Updated: Apr 1, 2020
The latest guidance on COVID-19 from the UK government can be found here
The COVID-19 pandemic is affecting all of us both personally and professionally. We will all be impacted in different ways and the action you should take will depend on your individual circumstances as well as the situation your organisation finds itself in. In this post, we cover some key considerations for internal auditors.
1. Safety and Well-being of Internal Audit Staff
The health, safety and well-being of people is paramount and Internal Audit is no exception. The first question you should be asking yourself is: are all of my team in a safe location?
Other considerations will include:
Are my team able to continue working in addition to any caring responsibilities?
Do my team all have appropriate Display Screen Equipment (DSE) and other arrangements they may need to work from home successfully?
Are my team taking regular breaks? (Remember you’ll be missing out on those chats at the tea point and standing up to visit other people's desks)
Are any of my team likely to be more isolated or especially vulnerable in this situation?
You will need to be more flexible than usual and, in the absence of physical proximity, regular calls/video check-ins will be important to keep people on track, to identify any welfare issues early and to ward off feelings of isolation.
CIPD have some good advice on managing employees during COVID-19 here
You also need to remember to look after yourself!
Take regular breaks;
Don’t expect to be able to achieve all that you would normally;
Keep your working space separate from your relaxing space if you can;
Think about ways to build physical activity into your day;
Keep in touch with others even if it’s just for a social chat.
In all of this, be kind to yourself – it will take some time to adjust and these are difficult circumstances.
2. Reprioritise - Supporting your organisation’s COVID-19 response
Internal Audit as a provider of assurance, a trusted adviser and critical friend to leadership has an important role to play during a crisis. An independent mind without operational responsibility, but with the ability to see the organisation holistically is highly valuable - perhaps now more than ever.
Specific COVID-19 tasks internal audit might undertake include:
Risk assessments for COVID-19 impacts (considering immediate risks then medium- and long-term risks – there are multiple resources with prompts for key risk areas here);
Review the organisation’s existing crisis management and business continuity plans;
Review and update the organisation’s fraud risk assessment in the context of changes to key controls as a result of staff now working from home – see National Cyber Security Centre’s alert on COVID-19 phishing scams here;
Understand the level of redundancy built in to critical activities and whether this has been increased in response to COVID-19 – for example, if there is significant staff sickness can the payroll still run?
You can read a blog from Global IIA on what Internal Audit can do here
Top tips for supporting your organisation:
Liaise with the risk function if your organisation has one – at such a critical time, no one wants to be duplicating efforts; make sure other related teams haven’t already performed the work you are planning.
Focus on the key questions – In many cases Internal Audit can add significant value by asking the right questions, and the question alone might be enough. Don’t feel that you have to perform detailed testing on everything; providing a list of key considerations to leaders who haven’t had the time and space to think about it can be invaluable. There may need to be various iterations of this as the situation evolves – be agile!
Determine if there’s an angle that’s being overlooked – There will be lots of people, hopefully the top people in your organisation, focused on the charity’s response to COVID-19. In most cases, the obvious things will have been considered, but is everyone looking at the crisis from a single viewpoint? Is there an angle being overlooked? For example, many BCPs are centred around the building and key systems or people from your own organisation being unavailable but COVID-19 is affecting all organisations – has anyone thought about the key suppliers you are reliant on and what might happen if they fail or cannot provide their usual service?
Use the resources available – Many of the consulting firms have produced documents outlining potential impacts organisations should consider as well as specific guidance for internal audit functions. CIAN have collated useful examples in the Resources section of the website here
Give busy people space – Chances are that scoping for upcoming audits and action follow up aren’t top of leaders’ priority lists right now. Have a look at the meetings you have scheduled with stakeholders; can they be delayed to give busy people breathing space?
The UK Chartered IIA’s COVID-19 HIA forum notes also set out 10 guiding principles for internal audit here
3. Redeployment of internal audit staff and undertaking non-audit work
These are exceptional circumstances. BAU is out the window and some of the usual rules and protocols we observe will also need to be relaxed. There will be organisations who feel it is appropriate to redeploy internal audit resource to front-line activity; there may be HIAs who feel the most useful thing they can do is to pause the audit plan and support the organisation with non-audit activities, whether consulting or first/second line activity. So what should you do if you are being asked to or choosing to undertake activities you wouldn’t normally, or that may affect your future objectivity in breach of IIA standards?
Understand the specifics of any non-audit activities or redeployments
Determine the impact – how might activities affect independence and objectivity; and where do they deviate from the IIA Standards or Code of Practice?
Discuss with the Chair of your Audit Committee – make sure your Audit Committee is aware of and fully comfortable with the decisions being made before the non-audit activities take place. The Audit Committee should understand the implications, including current and future implications on IA resourcing and budget.
Document your approach – Write down what deviations from IIA Standards and Code of Practice are taking place, safeguards you are implementing, the expected impact on independence/objectivity/other and how you plan to manage resulting risks (e.g. future audits of the area seconded to will be performed by our IA co-source partner for 2 years).
Continual reassessment – Keep the plans under review, especially as the activities undertaken evolve. Reassess whether the risks and impacts to Internal Audit have changed and use your judgement on whether any changes need to be flagged to the Audit Committee.
4. Reassess your audit plan
All of us will need to review our audit plans. For those being redeployed, the decision may be to pause the audit plan entirely, for others the changes may be more driven by the logistics of which audit work can be performed remotely. As ever, risk assessment will be at the heart of our decisions.
Which audits from the existing plan remain a priority?
Are there any areas that have become high risk as a result of the pandemic and should be added to the audit plan to provide urgent assurance?
What are the resourcing and logistical impacts of the current situation? (make sure you build in contingency for future staff sickness/caring responsibilities etc.)
What is the availability of the auditees; will they still be able to make time for an audit? Can you relieve pressure on the organisation by delaying non-urgent reviews?
If you have an urgent audit but it cannot be performed as normal due to either staff availability or logistical issues, think creatively about how assurance can be achieved – can an outsource provider do it? Can the walkthroughs be done now to provide control design assurance even if detailed testing has to be postponed? Can some assurance be gained via self-review by the auditee?
What are the Audit Committee’s expectations and how can they support you in getting the resource you need?
In times of rapid change, agility is key so remember you may need to keep the audit plan under review for the foreseeable future.
5. What about action follow up and other IA activities?
As noted above, it won’t only be the Internal Audit team that is reprioritising, and you might find that the completion of management actions is not going to be at the top of people’s minds right now. We will all need to be pragmatic in our approach to following up actions. There will be some actions that remain high priority or even become higher priority in the current circumstances, but it is likely that many actions can be reasonably delayed while COVID-response activities take precedence.
Review the open actions, assess the current level of unmitigated risk, consider the organisation’s current priorities and availability, and make a decision about which ones it is important to close out/receive an update on.
Consider whether Audit Committee reporting should be streamlined or refocused for the duration of the pandemic.
If you are about to submit an Annual Opinion, are the conclusions of this still relevant?
If you have unallocated staff due to postponed audits, how can you best use this time? (have you compared your methodology to the new IIA Code of Practice? Can you prepare audit programmes for future audits? Have you reviewed your IIA Standards compliance recently? Is your IA Charter up to date? Can you develop data analytics approaches?)
Further information and support
Sign up to a CIAN IA social support group via email@example.com
Useful links – CIAN have compiled a listing of links you may find useful; you can see this here
We have also added COVID-19 and WFH related resources for members in the Resources section of the website. https://www.cian.org.uk/forum (scroll down to underneath the forum to find the Resources section; you should be able to see a ‘COVID-19’ folder with resources related to internal audit’s COVID-19 response as well as working from home and well-being).