COVID-19 has disrupted most business areas and functions, including internal controls management. But the right combination of risk management, scoping, testing, and technology can help audit teams navigate these disruptions.
COVID-19 has turned large swaths of everyday life and business operations upside down, and that includes how organizations assess and test internal controls.
Since business processes have had to change in response to COVID-19 and previously stable business areas are now experiencing volatility, risk assessments now need to be more expansive. And at the same time, auditors may struggle to get assessment and testing done, thanks to work-from-home mandates, technology challenges, and swift, unexpected budget cuts.
That’s a lot of issues to confront as audit teams move ahead with internal control assessment, documentation, and testing. So how can they navigate these challenges?
Radically different risk assessment scoping
COVID-19’s impact on business operations means that many risks or business operations that previously hadn’t demanded attention now will. The scoping of risk assessments will look radically different this year.
For example, retailers could see a flood of adjustments to their leases. Publishers might see sales to retail outlets plunge while online direct sales soar. Consumer-facing companies might have to impair intangible assets or goodwill, possibly for the first time.
Leasing, revenue recognition, impairment—they’ve always been high priorities for internal control testing and remediation. COVID-19, however, changes which internal controls become more important to those items. Usually quieter lines of business may suddenly become material and in scope; small, rare transactions could become larger and more urgent.
What to do: increased communication
Before the pandemic disrupted global life, audit teams sent risk assessment questionnaires to various parts of the business, based on historical knowledge of organizational risks in previous years. With so much uncertainty, that won’t necessarily work now.
Audit teams will need to consult with more parts of the business, to ask questions and hear their concerns. Communication is key. As an example, for operational risks, the audit teams should talk with the board and management about the most pressing business objectives. Then, they can “reverse-engineer” a new risk assessment that ties those goals to facts on the ground provided by the rest of the business.
For financial reporting, audit teams can take cues from securities or audit regulators, who have published lists of high-priority concerns for financial reporting, and then cross-check those with the business unit to make sure they’re aligned.
“Someone must “own” the anti-fraud program. That could involve creating a new role, or assigning responsibilities to existing business units.”
New & increased fraud risk
COVID-19 has amplified some fraud risks and introduced new ones. For example, business email scams asking employees to wire money overseas are nothing new—but with everyone working from home, fraudsters have more opportunity to devise emails from senior executives.
Further complicating the situation, employees have less access to senior executives to verify transfer requests. So, policies and controls meant to confirm wire transfers will become more important.
Or consider a manufacturer that decides to start making personal protective equipment (PPE) to sell to the government. PPE now has great value, so the company would need better inventory controls to assure the PPE isn’t diverted off the back of the delivery truck. In addition, as a government contractor, the company would also now be subject to anti-fraud statutes such as the False Claims Act—so regulatory compliance risks increase.
What to do: go back and reassess everything
Internal audit needs to revamp its fraud risk assessment. Any process that could be vulnerable to fraud (even at low risk) should be examined. Ask: “How has this process changed because of COVID-19? Are we at greater risk because a fraud control is weaker or absent? Is there new risk, because we are providing a new product or service?”
Depending on the results of that assessment, the audit team will need to push for new controls to address the changed risks. For example, tighter limits on wire transfers, or chain-of-custody checks for physical inventory. The audit team should also consult anti-fraud frameworks and control libraries to see what’s sensible for the risks the organization has.
Above all, someone must “own” the anti-fraud program. That could involve creating a new role, or assigning responsibilities to existing business units.
Flexible testing procedures
At the bottom of every internal control test or remediation, an actual person has to be there—either to do the work or assure that technology gets the work done. But if employees are furloughed, laid off, or sick, their absences could derail your testing and remediation at critical moments. So, an ability to monitor changes in personnel and then shift remediation plans as necessary is crucial.
What to do: lean on technology
The best answer here is for the audit team to use technology that assigns responsibility for testing or managing controls to specific people.
That said, this idea works best when that internal control system is also tied into the HR function. This way, if a control owner is no longer present, the audit team is alerted to that fact promptly and can change testing or remediation procedures.
Without this level of integration, audit teams would instead need an alert function to know when testing or remediation isn’t undertaken on schedule, so the team could ask why. Then, as mentioned above, you would still need flexibility in planning to develop new procedures and push them out to new control owners.
Changing for the better
The irony here is that for all the turmoil COVID-19 brings to your internal controls program, the path forward is likely to accelerate two trends audit teams have been experiencing for quite some time already.
1. Increased collaboration with other business areas
Audit teams will collaborate even more with the rest of the organization. They’re the ones improvising new business processes on the spot, or witnessing broader economic trends that will affect the business. Whether the questions are about financial reporting, or supply chain stability, or even just how to redesign the office for social distancing protocols, the urgency of clear, prompt, and effective communication with teams in the first or second lines of defense has soared.
2. Increased use of technology
Audit teams will embrace innovation and technology in how they assess, test, and remediate internal controls. COVID-19 is forcing these teams to improvise, just like everyone else. Communicating with others, gathering test evidence, documenting remediation—all of it will require fresh thinking and strong technology capabilities. (My favorite idea: inspecting physical inventory by drone. Something more practical: more use of robotic process automation to automate testing or monitoring, which can be invaluable during times of furloughs or layoffs.)
Above all, audit leaders will need to seize the opportunities that present themselves. The evolution toward more collaboration with the business and more innovation in technology has been a long time coming. Now COVID-19 is forcing organizations to consider many of these questions all at once:
- How can audit help us?
- Who should redesign our processes?
- How can risk assessment get done?
The ride will be bumpy, and nobody has a clear sense of what the future holds. But on the far side of things, internal audit could end up proving its value to the organization more than ever.
Reaching internal controls utopia
Learn how to plan, implement, review, and test internal controls.
- Assess the maturity level of your internal controls.
- Create a thorough internal control system.
- Minimize internal control failures.