We are currently facing a major change in our personal and work lives. As the international response to COVID-19 continues to develop, we know that organisations are facing significant challenges, to which they must respond rapidly. As a trusted advisor and assurer to the business, Internal Audit has a vital role to play in the response approach - guiding decision making at the highest level.
All businesses will be affected to varying degrees. Many will face challenges around working capital, workforce management and the supply chain. Internal Audit functions will need to navigate those challenges carefully to ensure they are focussing on what is going to be of the most value to the organisation.
The involvement of Internal Audit corresponds perfectly with the function’s strengths: aligning with stakeholders’ values, taking a risk-based approach, having a flexible and dynamic Internal Audit Plan, and providing both assurance and consulting services.
We highlight below a few strategic areas that Internal Audit (IA) functions should be considering during these times.
Contribute to the organisation’s crisis response activities and review the Internal Audit plan
Almost inevitably, there will be an impact on the annual audit plan - whether as a result of management being busy responding to COVID-19, the change in working practices with many working remotely, or travel restrictions where audits were planned in different locations.
A few factors to consider when reviewing the audit plan:
Determine the level of assurance you have on the company’s response strategy based on IA’s involvement in the process. Then carry out reviews of response activities to help management validate the approach being taken - such as pre and/or post implementation reviews of changes to the disaster recovery process, systems changes, or even reviews of supplier contracts terms and conditions. IA can further support with effective scenario planning as the situation continues to evolve
Identify new risks arising from COVID-19, add them to your universe and assess whether new audits should be included in any current or post crisis plans. Some companies may realise that they have a key supplier risk or a customer concentration risk. Also consider including a fraud risk assessment, and understand activities being undertaken to proactively monitor key fraud risk controls - such as payments, supplier management and payroll.
Identify audits that are impacted one way or the other by COVID-19 and assess them on a case-by-case basis to come up with a recommendation for the Audit Committee. Undoubtedly some audits will have to be cancelled, others will have to be deferred and some can be brought forward. Consider if you can bring forward system configuration and IT application controls work that may be easier to perform remotely. Also, identify any business areas that can be audited on a real-time basis.
Use your findings from the above three areas to refocus your Internal Audit resources. This may include areas such as IT resilience and capacity, supply chain, working capital, cash forecasting, cyber and privacy.
Identify any activities that can be expedited in the immediate term, and conducted remotely in order to create capacity in the future once the business recovers, such as follow-ups. Assess the most efficient and effective ways to deliver your plan using various communication technologies, file-sharing tools, and remote-access mechanisms.
Progress strategic and/or internal IA initiatives
While most chief audit executives have an IA strategy in place with clear planned strategic initiatives and a list of internal projects they aim to run during the year, the main focus and priority is always on achieving the audit plan. With many parts of the business busy responding to COVID-19, IA may find itself having more time to progress, or even plan and implement, such strategic initiatives. Areas you may want to consider:
- Governance and methodology
- Quality assurance improvement programme
- Technology
- Integration
- Awareness sessions
- Digital upskilling and training
Governance and methodology
Review and refresh the key elements of Internal Audit governance. Review and update your charters, policies and manuals, refresh your methodology (e.g. shift from functional audits to process audits, or from process L3 to L2 etc.), and update your templates and report classification ratings.
Quality assurance improvement programme
Review your Internal Audit function to assess quality (via internal / external quality assurance reviews, maturity assessments and benchmarks), identify areas for improvement, and document an improvement plan aligned with the Internal Audit Code of Practice.
Technology
- Establish or enhance continuous auditing and digitisation activities.
- Upgrade, enhance or implement an audit management system or other systems.
- Embed data analytics or action tracking capability. Take the time to consider how you might embed continuous data monitoring across key areas of the business.
- Improve management information by developing dashboards for the IA function, management and audit committee.
Integration
Start or progress integration efforts with other lines of defence and assurance providers within the organisation, such as risk management or compliance. Start by Assurance Mapping and progress to developing a framework and system.
Awareness sessions
Hold virtual awareness sessions for management on relevant matters such as audit, governance, risk, compliance etc. and the role they can play to help.
Digital upskilling and training
Take the opportunity to assess the IA team’s current skill sets, identify gaps and develop plans to meet any training requirements, as well as upskilling and reskilling the team to emerge stronger. Many training options are available online.
Also consider seconding your team members into other parts of the organisation to focus on business processes that have increased in importance during COVID-19. For example, working capital, workforce management and supply chain management. This will not only enhance your team’s skills and perspectives but will ensure Internal Audit is at the sharp end of the business response.
The organisation will of course be under great pressure during these uncertain times. But now provides the opportunity for the internal audit function to provide relevant, strategic and timely advice to management. Effective prioritisation of activities during this time can support the business not just to survive, but in fact to emerge stronger.
Contact us
Adnan Zaidi
UAE Risk Leader and Middle East Assurance Clients & Markets Leader, PwC Middle East
Tel: +971 56 682 0630
Ahmed AlKiswani
Partner, Regional Financial Services Leader, PwC Middle East
Tel: +97450098446
