Internal audit and the health crisis has been saved
Under the current circumstances, dialogue with other internal control departments, which would normally be regarded as facilitating the detection of potential risks and weaknesses, should now be considered as a genuine opportunity to reduce duplication and minimize contacts with management and/or critical operational departments.
An approach based on a more systematic review of the relevance of the work carried out by these departments (focusing mainly on the second line of defense – essentially compliance and risk management) will provide an up-to-date overview of the scope of their work and of the coverage and depth of the tests already carried out.
Where capacities are under pressure, it may be appropriate to reconsider the implementation of the internal audit plan in order to avoid any delays. By the same token, internal audit may be able to take advantage of less busy periods for most of its work. Internal audit departments must plan for:
- having to rely on information-sharing technologies or accepting that the scope of some work will have to be altered or reduced in order to be able to complete tasks. Any face-to-face meetings needed may then have to be rescheduled or organized through the necessary communication platforms;
- prioritizing a review of the design and day-to-day functioning of emerging risk controls, such as an analysis of crisis recovery scenarios or the modeling of liquidity and financing needs.
In these unprecedented times, teams taking urgent decisions need impartial advice and reassurance, while the organization needs to remain focused on the future. Internal audit can play a key role here and should be involved in particular in the following cases:
- in project steering committees and when input from an independent, objective voice is required to challenge managers regarding crisis management. A critical review of project portfolios may also help with projects that provide greater added value for the organization;
- with critical reviews of new controls or controls that have been changed prior to implementation in view of changes in the working environment.
Internal audit’s overview of an organization's risk exposure has never been so important. This forward-looking analytical task rounds out the initiatives that form part of the first and second lines of defense in identifying areas at particular risk (e.g. stoppage or slowdown of operations, financial risks, changes in working behavior, remote interactions with clients, more digital environment).
For the internal audit department to be able to tailor its priorities, it must quickly establish close ties with its audit committee (if there is one) and with the board of directors and other stakeholders on which the organization is dependent, such as the regulator. These early exchanges will allow teams to more effectively define and approve the conduct of critical work and identify whether it is necessary to incorporate new and/or high risks into the internal audit plan. Moreover, any change to internal audit’s focuses can be agreed upon without delay.
If any of internal audit’s non-essential work has to be postponed or redefined, the department has to assess the impact this will have on compliance with regulatory obligations and the ability of the head of internal audit to issue an opinion concerning the control environment. This issue must be considered by either the audit committee or the board of directors and must take account of the head of internal audit’s duty to ensure adequate oversight. It must be possible to adjust the depth of controls, and thus the level of assurance provided in consultation with governance bodies.
It is important at this stage to consider and specify what has been or has not been covered, or what will or will not be covered, over the course of the year in order to adopt an approach for limiting the scope of work, where doing so is necessary and possible. The selected approach must then be clearly set out in the reports issued.
In some sectors, such as banking/investment fund management or financial sector professionals, an annual summary report must be drawn up and submitted to the regulator detailing the work carried out. Against the backdrop of the current crisis, however, the scope of the internal audit plan may be reduced. It is therefore crucial for internal audit departments to clarify what has and has not been covered over the course of the year and adopt an approach that addresses all the regulatory aspects to be covered at least once a year.
The stakeholders concerned must remain in contact with the authorities and keep up-to-date with the regulator’s published positions and opinions, even while the situation continues to evolve.