Internal Audit considerations in response to COVID-19
As organisations adapt to dealing with the initial impact of COVID-19, Internal Audit (IA) functions have an important role to play. With their organisational knowledge and highly relevant skillset, they can support teams and help the organisation to adjust to this period of change and adapt to the ‘new normal’.
Navigating change: an unprecedented challenge
Following the COVID-19 outbreak, there have been rapid changes in organisations, their environments and their ways of working, in ways that had not been foreseen. Chief Audit Executives (CAEs) and Heads of Internal Audit (HIAs) are faced with new considerations and challenges.
- How should IA adjust its coverage to take a pragmatic and balanced consideration of risk in times where stakeholders have competing priorities?
- Can members of IA functions support crisis management teams?
- How can IA avoid having to defer a large part of the IA plan until later in the year and get more involved now?
- Where IA work is deferred, what impact does this have in terms of regulatory requirements and the ability of CAEs to comment on the controls environment?
- How to deliver high quality reviews through remote working?
- How to keep staff motivated?
How Deloitte can help
In these unprecedented times, Deloitte is committed to helping our clients identify solutions to the new challenges and find answers to the emerging questions about IA. Below we outline some proposed responses to the most burning issues.
IA can adjust its coverage to take a balanced consideration of risk and provide assurance by:
- Focusing on the things that really matter,
- Collaborating with key stakeholders to understand any new and/or elevated risks,
- Embracing short-term prioritisation,
- Reducing stakeholder input and producing short, sharp advisory pieces.
IA functions may support crisis management by playing a part in a ‘Look Ahead’ team:
- IA can use its broad knowledge of the business to help ensure that key risk areas have been identified by crisis response teams.
IA should avoid deferring a large part of the IA plan until later in the year through:
- Performing work remotely, adjusting work patterns and utilising new technologies,
- Prioritising emerging risk areas,
- Considering how IA resources can be re-purposed to support critical activities or the organisation’s response to COVID-19 (for example, supporting the front line, undertaking response/preparedness reviews, scenario planning, etc.).
In cases where IA work is deferred:
- Be guided by the Audit Committee,
- Be clear about what has not been considered: with a risk-based approach, adopt a limitation of scope and focus on priority areas,
- Keep abreast of the regulator’s views and comments as the situation evolves.
In order to deliver high-quality reviews through remote working, consider:
- Increasing budgets to factor in the additional effort required for remote working,
- Increasing the use of technology capabilities, e.g. Zoom or Microsoft Teams,
- Prioritising work based on risks and reducing the number of audits completed in the year.
Keeping staff motivated:
- Implement measures such as weekly team catch-ups, check-ins, daily stand-ups, and virtual coffee sessions,
- Share success stories.