Managing risks for organisations impacted by COVID-19

As the global spread of the Covid-19 is significantly affecting organisations as well as individuals, knowing how to reduce the accompanying risks is key.

The dynamic spread of COVID-19 and the uncertain developments ahead are causing all of us a hard time. As well as its effect on people, the coronavirus is rapidly disrupting business and consumer activity in the affected areas and beyond.

With more risks arising – such as cyberattacks, data transfer confidentiality issues, concerns about the resilience of primary service providers, project delays, or struggles with maintaining service and supply levels – it is important to take the right actions to organise your business as well as possible.

For this purpose, we have created an overview, with key questions for you to consider and suggested activities for you to conduct.

You might find practical guidance for some of your impacted key functional areas here.

Internal audit (IA)

The impacts of COVID-19 are being strongly felt in the areas of IA and cybersecurity.

The necessary changes in working practices and organisational arrangements in response to COVID-19 will introduce a range of new or enhanced risk areas, and they will also have the potential to disrupt existing systems of internal controls in significant ways. In turn, this will create a need for agile IA functions to better enable the continuity of services by means of remote working – minimising the impacts on, and maximising the value of, the IA activities that are conducted by management and teams across the organisation. IA must stand with the business to provide the support that it needs to deliver its services in a safe, secure, and trusted way.

With remote working, greater dependency on technology, and online interactivity comes the increased risk of cyber threats. As more information and data is transmitted online, and fewer on-site support systems are readily available, the IT management must be ready to provide the safeguards and support that are required in order to ensure that cybersecurity, data protection, and IT operations controls are not compromised, especially when they are particularly vulnerable to external threats in this period.

As the duration of the present circumstances remains unknown, a number of critical areas will need special attention.

Key Questions to Consider

  • What are the options for your Heads of IA to conduct audits, fulfil your remits to stakeholders, and keep your IA teams safe?
  • How have you adapted your operating model to continue delivering on your IA mission?
  • How do you maintain continuous and efficient interactions with IA stakeholders?
  • How do you manage remote working?
  • How do you manage any resource and competence shortages?
  • What technological solutions are in place in order to provide the organisation with a secure and seamless remote working environment?
  • How has the IT team been structured and assigned so that they are able to effectively operate their IT support and control functions remotely?
  • Are there sufficient safeguards in place to ensure that all remote working services and transfers of data are not compromised?
  • How do you plan to manage the effectiveness of the controls of your third-party providers and the security surrounding your data and services if those providers have also been impacted by the COVID-19 disruptions?

Critical Services

  • Safeguarding the IA mission: the IA mission must be maintained (in terms of the regulatory requirements and the IA charter) or, at the very least, be refocused on the critical items.
  • Conducting virtual IA reviews: use PwC technology solutions to conduct virtual reviews in order to inspect the general control environment at the organisation, then use the results to determine where deep dive on-site audits should be conducted.
  • Keeping IA staff safe: most IA engagements are performed on-site – the current circumstances may prevent the execution of IA engagements as they were initially planned, jeopardizing the traditional ways of delivering IA.
  • New types of risks: organisations may face new types of risks – and, as a result, the risk assessment and audit plan will need updating and require IA attention, although IA departments may lack the bandwidth and competences to address those new risks.
Hide

Required fields are marked with an asterisk(*)

By submitting your personal data to us, you acknowledge that you have read the Privacy Statement and that you consent to our processing in accordance with the Privacy Statement. If you change your mind at any time,you can send us an email message using the Contact Us page.

Get in touch

Nguyen Phi Lan

Partner, Assurance Services Leader, PwC Vietnam

Tel: +84 24 3946 2246

Xavier Potier

Partner, Risk Services Leader, PwC Vietnam

Tel: +84 28 3823 0796

Yu Loong Goh

Director, IT Risk Assurance Services, PwC Vietnam

Tel: +84 28 38230796