COVID-19: Internal Audit’s response in a time of crisis | Deloitte UK has been saved
Watch our latest webinar recording ‘COVID-19: Moving into Recovery’ here: www.deloitte.co.uk/fsiawebinar
This blog outlines Deloitte’s high level views on key Financial Services Internal Audit (IA) considerations given the mass scale business disruption caused by COVID-19. As our businesses adapt to dealing with the initial impact of COVID-19, IA functions have an important role to play to continue to provide critical Assurance, help Advise management and the Board on the shifting risk and control landscape, and Anticipate emerging risks. However, the function’s first priority is to the team - without a functioning IA team, there is no IA function.
Individual country situations differ greatly and are changing rapidly and dramatically, so it is imperative for IA functions to keep abreast of governmental and regulatory announcements, as well as following centrally-coordinated organisational responses and devising IA-specific plans.
IA Team Considerations
Unlike other forms of crisis, a pandemic of this nature doesn’t only cause operational and technology issues for firms, but also has a major impact on both the health and day-to-day work of our teams.
Approach to crisis support
Assure – Regulators are indicating that they expect the three lines of defence to continue operating throughout the period of emergency measures. In our view, IA functions should do two things:
Review the 2020 audit plan to focus on the Truly Greatest Risks (i.e. those critical to the survival and success of the firm) and required regulatory audits. Functions should differentiate between short term and longer term audit needs. In the short term, many functions are also reviewing their skill set and capacity, offering assistance to support business critical functions (noting potential individual independence issues that this may create for the future).
Identify and audit high risk areas that emerge as a result of the emergency measures. Below, and over the page, we outline examples of some potential risk areas, noting there will be many more, varying by business:
Notwithstanding there may well not be a requirement to agree changes to the Audit Plan with a regulator, functions should consider the impact of short term actions on their ability to deliver adequate audit activity (including assurance) under the annual Audit Plan. Later this year and in 2021, audit functions will be held to account, with the benefit of hindsight, by Audit Committees, regulators and other stakeholders, for the coverage achieved. Regular communication with management and Audit Committee Chairs is very important to ensure short-term actions taken are thought through and have support.
Advise – IA functions are well placed to have a role on Crisis Management Boards to highlight emerging risks and to apply a risk and control mind-set to new / developing processes as management create workarounds to cope. IA may also be more able to ‘step back’ and consider a bigger, longer-term or more clearly structured picture than members of management that are in detailed ‘crisis mode’.
Deloitte’s crisis management framework uses three time frame periods to help firms navigate through the crisis: Respond, Recover and Thrive. The post COVID-19 working environment will look very different to today. As firms move through each of these time frames, Internal Audit has a role to advise on future control considerations in light of the new landscape, especially as firms move out of the continuity planning of the Respond phase and into the medium term state of Recover.
Anticipate – IA’s risk lens has never been more important as it plays a role in horizon scanning, supplementing the first and second line in identifying potential risk areas arising from the immediate business impact, including financial risks; different working behaviours; remote customer interactions; and a push towards an increased digital environment.
Click on the image to enlarge.
COVID-19 information:
Aaron is a partner in Deloitte’s Financial Services Internal Audit practice in the UK and has over 19 years of dedicated internal audit experience. He is responsible for the delivery of outsourced, co-sourced and one-off internal audit assignments across the Financial Services sector in the UK. He also supports the development of in-house internal audit functions through consulting activities and the delivery of bespoke training.
Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.