The internal audit profession is an instrumental function as it relates to managing risk and providing insights. The onset of COVID-19 and its impact on organizations and their employees demonstrates the need for a robust internal audit function and CPAs are ideally situated to provide guidance and independent assurance on the effectiveness of response and management of crises.
While external auditors provide assurance on traditional financial matters, internal auditors provide considerations surrounding operations and management. These enterprise-wide evaluations provide stakeholders including management, audit committees, and board members with information to make informed decisions. The risk management function principally requires companies to identify, monitor and mitigate risks, while the compliance function ensures operations fit within legal frameworks, as well as internal and ethical contexts.
Areas in focus for many internal auditors in response to the current pandemic include risk assessment, continuous monitoring, cybersecurity and communication. The audit environment is not static and is accustomed to tackling changing landscapes. Emerging technologies such as artificial intelligence, data analytics and automated monitoring is changing risk management and the rapid adoption of these systems poses new risks for many organizations.
Furthermore, COVID-19 has required a reprioritization of cybersecurity, as organizations are forced to adopt remote work technologies and expand their reliance on technology. Despite cybersecurity being a consistent threat even before the pandemic, adverse actors are now targeting organizations involved in Covid-19 response. A statement issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency noted threat actors frequently target organizations that collect bulk data, intellectual property, and other national data sets, emphasizing the internal audit function’s role in risk management through the health crisis. COVID-19 has also unveiled deficiencies in a variety of areas despite ongoing annual audits conducted in the past.
Many organizations found themselves reorganizing service delivery and operations and many internal audit departments have provided their expertise to minimize risk as operations have dramatically changed throughout the course of the pandemic. Investment in data analytics has made it possible to measure key performance metrics and to implement automated monitoring. Continuous monitoring has aided internal audit to assess operational risk assessments as the risk profile has changed. As firms adjust from reactionary measures to new operational baselines, internal audit has been focused on changing risk profiles and reprioritizing their audit plans. As original audit plans are revisited, certain tasks may require immediate completion to facilitate recovery and market reentry. Resources therefore have been reallocated to ensure these priorities are met.
For many industries, governance, operation and process risks have also been influenced. In particular, exceptions to controls of certain risks and acceptance of these risks including supply chain disruptions and third-party services, have been immediate concerns of internal audit. New guidance has in turn forced internal audit to delay internal audit plans while communicating with stakeholders as they prioritize emergency response measures. In addition to this internal audit is also having to deal with new and emerging risk areas as a result of operational changes, transforming the established framework of original audit plans.
The internal audit function serves stakeholders by communicating data and insights from the front lines of the organizations. Their findings are essential in crisis management and COVID-19 has been no exception. Audit committees provide perspective on implementation of activities and their outcomes as it relates to planned risk management strategies. Reportable items include ensuring compliance with regulatory demands, as well as identifying controls that may have been temporarily suspended to track and eventually restore these controls. During an unprecedented service interruption throughout the initial lockdown phases, vendor resiliency has also become a chief concern as committees revisit SOC1, SOC2 and internal reports supplied by vendors to reevaluate vendor capabilities.
The communication between the internal audit functions and stakeholders therefore is more critical than ever especially when immediate decisions are necessary to ensure the resiliency of organizations. The expertise and enterprise-wide knowledge of the internal audit committees and internal auditors serves as a significant resource to organizations during predictable business cycles providing stability and discipline in governance and even more critical during times of crisis.