4 things internal audit should focus on during COVID-19


Organizations around the world are struggling to minimize business disruption from COVID-19 while navigating new realities—and a lot of this responsibility falls on internal audit.

What makes internal audit unique is its strength and experience in managing uncertainty. Uncovering and tackling risk is what internal audit teams were born to do. Surfacing issues to help organizations survive and thrive is all in a day’s work.

But right now—as leaders and boards grapple to identify direct and indirect COVID-19 related risks—and adjust to a new normal, internal audit’s assessment and assurance roles have become so much more invaluable. Here are four ways that internal audit can bring even more value to the organization.

1. Provide data-backed insights to drive decision-making

By now, most organizations would have redirected their risk expertise to respond to the pandemic. According to a recent COVID-19 Quick Poll by The IIA’s Audit Executive Center®, 78% of chief audit executives and internal audit directors said their initial strategic responses were focused on assessing short-term impact. Other short-term strategies included:

  • Providing COVID-19 updates to the board (72%)
  • Revising the business continuity plan (66%)
  • Evaluating third-party relationships (59%).

Internal auditors are key to providing the data-driven short-term risk perspectives that support confident decision-making during this uncertain time. This is obviously very important to both the leadership team and the entire organization, as it helps everyone stay focused on meeting objectives and mitigating risks.

“Your COVID-19 risk mitigation strategy will continue to transform in the coming weeks and months. Internal auditors must look ahead to future risk, as well as mitigate the present dangers.”

2. Don’t forget about the organization’s future state

Sure, COVID-19 brings countless risks (e.g., health and safety of customers and employees, disrupted supply chains, cost reductions, new processes, revenue loss) that needs immediate attention, but internal audit also needs to look at emerging or evolving risks that will impact the organization’s future state.

As a result of government initiatives to support organizations through this pandemic, audit teams in some sectors (e.g., government departments and financial services) are even experiencing increased workloads, requiring them to undertake real-time assurance work to effectively tackle emerging risks.

Here’s a good example of an emerging risk: The IIA Bulletin on COVID-19 recently noted, “Even as organizations are in the first stages of determining the potential impacts of the coronavirus on their operations, an ancillary risk is emerging—social engineering amid crisis. Cybercriminals are taking advantage of the growing concern over the deadly virus.”

Recent data from Barracuda Networks indicated a 600% increase in phishing e-mails. How will these emerging risks (from phishing emails designed to look like they’re from WHO to fake stimulus check emails) affect your organization in the long run? What internal controls do you currently have in place? Are they sufficient in light of moving to remote workforces and emerging cyber threats? A breach right now could derail the organization in the future. What do you need to do now and who do you need to work with to protect your organization?

Your COVID-19 risk mitigation strategy will continue to transform in the coming months. Internal auditors must look to future risk, as well as mitigate present dangers. Looking ahead includes impacts on 2020/21 internal audit plans, changes in internal audit methodology, and maybe even reducing overall internal audit activity to deliver value to a downsized organization.

3. Consider an agile audit plan

COVID-19 is causing organizations to adjust business operations and plans rapidly, presenting new ongoing challenges. One of those challenges may be to conduct auditing entirely remotely. The traditional audit plan might not work in this situation, so it might be time to investigate an agile approach, really understand how your organization operates, and ensure that you’re achieving the business acumen element of the IIA Competency Framework.

Instead of the rigid, single-phase planning of a traditional audit, agile auditing centers around fluid, iterative planning on an ongoing basis. There’s a core focus on collaboration and communication between the audit team and stakeholders throughout the entire experience.

While audit quality is always a key consideration, the priority is on speed and efficiency over delivering a perfectly polished project at the end. This “try fast, fail fast” design accounts for the unexpected in case the team needs to suddenly shift gears. And while everyone has a different role, the team is trusted to be self-organizing and cross-functional. Agile can be an ideal audit approach while COVID-19 risks and priorities shift quickly, and remote audit teams use technology to stay better connected.

Read more on agile auditing in our eBook, Sprinting ahead with agile audit.

4. Keep audits on track with technology

Some audit projects must go on, even when face-to-face interaction isn’t possible. Thankfully, technology can give auditors a serious advantage here, because it lets you:

  • Conduct audit interviews and meetings through secure video conferencing.
  • Get live video feeds of client inventory locations. COVID-19 has made inventory testing one of the biggest challenges for auditors; moving to live video feeds may be inevitable unless you can put off an inventory count. Using recorded video is not recommended; how can you prove authenticity and objectivity?

And, dedicated audit management software like AuditBond further facilitates these new ways of working when everybody is remote, through features like:

  • A single, united platform to increase collaboration and communication
  • Workflows that keep remote workers informed on all stages of the audit
  • A library of documentation, templates, and workflows at everybody’s fingertips
  • A complete audit trail, to track everything and ensure your audit work remains defensible to regulators and external auditors.

Of course, there are always upsides and downsides to all technology. On the upside, you’ll save on travel costs; have more in-depth documentation, paper trails, and reporting; and gain added benefits like data analytics and robotic process automation. But you won’t be able read auditees’ body language or build rapport quite as easily as being in person. It’s all a matter of adjustment and settling into a “new normal.”

Moving ahead, whatever that involves

Emerging COVID-19 risks are both unpredictable and unprecedented. Internal auditors and their organizations face unique challenges, but they’re also in a unique position to work collaboratively, and provide expertise and guidance as trusted advisors during this time. By embracing ambiguity and flexibility and looking at both the short-term and long-term impact of COVID-19 on the organization, internal audit teams can help the organization and themselves emerge from this crisis stronger than ever.

Special thanks

Special thanks to Liz Sandwith, Chief Professional Practices Adviser, Chartered Institute of Internal Auditors, for reviewing this blog and providing feedback during its development.


Sprinting ahead with agile auditing

Explore the benefits, challenges, and best ways to implement agile audit. Learn about:

  • Why you should consider adopting an agile approach in audit
  • How to overcome common transition challenges
  • 10 steps to get started with agile auditing

Download eBook

Related Articles


Galvanize is now part of Diligent.

To stay up to date on the latest product offerings, research and GRC resources please visit or to login to your Galvanize products please visit www.diligent.com

Visit Diligent Login