
20 Jul 2020
It’s been four months since all of Luzon was placed under the enhanced community quarantine. Only those private establishments providing basic necessities were allowed to open. Mass public transportation was suspended. Work-from-home arrangements were implemented.
Most organizations felt the effect of the pandemic. Without the normal revenue flows, companies are putting planned investments in technology, workforce, and capital expenditures on hold. Some are even forced to make tough decisions around staffing. Flexible work arrangements, such as reduction of work hours and days, rotation of workers, and enforcement of forced leave, were implemented as alternative coping mechanisms and remedial measures.
These flexible work arrangements and other business continuity planning (BCP) measures introduced a range of new risk areas. This creates a need for Internal Audit functions to stand with the business to provide the support it needs to deliver its services in a safe, secure and trusted way.
Changes to the control environment arising from activating BCP
The control environment of an organization will naturally change when BCP is activated. As such, it is essential to map the key processes and controls under a Business As Usual scenario and the impact of potential changes to these controls under various contingency scenarios brought about by BCP arrangements.
With its process mapping and controls capability, Internal Audit (IA) is in the right position to initiate documentation of these key processes. Its knowledge of the business can help create contingency scenarios and the needed controls. For example, IA can document the impact of changes to management roles and structures on delegations of authority to guide the organization in case the scenario happens.
New or elevated cyber security risks
The increased use of remote working arrangements has brought about new or elevated cyber security risks to the organization. Internal auditors can contribute in this aspect by assessing the organizational readiness of the staff and other workers in continuing operations. They can review the current protocols and provide recommendations in areas such as access and communication, IT support, secure remote access, and incident monitoring and response.
Privacy and data protection
IA can also revisit an organization’s data breach policy and practices. They can likewise assist in reiterating privacy obligations to employees by facilitating refresher training sessions.
Fraud
As core processes are impacted by changes brought about by the pandemic, the potential for fraud is heightened. IA can maximize the use of data analytics to look for indicators and investigate in real time.
Time to act
Whatever IA’s involvement in the COVID-19 response is, the top priority of the Head of Internal Audit should be the continued safety and well-being of the team. A new delivery model should be established in order to address this. Transform the methodology using data and technology.
Maintain regular contact with your stakeholders, i.e. the Audit Committee and management. Proactively articulate the impact and limitations of the function due to COVID-19. Be transparent about whatever IA is doing in response to support the business.
And as we plan for the post-pandemic environment, consider the following priority areas in recalibrating your 2020 audit plan and in your annual audit planning for 2021:
IA has spoken about ‘agility’ and ‘value’ for quite some time now. This is our opportunity to act.
* This article is based on PwC’s Considerations for Internal Audit