Internal Audit Strategies & COVID-19 Recovery

As our businesses adapt to dealing with the initial impact of COVID-19, Internal Audit functions have an important role to play to continue to provide critical Assurance, help Advise Management and the Board on the shifting risk and control landscape, and Anticipate emerging risks. However, the function’s first priority is to the team – without a functioning Internal Audit team, there is no Internal Audit function. Individual country situations differ greatly and are changing rapidly and dramatically, so it is imperative for Internal Audit functions to keep abreast of governmental and regulatory announcements, as well as following centrally-coordinated organisational responses and devising Internal Audit-specific plans.

Unlike other forms of crisis, a pandemic of this nature doesn’t only cause operational and technology issues for firms, but also has a major impact on both the health and day-to-day work of our teams.

• Welfare of teams: Most Internal Audit functions are already geared towards remote working, but there is usually a face-to-face touch point with the auditee (and Internal Audit team) at various points in the audit – use the technology available to you and try to carry on. It is important to maintain regular check-ins with your teams and to do this via video if possible. Some team members live on their own and face-to-face contact (even if it is only via the laptop) is really important to maintain connection. These will be worrying times for team members, either because they are concerned about themselves/family members who are more at risk, or are fearful about the economic impact and their own job security.
• Staff contingency planning: Statistically speaking, some team members are going to fall ill. Plan now for contingency arrangements on each key audit review and at the Leadership / Management Team level. Think about keeping things moving where an audit or other activity is business critical and take steps now to ensure a smooth transition.
• Flexibility in reporting: As Internal Audit responds to the crisis and changing business risks in differing ways (these are outlined below), there may be a need for more agile auditing techniques or more flexible reporting mechanisms to allow stakeholders to receive Internal Audit’s points of view in a near real-time basis. During this period, Internal Audit should not be hamstrung by traditional reporting templates and should consider ‘hot reviews’, unrated reporting, e-mail reporting, mid-review audit points of view (POV reporting), and oral feedback. This, among other developments, could provide an opportunity to enhance audit methodology for the longer-term, i.e. not just a short-term or temporary response.

Assure – Regulators are indicating that they expect the three lines of defence to continue operating throughout the period of emergency measures. In our view, Internal Audit functions should do two things: 

• Review the 2020 audit plan to focus on the Truly Greatest Risks (i.e. those critical to the survival and success of the firm) and required regulatory audits. Functions should differentiate between short-term and longer-term audit needs. 
• In the short-term, many functions are also reviewing their skill set and capacity, offering assistance to support business critical functions (noting potential individual independence issues that this may create for the future).

Notwithstanding there may well not be a requirement to agree changes to the Audit Plan with a regulator, functions should consider the impact of short-term actions on their ability to deliver adequate audit activity (including assurance) under the annual Audit Plan. Later this year and in 2021, audit functions will be held to account, with the benefit of hindsight, by Audit Committees, regulators and other stakeholders, for the coverage achieved. Regular communication with Management and Audit Committee Chairs is very important to ensure short-term actions taken are thought through and have support.

Advise – Internal Audit functions are well placed to have a role on Crisis Management Boards to highlight emerging risks and to apply a risk and control mind-set to new / developing processes as Management create workarounds to cope. Internal Audit may also be more able to ‘step back’ and consider a bigger, longer-term or more clearly structured picture than members of Management that are in detailed ‘crisis mode’. Deloitte’s crisis management framework uses three timeframe periods to help firms navigate through the crisis: Respond, Recover and Thrive. The post COVID-19 working environment will look very different to today. As firms move through each of these time frames, Internal Audit has a role to advise on future control considerations in light of the new landscape, especially as firms move out of the continuity planning of the Respond phase and into the medium-term state of Recover.

Anticipate – Internal Audit’s risk lens has never been more important as it plays a role in horizon scanning, supplementing the first and second line in identifying potential risk areas arising from the immediate business impact, including financial risks; different working behaviours; remote customer interactions; and a push towards an increased digital environment.

As we continue to observe how the next steps of the COVID-19 crisis play out, firms are planning how best to recover from the unprecedented economic and operational impacts. Here we outline Deloitte’s views on Internal Audit considerations as firms move from a state of respond into a state of recover. How does Internal Audit position itself to support Management through the recovery phase? Having taken drastic and swift actions to respond to the initial crisis, moving to recover poses a more complex set of challenges. This phase does not consist of a linear approach to transition and is likely to result in some movement between initial recovery steps (potentially adapting actions in response to any further negative impact/resurgence of the virus) and a full transition.

A Deloitte survey of financial services firms found their focus coming out of the initial COVID-19 response to be in the following areas, creating new/changing risks and requiring appropriate assurance:

1. Future of work. Firms have been reviewing their operating model and working practices to adapt to whole-firm remote working. The Government’s guidance on ‘COVID-19 Secure’ environments will support this thinking, but the transition back into the office will create new challenges, which include:

• Internal Audit should play a role in providing assurance that workplaces are ‘COVID-19 Secure’ before reopening and an ongoing role in this assurance thereafter (or oversight of second line assurance). 
• This will include reviewing the design of controls and the impact of these new practices over time, as transition arrangements are likely to evolve significantly.

2. Technology investment. COVID-19 created a massive shift in the uptake and reliance of technology on all fronts. Massive investment is expected in order to sure-up and improve both front and back office digital capabilities. Previously committed improvement projects may be expedited and new transformational programmes will be born in the need to support changing ways of working and enhancing client experience. Prioritisation of project spend and project design will be critical and made more difficult in the home-working, changing environment.

3. Controls redesign. Financial services firms are fast realising that many of the most critical operational controls will need to be digitalised to function with an increased remote workforce. Internal Audit has a vital role to play ensuring the responses of the first and second lines of defence are aligned and support the wider firm objectives.

Internal Audit continues to have a crucial role to play in providing assurance, advice and risk anticipation as Management navigate what is the most challenging of situations. What does this mean for the delivery of Internal Audit’s 2020 audit plans?

In a recent Deloitte survey of Heads of Internal Audit, 20% of functions were broadly sticking to the original 2020 plan with a delayed timeline, the remaining 80% have re-planned to account for additional new risks, making some adjustments elsewhere in the Audit Plan to compensate. The changes and challenges are huge and demand focus, however, most (if not all) of the audits on original 2020 audit plans approved by Management and Audit Committees were significant and were there for a risk-based reason. This is creating a resource squeeze in Internal Audit functions and an emerging demand for Internal Audit resources across the market for the second half of the year.

Internal Audit functions should revise risk assessment and audit plans, allowing for sufficient contingency to deal with new and emerging risks that may yet emerge now and in the coming year.

The current COVID-19 situation presents new opportunities for Internal Audit functions to add more value around assurance, improve the advice they provide and increase their anticipation of risk. As organisations have navigated uncharted territory with often imperfect information, Internal Audit’s enterprise-wide viewpoint, ability to ‘join the dots’ and bring external industry insights has heightened its impact and influence. It has also highlighted what stakeholders really value from Internal Audit and challenged how functions provide this, within the boundaries of independence.

We’ve identified five areas which will become increasingly important as functions move through recovery and look to thrive in the future; Developing new products and more rapid insights; Being true to an organisation’s values; Culture and psychological safety; Lessons learned; and Looking forward.

Born of necessity, recent developments in these areas show the way to more permanently re-imagine Internal Audit’s remit in the provision of assurance, advisory insight and the anticipation of risk.

Adding new value through assurance:

New products and more rapid insights - In the current fast paced environment a traditional, rated, ‘3 months to deliver’, end-to-end audit report with pages of actions has not grabbed the attention of time-poor Executives or generated timely improvements to the risk and control environment. As a result, a number of functions have revisited their product suite.

However functions can’t leave their disciplines entirely. A function that gives opinions without grounding them in facts or evidence will quickly undermine its reputation for providing independent credible assurance, and will become just another opinion in the room.

Being true to an organisation’s values - Much has been said about business’s purpose in recent years.

It’s easy for a business to be true to its values and purpose when things are going well. It is much more difficult when things are not, or is it? If an organisation’s values, purpose and red lines are clear then decision making becomes in some ways simpler - certain options are closed off because they don’t align to the stated purpose or values.

For Internal Audit the pandemic has presented opportunities to add significant value to organisations by providing cultural insights or observations about how a Board or Management team are performing in their responses to the pandemic.

Culture and psychological safety - Like purpose, the topics of culture and psychological safety have been debated widely over the recent past. Over recent months, organisational cultures have been placed under new pressures in response to an increasingly volatile, uncertain, complex and ambiguous risk landscape. Concurrent global events have placed increased psychological pressure upon many different groups, including employees, customers, regulators, politicians and all other stakeholders.

Whilst some data points are factual (call volumes to a whistleblowing line for example), other information should be considered as part of both the response to COVID-19 but also the ‘new normal’ of a remote office environment.

Increasing Internal Audit’s advisory role
Lessons learned - The COVID-19 pandemic has been a test case for many recent areas of regulatory focus. During COVID-19, functions have needed to plan and deliver work to cover new risks and related activities in the business, including tactical responses to the launch of new lending schemes, responses to increased and contentious insurance claims, heightened fraud risk (including Cyber) and other challenges posed by remote working (Management, staff and customers alike).

Internal Audit is uniquely placed to perform timely, thorough and impactful ‘lessons learned’ reviews that will help the business drive continuous improvement in the risk and control environment and prepare for future incidents of this type. Whilst ‘lessons learned’ reports are nothing new to Internal Audit functions, the uniquely broad and fast-paced nature of the COVID-19 pandemic make this an area where Internal Audit can raise its impact across the organisation, specifically with key members of Management.

Anticipating new and emerging risks
Looking forward - Internal Audit also has the opportunity to challenge the business around potential forward looking pressures and the adequacy of Management’s response.

Examples include increased litigation or regulatory challenge to COVID-19 related decisions; operation of schemes implemented in a rapid, tactical control environment; legal and operational risks presented by ‘return to work’; expected long term changes to employee and customer behaviour; technical interpretation and application (including availability of reliable data) of accounting standards in financial and management reporting (e.g. impairment and expected credit losses, insurance reserving, fair / market pricing, going concern assumptions and other areas involving forecasting and management judgment); and the impact of the end of Government employment support schemes such as furlough.

The remit, scope and approach of audit functions is under increased pressure, with internal and external stakeholders looking to Internal Audit to play a vital role in providing robust, timely and valuable assurance over the response of controls and governance to the volatile risk environment brought about by COVID-19. As a result, the importance of a high quality Internal Audit function has never been higher. In addition, in much the same way that Internal Audit teams are providing assurance over how businesses have adapted their control environment as a result of COVID-19, Audit Committees and stakeholders want assurance that the Internal Audit control environment has evolved appropriately, with audit quality being maintained. 

In response, Internal Audit functions are refreshing their approach to quality assurance (QA). Going beyond assessing audit quality and promoting a culture of continuous improvement, QA should be used as a tool for providing timely insights into the impacts of remote audit working, identifying real-time improvement opportunities, and sharing best practice to support teams as they settle into new ways of working.

The impacts of the global pandemic have provided new opportunities for Internal Audit functions to add more value around assurance, improve the advice they provide and increase their anticipation of risk. With functions responding with new audit approaches and the increased provision of real time, “advisory” or “in-flight” opinions, the inherent risk within Internal Audit delivery models has increased. As a result, there is a significant need for real-time assurance around the quality and impact of these new ways of working, making sure that they are driving the value and impact of Internal Audit forward, while providing the right assurance at the right time to all stakeholders. 

Internal Audit is also experiencing the same challenges as other parts of the business, with prolonged periods of remote working and the function having to respond quickly to the dynamic and uncertain risk landscape that their business is operating within.

Whilst many Internal Audit functions are used to working remotely, the current prolonged period of remote working has restricted the ‘organic’ and informal face-to-face office interactions. As a result, sharing experiences, best practice and business insights between team members requires more discipline. The virtual office environment also introduces the potential for staff to suffer from isolated working and ‘home working fatigue’ which negatively impact on Internal Audit’s culture and quality. In this environment, QA offers a valuable avenue for communication and education. It provides a mechanism for identifying and sharing best practice and insights across the entire Internal Audit team, as well as addressing areas of audit need and audit quality. 

The impacts of COVID-19 are continuing to evolve at pace, exposing organisations to new, complex and rapidly evolving business risks. As such, Internal Audit must continue to respond and focus on the key risks, whilst delivering assurance in a way that is sympathetic to the operational challenges faced by Management. This is where QA can be of real value; providing real-time assurance over Internal Audit’s response, objectively concluding on the quality of the audit scope, approach and conclusions. 

Now more than ever QA programmes need to go beyond retrospective file reviews of methodology compliance and should cover all aspects of the Internal Audit cycle. They should also be responsive and tailored to the emerging risks associated with Internal Audit delivery in a global pandemic. As a result, QA programmes should consider including:

• In-flight reviews – shadowing key points of the audit cycle to provide continuous real-time feedback. QA teams work closely with audit teams to assess, challenge and resolve areas of potential audit risk during the audit process. This allows potential quality issues to be resolved before audit risk arises and impacts on the effectiveness and reputation of the IA function. The ‘live’ nature of in-flights reviews also allows the sharing of knowledge and best practice with audit teams without impacting on audit delivery or efficiency.
• Thematic reviews – focused on high risk and high impact areas of the audit process. The objective of thematic QA reviews is to perform a detailed assessment of specific areas of audit approach across a higher sample of Internal Audits. These are a fast, effective way of assessing quality and consistency; benchmarking Internal Audit teams to identify training needs and highlighting examples of best practice, which together support continuous improvement and increase the impact and efficiency of Internal Audit.
• Continuous monitoring – the tracking of QA KPIs, identification of emerging trends, and/or material issues, and the sharing of the results with Internal Audit Management to provide visibility on the whole audit function. For example, quality scores arising from the review of key audit deliverables and assessing the extent to which they consider the impact on the organisation’s strategy, provide a complete audit opinion in line with the audit objective, demonstrate and highlight the root cause analysis, and provide appropriate commentary on culture. The use of this continuous monitoring capability will help drive improved standards and proactively inform the future development needs of the audit function.
• Audit plan coverage – helping ensure the audit plan remains risk focussed, while provide adequate coverage in line with the original and revised audit plans agreed with the Audit Committee.

Covering these elements allows QA to become a more effective tool in facilitating positive change; keeping Internal Audit teams focussed on what matters, identifying real-time learning and development opportunities, and supporting the continuous improvement of Internal Audit. This will help ensure Internal Audit departments remain fit for purpose in the current environment, as well as ‘fit for the future’.

Organisations continue to face unprecedented times of change, risk and operational disruption as the impact of COVID-19 continues. Business responses to the pandemic and its associated economic impact have accelerated and accentuated an existing need for Internal Audit to be able to pivot and respond at pace to ever more complex and dynamic risk environments.

Whilst many functions showed impressive speed and flexibility during the initial months of the pandemic, this was often through an ‘all hands on deck’ period of, at times, quite stressful and labour intensive working. As Internal Audit looks to 2021 and beyond, functions should take the opportunity to challenge whether their current ways of working are sufficiently resilient to respond sustainably and with appropriate impact to future stakeholder needs. 

Agile Internal Audit has been successful in helping functions adapt to, and navigate complexity in a continuingly volatile, uncertain and ambiguous environment. An agile approach allows the function to appropriately plan by regularly re-assessing and focusing on stakeholder needs, accelerate audit cycles, drive timely insights and reduce wasted effort – in this sense it has the power to transform how we think and work, and ultimately, the impact that Internal Audit can have on an organisation. Over recent months, functions who have implemented Agile Internal Audit have noted that they have been able to quickly, and sustainably rise to the current challenges.

The feedback and benefits seen when functions adopt Agile Internal Audit include: 

• Better impact, quality, performance and decision making as agile teams are used to re-prioritising work based on new and emerging risks and ensuring a collaborative understanding of value and what really matters. 
• Faster team delivery, reporting, response to changing risks, and closure of control issues through the use of audit sprint cycles and more stable teams.
• Happier stakeholders and teams due to greater transparency, team empowerment and more sustainable ways of working. 
• Safer and more receptive environments for the delivery of other changes aimed at driving continuous improvement in Internal Audi, for example, the use and embedding of analytics, digitisation of Internal Audit processes, resourcing, planning, reporting, leadership structures and behaviours.