and that applies to internal audit as well…

The following article has had over 500 views in 2 days on LinkedIn, I hope you find it helpful.

I’ve just facilitated a two-day head of audit event, with only one person pulling out because of COVID19. However, it was inevitably a key topic of conversation, and here are some reflections that might be of interest:

COVID19 has reinforced, again, the problem with a “failure of imagination” in many risk management processes.

A failure of imagination was one of the key learnings from the 9/11 tragedy, and it looks like many organisations have found themselves with a similar problem with COVID19, and all its knock-on impacts. It may not be a big priority right now, but all organisations who have felt blind-sided by what has happened should be prepared, at the right time, to take a long hard look at their risk management processes.

What other risks are there where might we be thinking “that will never happen”?
How do we make sure we prioritise impact over probability? 
How good is your organisation in thinking through the knock-on consequences of one risk on other aspects of its operations? 

A new coronavirus was first identified on 31 December 2019; when did it start to get on your organisation’s radar screen?  

CNN have done a great timeline of the COVID19. See it here.

Key points include:
11th January 2020: First death
16th January 2020: In Japan
17th January 2020: Selective screening in the US
21st January 2020: First case in the US
23rd January 2020: Emergency committee of WHO formed
29th January 2020: White House task force
30th January 2020: Person to person transmission in the US
2nd February 2020: First death outside of China (in the Philippines)
14th February 2020: COVID19 found in Egypt
Etc..

The evolving news story has been well publicised across the world and was effectively an early warning that a pandemic might happen and could have prompted organisations to look at their business continuity arrangements.

So, when, in fact, did your organisation start to make preparations in earnest?
Are there other areas where more attention could be paid to early warning signals?  

Are past assurances given about continuity arrangements proving to be too positive?

Hopefully, most organisations are working flat out to prepare themselves for COVID19 and double-checking past plans and assurances. If these are proving to be too positive, and are needing to be revisited, it would suggest that the amount of assurance that is being given needs to be thought about more carefully. This may apply to back-up plans for payroll and IT and home-working as well as third party suppliers and service providers.

When you ask others for assurance, have you defined what assurances you are expecting in terms of service levels – and what assumptions have been made about staffing levels etc.
When you look at arrangements relying on third parties, what do the contractual arrangements say; are there any “force majeure” clauses and are you clear about fall back contact/ emergency cover details? 

Turning to Internal Audit

What adjustments are needed to the audit plan?

This is the obvious one, any planned audits that are not business-critical should probably be seriously challenged and/or postponed since there are undoubtedly key risks/ new projects where internal audit’s skills could be invaluable, either to assure progress of business-critical continuity plans or to advise on process changes that will maintain operations and compliance where fewer staff are available.

Heads of Audit should urgently clarify with Senior Executives and Audit Committee areas which audits should continue and which should be postponed as well as the key areas it might be sensible for audit to get involved in. These adjustments should factor in possible staffing shortages in the audit team, as well as arrangements for remote working as much as possible.

Assignments should focus on just the key exam questions

With everything going on at the moment, it is crucial that audits do not progress per business as usual. Ask tough questions about which scope areas are really essential to be covered (particularly in areas not linked to COVID19) and focus only on these. Few business managers will have an interest in “nice to have” matters for the next 3-6-9 months. Likewise, audit reports should recommend only the most critical issues are remediated; anything else will likely be challenged “you auditors are not living in the real-world”.

Look at open issues and the follow-up process

There are two key considerations. With everything else that’s going on consider the amount of open audit issues and determine which really must be remediated, notwithstanding COVID19. Based on this engage key stakeholders on two key points:

• Which lesser issues should probably be deferred given everything else that is going on?
• How to make sure critical issues will be remediated, even if there are staffing and other disruptions.

In summary, although COVID19 poses many fundamental challenges to organisations it also provides a very important opportunity for internal audit to “step up to the plate”, so I hope you are planning to discuss these issues with your audit team and key stakeholders in the near future if you have not already done so.

Finally, my thoughts go out to all of you in these unsettling times.