Internal audit can strengthen non-financial corporate resilience during disruptive events

Our Take Special Edition - March 31, 2023

The ripple effects of the current bank stress are being felt across the economy, reigniting fears generated in the 2008 financial crisis when interruptions to payments and flows of funds impaired the ability to do business.

To be resilient during this period of stress and to be better prepared for any future stress events, getting risk and crisis scenario modeling right is essential. Internal Audit (IA) functions are well positioned to connect the dots across risk factors within the organization, independently identify potential impacts of the current environment and craft forward-looking considerations for executives and the audit committee.

How can IA functions help formulate a crisis response?

The stress in banking has revived concern about the fragility of critical relationships and how single points of failure might cascade through a supply chain or an industry. 

IA teams should consider revisiting how they define risk in the current environment and within their respective industries, recognizing that tail risks in a financial services crisis could manifest in a number of ways, and how the enhanced risk definition impacts the scope and timing of their audits.

Below we share our point of view on areas of immediate Internal Audit consideration, in conjunction with management. Chief Audit Executives (CAEs) may view these as conversation starters with first and second line risk response teams, yet the crucial point is to begin to talk about the issues. The conversations may illuminate other topics to investigate for potential weaknesses and remediation. In turn, that work can spur dialogue with the audit committee about the outcome of IA’s impact analyses.

  • Work with leaders in finance and treasury to assess the organization’s direct and, potentially more important in the current environment, indirect banking relationships for potential liquidity risk that might affect operations, suppliers or customers.  

  • Assess the effectiveness of management’s business continuity plan activation to meet payroll or vendor payments in the event that a short-term cash shortage is caused by issues in the banking industry.

  • Determine if management has cataloged bank accounts globally and whether the extent of deposit diversification aligns with leadership’s treasury management strategy and concentration of risk appetite.

  • Evaluate with controllers and finance the impact of bank exposure on customer liquidity and whether process enhancements are needed for bad debts provisioning in the case of a severe crisis affecting an important customer (see PwC’s How should corporate treasurers respond report).

  • Assess how management established internal fraud prevention procedures when communicating to vendors new bank routing and account numbers if the organization is in the process of changing or diversifying its bank accounts.

  • Work with leaders in supply chain and finance to avert fraud by tightening disbursement and vendor management controls, and include verbal confirmation with vendors who are changing ACH and wire transaction instructions (see PwC’s Strengthening bank fraud defenses report).

  • Work with supply chain and finance leaders to tighten change control procedures governing the vendor master file to limit fraud risk; confirm appropriate segregation of duty controls are in place.

  • Align with management on detective controls and monitoring procedures to identify inadvertent activity or any unusual patterns and to label duplicate vendors, which may indicate attempted malicious activity.

  • Evaluate how management is considering the extent of reliance on particular third parties to support operations and whether diversification is needed from a third-party risk management program perspective.

How are internal audit plans affected by bank stress?

No matter the industry, audit plan priorities are shifting amid the crisis. IA teams should focus on testing the risk mitigation activities and controls in areas such as:

  • Enterprise risk management - How is the program supporting risk assessment and the continuous monitoring and reporting of risk exposure against the company’s defined risk appetite?

  • Liquidity and asset-liability management - These areas could include testing for the issues that factored into the current bank stress such as quickly changing interest rate levels, inadequate investment risk management (corporations are likely concerned about their access to supposedly “safer” Treasury bill and/or money market accounts), and communication missteps to investors and the public.

  • IA methodology updates - Confirm that liquidity and crisis management risks are incorporated into IA projects. The aim is to build longer-term capabilities for analyzing these risk themes on a continuous basis.

What's next?

Macroeconomic forces continue to shift and IA’s perspective will be needed to navigate the emerging reality. 

IA can be reactive or proactive, but either way we believe that having a plan is the cornerstone of an effective response to this or any crisis. CAEs, with their organization-wide pulse on risk areas, can bring independent, holistic perspectives to crisis management and be the voice that communicates insights from the lines of defense to executive leadership and the audit committee. 
