How Internal Audit can continue to add value during a pandemic


The first quarter of 2020 presented the world with the COVID-19 pandemic that has morphed into a significant macroeconomic crisis. Only businesses deemed critical remain open. All non-critical businesses have closed, and unemployment is growing weekly. To slow the spread of this deadly virus, governments have required families to shelter in place. Adults, parents, and students alike are working from home or attending classes online. Simply put, COVID-19 has changed the way we work and live.

Within the walls of businesses, Chief Auditors and Internal Audit Executives are seeing their audit plans for the quarter or the year superseded by management’s daily focus on crisis management. Additionally, executives and Boards have turned their attention toward financial viability. However, now is the time for Internal Audit functions to shine. Internal Auditors have cross-organization visibility into procedures, processes, and technology and can provide valuable insights when collaborating with management teams during times of crisis. Risk identification, risk management, and risk mitigation are a sweet spot for Internal Auditors.

The following are some action steps that Internal Audit functions can take to provide value to the organization during a time of crisis.

  1. Step up. Make sure that executive management and the Board know that Internal Audit is there to help the organization. Internal Audit brings to the table objectivity and perspective along with a wealth of knowledge on risk management, the organization’s operations, and working with remote teams.

    • Internal Audit should be proactive and have a thoughtful plan of what role they can play to assist management in developing their response to the crisis and in monitoring how they are doing in the execution of their plan

    • Internal Audit should also address the impact COVID-19 has on the current audit plan, and perhaps even include a proposed new audit plan for the year that focuses on Internal Audit’s role in the organization’s COVID-19 response and plan execution

  2. Risk Management. Internal Audit can assess management’s ERM response to the recent pandemic. Where possible, Internal Audit can support the ERM process, including identification of emerging risks and proposing responses to those risks. Direct and indirect risks, including the unthinkable, and the responses to potential impacts should be a consideration.

  3. Assess the organization’s crisis management and business continuity plans. When performing these assessments, consider the following areas:

    • Assignment of designated roles

    • Communication plans

    • Decision-making protocols

    • Emergency action plans

    • Addressing gaps identified in the plans

    The initial focus should be on the Company’s efforts to address the COVID-19 pandemic. Once that plan is running smoothly, the focus should shift to updating the overall business continuity plan, as applicable.

  4. Discuss with management the longer-term implications of business interruptions resulting from COVID-19. Areas to consider here include:

    • Supply chain disruption

    • Significant spikes and drops in demand for goods (e.g., foodservice closures, retail closures, plant closures, etc.)

    • Workforce availability

    • Facility closures

    • Preparing for post-epidemic spikes in demand

  5. Continue to support management in the monitoring of the situation inside and outside the organization. Agility is vital during emerging situations, and management may get consumed in execution and lose sight of what else is changing. Internal Audit is well-positioned to support management through identification and monitoring of risks during crisis situations.

  6. Assess management’s internal workforce communications plan as it is being executed. Internal Audit can actively assess and monitor the internal communications during emerging events, asking questions such as: Does employee and stakeholder safety come first? Are employees being kept in the loop? Is the cadence of communications appropriate? Are line leaders staying in touch with employees routinely? Are they addressing employee needs in various countries, regions, levels, and work situations? Are communications coming from the top? Is the tone truthful and trustworthy and providing a level of appreciation? Are virtual face-to-face communications occurring?

  7. Assess management’s transition to a remote working environment, looking at tools, technology, and cultural challenges. The COVID-19 outbreak and shelter-in-place orders have forced many organizations to transition workers to remote workspaces, bringing a new set of challenges to everyday work life. Internal Audit can support this transition through advisement and through assessing the infrastructure put in place to support a remote workforce. Areas to consider include: Have applicable policies and procedures been adopted? Are remote workers connecting through a secure means? What has been put in place to secure company data and company servers? Can Internal Audit support this effort by sharing lessons learned and tools or techniques for remote work?

  8. Assess operations. As with the transition to a remote work environment, Internal Audit can support management through assessments of internal operations impacted by the pandemic. Areas to consider include: Is operations actively identifying alternative supply chain options as the virus spreads? Are substitution or secondary raw materials identified and approved? Are goods moved from quarantine zones and accessible for shipping? Are raw material futures being assessed? Are transportation methods being evaluated? Is operations adjusting for current and future expected demands? What is the impact of quarantine on production facilities? What is the impact on production facilities of decreased skilled labor availability? What are the opportunities and risks of retooling to produce high-demand goods?

  9. Assess how well the organization is demonstrating flexibility and agility with customers and vendors. Other areas where Internal Audit can support management’s initiatives through assessment include relationships with customers and vendors. Possible opportunities include: Is there safety protocol alignment? Have pandemic response plans been implemented? Are communication plans in place? What impacts are resulting from remote workforces, furloughs/layoffs, or absenteeism? Are effective technology and collaboration tools being utilized? Are there delivery schedule impacts? Communication internally and externally is critical, including the utilization of internal or external public relations to share information both internally and with clients and other stakeholders.

  10. Assess cybersecurity awareness of the organization in the wake of COVID-19 phishing emails. Cybersecurity awareness is critical as numerous entities and individuals are looking for ways to exploit this situation. Internal Audit’s IT specialists can assist here, ensuring viruses and potential attacks are closely monitored. Things to consider: What are the policies, tactics, and training involving the threat of social engineering? How are these enforced? Is the threat of social engineering adequately communicated to all levels of employees at the organization? Are certain systems or processes particularly vulnerable to social engineering? What key processes have the potential to be exploited? What testing does IT do to identify social engineering attempts?

  11. Sharing of resources. As noted in action step 1, where can Internal Audit step up to support the organization? Are there analytical tools and models utilized by Internal Audit that could be shared with management for identifying trends and variations caused by the current situation within and across business lines to support proactive decision making? Are there opportunities for auditors to support business lines by bringing a fresh perspective and to backfill where typical remote work may not be feasible? Internal Audit can work as part of the task force along with key management personnel to identify the appropriate key metrics, with the focus on outliers or exceptions through continuous monitoring.

While not exhaustive, the action steps highlighted above provide some insight into how Internal Audit functions can be actively involved during these trying times. Now is the time for Internal Auditors to roll up their sleeves, put on their “Trusted Partner” ballcap, and support the organization with their expertise and experience. Besides, risk management and mitigation during an event like COVID-19 is what Internal Auditors dream about.