Following the COVID-19 outbreak, things have changed drastically, and the working environment of organizations and their ways to work has evolved. Internal auditors are no different and will follow the same route.

The internal auditor must focus on things that are important for the organization during these unprecedented times. Therefore, the internal auditor shall collaborate with the departmental heads, managers, senior management, and key stakeholders to understand new risks and their impact on the organization.

Auditors have to pick which audits are important including mandatory/regulatory audits.

Assessment of risks is a continuous process, and internal auditors shall be vigilant of new risks while performing the audit. It might be possible that during the planning stage, certain risks are unknown to the auditor, while during the actual fieldwork, new risks emerge, and the auditor needs to include those risks in his audit for further testing.

This will help the internal auditor to re-assess his audit plan, which best suits the organization. It is better to replace the existing audit plan with a new one that better addresses new risks and supports the organization-wide objectives.

During these difficult times, the auditor should keep the audit committee, and management informed about the difficulties being faced by them. If required, reduce the scope of work, limited to emerging risks that are more critical than those that are assessed a while ago.

The auditor should always focus on quality over quantity and reduce the number of audits.

Embracing technology

The use of virtual meetings, webinars, digital documentation, etc. has helped everyone in performing business as usual activities. The rise of collaborative tools has spiked, and popular software companies offer affordable and reliable solutions to embrace the new ways of communication.

Therefore, the internal auditor should consider the following:

1. To perform audits virtually and obtain audit evidence mostly in digital format. However, the auditor has to re-assess the impact of remote working by employees on the control environment. During the planning stage, the auditor shall give the management enough time to copy or scan paper documents.
2. Conduct virtual meetings with the auditee, understanding the business processes and relevant risks, and gather evidence. If possible, record such meetings, keeping in mind the Company and local regulations. Some employees may not like the idea of being recorded.
3. The use of a unified platform for collaboration and communication further enhances the auditors and the auditee experience and minimizes the time required for in-person meetings.
4. Keeping the library of documents, templates, audit programs, and workflows in one place, accessible virtually from anywhere, reduces the auditor’s time significantly and can be reused several times.
5. The automation of audit workflows by integrating various stages (Planning, Fieldwork, Reporting) will help the auditors and audit managers to update and review the audit. Therefore, maximizing the efficiency of the whole audit team.

Supporting the business

Internal auditors possess in-depth knowledge about the business processes and the holistic view of the organization. During the pandemic, the internal audit resources can be re-purposed to provide support to essential business functions and processes. This may include:

1. Supporting the first line of defense- Internal Audit functions usually possess variable skill sets, which may include data analytics, finance & accounting, project management, knowledge of IT systems, and business operations.
2. It is inevitable to review business continuity plans, and internal auditors can review those plans and suggest recommendations.
3. Supporting the second line of defense-Internal Auditors are good at performing the risk assessment and compliance testing. Thus, reassessing new risks will help risk, compliance, and the internal audit itself to better understand the width of risks and its impact on the organization.
4. Live auditing-The auditors can scrap the post-dated audits and perform live monitoring of core business processes under stress. Even the key performance indicators may be re-assessed under new stressful conditions.
5. Secondment-The auditors are seconded to the first and second line of defense to keep the core function going.

However, the internal auditor should keep his independence at utmost importance, and the auditor shall refrain from designing and implementing any process and control.

Challenges for Internal Audit

It is the Chief Audit Executive's responsibility or a similar position in the department to gel the team as one unit. Following are a few things which can be done:

1. Weekly meetings-Although too many meetings might be counter-productive; therefore, a thoughtful online meeting might help get fresh ideas or opportunities to catch up on the status of audits or work in progress.
2. Individual check-ins-During these tough times, meeting with different team members may help the Audit Head gain insights into the challenges faced by the audit staff. This may include working in isolation, workloads, and balance between work and family.
3. Coffee sessions-Having a virtual coffee session with the audit team will ease the workload pressure, and it is another way to connect with the team.

During the remote working, the internal auditors shall keep their corporate presence within the organization by having virtual meetings with the key stakeholders, helping them to built trust.

Internal auditors shall prioritize their work and focus on those areas where they can help the organization. Instead, interact with the stakeholders more frequently and provide simple and easy to implement advisory solutions.

Risk of override of internal controls

Internal auditors are required to develop a substantive approach and be pragmatic in gathering audit evidence and consider alternative ways to collect the information. The likelihood of management override of internal controls is high. Still, the auditor has to see the rationale behind such overrides and validate whether the management is fully aware of such overrides.

The overrides taken by the employees may be in the best interest of the organization. Are you sure? Validate it.

During the pandemic, organizations are forced to terminate their employees or reduce the financial benefits. The disgruntled employees may pose a severe threat, and the probability of fraud and misappropriation has increased. Therefore, the auditors need to be vigilant in the early identification of such risks and suggest recommendations.

Post COVID era

As the uncertainty prevails, but slowly, things will come back to normal. Internal auditors should take this as an opportunity to learn new skills, especially their communication skills, and adopt those techniques and practices they were performing during the pandemic.

It is expected that organizations and employees will still prefer working remotely, and auditors have to adopt a flexible and pragmatic approach in performing their internal audits. Nevertheless, the auditor should work with the management and focus on new & emerging risks that the organization faces.

Photo by Hunters Race on Unsplash