10 changing roles of internal audit after Covid-19 outbreak

The plans that organisations are putting in place to contain and respond to the outbreak are likely to be in place for a period of time. IA should be prepared to adjust to this period in a sustainable way and adapt to this ‘new normal’. It is important that IA is proactive and prepared, while remaining pragmatic, as the situation continues to evolve.

As such, IA functions should consider 10 changes in the role of IA. However, contents in this paper should not be considered comprehensive or definitive as the pandemic is evolving.

1. Re-calibrate its approach to cyclical audit planning and coverage of risk .

IA should consider adopting an agile portfolio management approach, eg agile audit planning in time-boxed sprints and continually updating backlog of the audit to be undertaken when goals are clear and resources are in place.

2. Adjust its coverage to ensure that it takes a pragmatic and balanced consideration of risk.

Due to the changing risk landscape, it is imperative that IA collaborate with key stakeholders to understand any new and/or elevated risks, and to assess how best to support with the provision of assurance.

3. Continue to deliver its ongoing assurance activities without disrupting critical operational areas at a time of crisis, for example:

▪︎Remote working to perform the audit, and what, if any, impact remote-working has on the assessment of the control environment being considered, and practicalities of how the audit will be undertaken with all key stakeholders;

▪︎Adopt and/or increase the use of new technologies to deliver work, such as Microsoft Teams, Skype or Zoom for virtual meetings/workshops;

▪︎Accelerate the deployment of analytics to deliver IA work remotely, increase coverage, focus on outliers, and reduce business interruption, whilst still providing valuable insights and assurance.

4. Work more closely with other assurance providers to reduce disruption to the business.

In these times of reduced management and organisational bandwidth, IA functions should seek opportunities to reduce overlap with other assurance providers including external audit, compliance, and enterprise risk management.

5. Avoid having to deliver a large part of the IA plan later in the year when capacity will be under pressure and get more involved now whilst they have time, for example:

▪︎Whether work can be performed remotely, leveraging technology available to them, and, if necessary, agree on amended or reduced scopes of work and have face-to-face meetings later when social distancing allows;

▪︎Prioritise providing assurance over emerging risk areas;

▪︎Where it is necessary to cancel and/or defer work, discuss with the board and formally agree with the audit committee if IA resources can be re-purposed to support with projects, critical activities or initiatives in response to Covid-19.

6. Provide an objective voice and real-time assurance to teams who need to make decisions quickly for the organisation to look forward, for example,

▪︎Attending project-steering groups and providing an independent, objective voice to help challenge management’s thinking on risk;

▪︎Critiquing the design of new and/or amended controls prior to implementation as a result of a changing work environment;

▪︎The need for long and time-consuming reports should be challenged, as IA functions can embrace agile reporting mechanisms to deliver points of view and insights sooner in order to maximise impacts to the organisation.

7. Engage with broader stakeholders, including regulators and audit committees to be clear on how IA can best add value/agree changes to the IA plan.

Early discussions will help teams understand any critical work required, and whether there are any new and/or elevated risks that need incorporating into the annual IA plan. Revised IA areas of focus should be agreed.

8. Function meeting of its regulatory/statutory requirements and the ability of CAEs to comment on control environments following impact of non-essential IA work is deferred or re-shaped to IA.

It is important to be clear on what has and has not been considered across the year (or indeed within a specific IA review) and to adopt a limitation of scope approach where needed.

9. Address a gap in coverage to impact the ability for audit committees to meet annual reporting requirements on controls.

In certain sectors, an annual opinion on controls or the control environment might be required. In such circumstances where IA work may be reduced, it will be important to be clear on what has and has not been considered across the year and to adopt a limitation of scope approach.

10. Form part of/or support crisis response teams.

Whilst in many organisations it would not be expected for IA functions to form part of the immediate response, IA should play a key role within the "Looking Ahead" team.

In summary, plans that organisations are putting in place to contain and respond to the Covid-19 outbreak are likely to be in place for a period of time, and IA should be prepared to adjust to this period in a sustainable way and adapt to this ‘new normal’. It is important that IA is proactive and prepared, while remaining pragmatic, as the situation continues to evolve.

(Contents in this article should not be considered comprehensive or definitive as the pandemic is evolving.)

The writer is director, risk advisory services, Deloitte Thailand