color dots


Internal Audit considerations in response to COVID-19

Navigating crisis: An unprecedented challenge

As organizations adapt to dealing with the initial impact of COVID-19, Internal Audit (IA) functions have an important role to play. Learn about Deloitte’s high-level views on key IA considerations given the mass scale of business disruption caused by COVID-19.

The role of Internal Audit in crisis response

As organizations adapt to dealing with the initial impact of COVID-19, IA functions have an important role to play to continue to provide critical assurance, help advise management and the board on the shifting risk and control landscape, and anticipate emerging risks.

The plans that organizations are putting in place to contain and respond to the outbreak are likely to be in place for a period of time. Internal Audit should be prepared to adjust to this period in a sustainable way and adapt to this "new normal." Individual country situations differ greatly and are changing rapidly and dramatically, so it is imperative for IA functions to keep abreast of governmental and regulatory announcements, as well as to follow centrally coordinated organizational responses when devising IA-specific work.

As the COVID-19 pandemic continues, a number of key considerations have been set out in terms of the evolving role of IA during this crisis, the challenges created for IA as a result, and the emerging risk areas for IA to consider.

In this POV, explore Deloitte’s responses to key crisis-related questions such as:

  • How does IA recalibrate its approach to cyclical audit planning and coverage of risk?
  • How does IA continue to deliver its ongoing assurance activities without disrupting critical operational areas at a time of crisis?
  • How might a gap in coverage affect the ability for audit committees to meet annual reporting requirements on controls?
  • Can members of the IA function support crisis response teams?
  • When should IA engage with broader stakeholders including regulators and audit committees to be clear on how IA can best add value or changes to the IA plan?

And more. . .

Back to top

Internal Audit considerations in response to COVID-19

Challenges for Internal Audit during the COVID-19 crisis

Countless challenges for IA have presented themselves during the COVID-19 crisis. It is possible that business may never return to the same business as usual (BAU) they once knew—there will likely be more remote working, less travel, greater use of technology, and many other changes, depending on the industry (for example, closing physical points of sale, rethinking offshoring, reshaping TOM, pushing people to digital channels, dealing with other fundamental and permanent changes to customer behavior, changes to regulatory approaches, and people strategy). These are just a few of the many factors IA needs to consider and their impact on a go-forward basis.

IA functions should take the opportunity to adopt many of the practices that have been utilized effectively during the crisis as the "new normal," examples being more remote working, video conferencing, and remote data analysis. This can have ongoing benefits in terms of efficiency, lower expenses, better work-life balance for IA teams, and environmental benefits arising from less travel.

Discover Deloitte’s approach to COVID-19 related challenges such as:

  • How should IA functions keep staff motivated and supported while working in remote environments?
  • How can IA continue to provide assurance to organizations where stakeholders have competing priorities?
  • Should IA be more substantive in its approach?
  • How does IA respond when asked to help with support work that might challenge their position on independence?
  • Does IA need to get better at assessing the reliability of evidence provided to IA?
  • How can IA continue to deliver high-quality reviews through remote working?

And more. . .

Back to top

color plates

Emerging risk areas for Internal Audit to consider

During a crisis, it is critical for IA teams to be proactive and prepared when it comes to assessing emerging risks and potential responses. This POV explores key considerations for the following risk areas: User access controls, finance, internal controls, cyber, insurance cover, risk management, business continuity, supply chain, customers, contracts, and human capital.

Examine some of Deloitte’s recommended considerations for the mentioned risk areas:

  • Monitoring controls in place—while it may be necessary to modify segregation of duties rules in place, it is critical for organizations to maintain an audit trail that can be referred to later and/or implement mitigating controls
  • Challenging the completeness of management’s accounting and reporting impact analysis, particularly in the context of finalizing December 2019 year-end financial statements and forthcoming quarterly reporting deadlines
  • IA should understand the changes, both temporary and permanent, being made to the organization’s internal control environment
  • Does the organization have sufficient and appropriate licenses in place to cover greater use of tools, technology, and software to support remote working?
  • Does the risk assessment process need to become more agile and adopt more dynamic risk assessment methodologies?
  • Developing and/or testing appropriate scenarios, plans, or measures, including wargaming designed to help to restore business operations (disaster recovery plans)
  • Assessing whether sufficient resources, including third parties, are in place to maintain critical activities at sufficient levels
  • Has the organization adopted a clear communication plan for its customers, including those customers who are particularly vulnerable?
  • The adequacy of plans being put in place by organizations to maintain the health and well-being of their workforce, including implications for the mental health impacts of remote working

Back to top

color bowls
Did you find this useful?