COVID and Internal Audit
I don’t understand why some Chief Audit Executives and internal auditors think that this is the time for audit to stop auditing. Certainly, it is not business as usual for anyone and should not be so for internal audit. The risk environment has changed, and control mechanisms have likely been modified to adjust to all sorts of operational changes. So, audit should not be carrying out the planned audits from six months ago. However, to do ‘nothing’ is not the answer.
Internal audit is primarily concerned about Governance, Risk and Compliance – and these should still be the driving force for audit’s activities. In some industries, compliance is still a requirement and audit should be addressing these compliance concerns. When this is over, and it will end, the company will likely be asked to provide evidence that it complied with legal, environment and financial requirements.
In many organizations, the current environment and the operational adjustments and reactions have dramatically changed the control environment. Audit can provide invaluable support to management by examining the revised control framework to ensure that the organization is not taking on more risk that it wants. (Note, I also assume that management’s risk tolerance levels have changed, and this must be considered).
Internal audit also can perform consulting engagements. Are there things that management wants to understand better? Perhaps they are concerned about employee health and welfare. Audit could analyze the data to see what is happening; or could verify that self-distancing rules and other health measures are understood and being followed. The point here is, if you don’t ask management how you can help – then you are probably not be helping.
Using data analytics can minimize the impact of your audit work and still provide valuable insights that will assist management.
Finally, if you can’t figure out how your auditors can support management at the current time by performing audits or consulting engagements, then offer up your staff. Auditors can work in the warehouse - fulfilling orders; on the production line; making deliveries; work in customer areas – taking orders, processing orders, doing AR and AP functions. The benefits would be twofold: helping the organization cope; and getting better insight into operations.
If you have concerns about audit independence get off your high horse and recognize that audit must do whatever it can to support the company and its people. Now is not the time to do ‘what was on your plan from six months ago’ or to do ‘nothing’; now is the time to do the ‘right’ things – the analysis and verification that will help management make better decisions and manage existing and emerging risks.
Internal Audit Superintendent at Samancor Chrome
4 年I certainly agree that internal audit should do whatever it can to assist a company achieve its objectives, however we should maintain our independence. There is a lot which internal audit can do without compromising its independence.
Director Technology (Information Security & IAM) at Ameriprise India LLP
4 年I agree every word you say here, David. No one other than Internal Auditors could understand the risk better in an organisation. In the difficult time, Internal Auditors should extend thier assistance (without wearing auditors hat) to various functions in the organisation and highlight the risks, whlle management working hard to recover the business from disruption.
Manager Audit Analytics at CSX
4 年I couldn't agree more. If your audit risk assessment was performed prior to a global pandemic, then it is safe to say that the risk landscape has changed. The audit plan needs to be adjusted to reflect the current circumstances. I also agree that there may be opportunities for auditors to jump in the trenches with management but we still need to model complying with our own governance standards. This could be done by strategically lending out staff that would not typically audit that function. We should not hide behind the Red Book but we cannot suggest a complete disregard to governance in these times.
Operations Director at TECHNOLOGY4BUSINESS LTD
4 年Well said David. At times such as these, with so many staff working remotely, there is nothing that can deliver real time impactful assurance like data analytics, Particularly if those analytics can provide assurance over, or bridge a gap in, the businesses own reporting mechanisms at this difficult time..