricky Philip is an industry expert and a professional writer working at ThinkPalm Technologies. He also has a passion for writing on emerging technologies and innovative tools in the areas of SD-WAN solutions, e-commerce applications, and audit software.

