Guiding principles for conducting a remote internal audit

As the organization adjusts its operations to cope with the impact of COVID-19, IA may need to reprioritize and reassess its audit plans and revisit its risk assessment methodology to respond to the changing landscape. This includes dialoguing and collaborating with key stakeholders to identify emerging, shifting, or net-new risks and determining how to work with the business most effectively in planning mitigation strategies.

The pandemic has likely rendered the current internal audit plan obsolete. Accordingly, IA should reprioritize the audit plan as soon as possible to provide assurance over the most consequential risks while being cognizant of the impact on operations; this includes determining where remote auditing can be employed versus those that absolutely require an in-person presence. From an assurance perspective, internal auditors should also consider how operational changes may affect the audit timeline. For instance, process owners may need to move their controls to a virtual environment, which takes time. Importantly, IA should be actively engaged in advising the business around such changes and update its testing plans accordingly.

By utilizing tools that enable collaboration and establishing mutually agreed-upon protocols, IA can efficiently work with process owners to gather and review requested documentation in a remote environment. Select a collaboration tool, establish a turnaround protocol, and leverage screen-sharing and screen recording to assess processes that would typically be reviewed in-person with the process owner.

Obtaining testing data and documentation can be difficult during remote internal auditing, especially if key stakeholders are not used to providing IA complete read-only access in the first place. Given the business focus on operational continuity amid the global pandemic, relying on stakeholders during this period to obtain testing data can further jeopardize timely delivery. This is an opportunity for IA to establish continuous access to key sources of business data and move away from the conventional model of internal auditing. With a higher risk of nonapproved devices accessing the network in a remote environment, IA may need to put new standards in place for data access and information-sharing. Change may not be immediate, but these standards will pave the way for future audits that are driven by analytics and automation.

As audit teams find themselves working remotely, the value of exception-based monitoring and analytics-driven process analysis is becoming readily apparent. IA departments possessing these capabilities are generally demonstrating greater resiliency and flexibility in these challenging times, and they provide inspiration for others to continue their digital journeys. Target analytics and automation toward audit areas that require standardized and repeatable tests, reflect on the current use of digital tools and determine if testing workarounds may be needed.

As the IA organization shifts toward remote internal auditing, it is imperative that its communication strategies shift as well. This often implies modifying the frequency and means of communicating with stakeholders. Compile a list of all stakeholders who should stay informed, consider increasing the frequency of communication, and use interactive dashboards to report on audit findings.

Unexpected events like COVID-19 create a confluence of effects that can disrupt or slow business activity. Historically, many IA functions rely upon simple formulae for their annual risk assessments, working within the same parameters, and repeating the same interviews year after year. This staid approach can hamper internal auditors from anticipating emerging risks spawned by a crisis. Using data and analytics to drive the risk assessment can help internal auditors to be more proactive. Rather than relying on an annual risk assessment, these tools enable IA to constantly engage with the business to understand the changing risk landscape.

Developing a risk hypothesis within the planning phase and revisiting it throughout the audit life cycle can enable the audit team to stay focused throughout the audit. When seeking insights from data, it is important to ask the right questions and to remain skeptical about the value of any particular finding, always inquiring, "So what?" Linking questions to key testing hypotheses—or statements of what might go wrong—can help drive the analytics approach. By embedding analytics in every phase of the audit process, which is also known as "insights-driven auditing," IA can help the business navigate a world that has become vastly more volatile, uncertain, and complex.

Flexibility in response to changing business needs has gone from a nice-to-have to a have-to-have in this environment. The traditional top-down model of organizing and managing an internal audit function does not adapt well to disruption, and for most IA departments, going to a 100 percent remote model is not something they planned for. Agile IA is a way of working that has a built-in ability to pivot to whatever the circumstances call for. Strong communication and collaboration protocols are established within the team, as well as with leadership and key stakeholders.

"We have more risks than we have time to cover them" is a constant refrain for internal auditors, and this constraint is likely to tighten. Increasingly, stakeholders expect coverage of strategic, operational, and emerging risk areas, but these new demands come in addition to IA’s ongoing role in providing core assurance, such as assuring that the finance and operational accounting areas are working properly (for example, procurement, payables, payroll, and health and safety) and that the organization’s most-challenging risks are being managed appropriately (such as cyber, digitalization, and change management). Automating core assurance by harnessing analytics, robotic process automation (RPA), and artificial intelligence (AI) allows IA to monitor controls and flag nonconformance in real-time. Through automated reporting, these findings can be rapidly communicated to the business for immediate remediation.

In the wake of an unexpected event, companies often want to identify operational areas that can be optimized or streamlined. This can be challenging because business processes are complex. Even with large-scale ERP investments intended to automate and standardize business processes, root causes of problems can be difficult to detect. IA can leverage process analytics within the testing environment to detect complications and provide insights into fundamental deviations from established processes and controls.

Many organizations are seeking strategies for maintaining a highly effective risk management program during tough economic times. Continuous controls monitoring (CCM) may be one such strategy. It can allow companies to reduce risk management costs without impairing effectiveness. Much of its power lies in enabling the first line of defense to take ownership of their risk profiles and empowering the second and third lines of defense to become strategic advisers.

For many IA organizations, virtual communication methods are not only unfamiliar but also intimidating. Visualization techniques, such as dashboards, can help bridge the gap between IA and its stakeholders. Presented properly, graphical representations of data can provide compelling insights and be understood much faster than written text. However, in order to communicate clearly, correctly, and efficiently, dashboards should be carefully designed.