Internal audit after COVID-19

Coronavirus and lockdown

The COVID-19 lockdown has dramatically re-ordered our lives in all sorts of ways. In a YouGov poll reported in the news in April 2020, 54% of participants hoped to make changes in their lives and wanted the country to learn from the crisis.

The Chief Executive of the Royal Society of Arts said that "we must use this time to imagine a better future."

Barclays CEO Jes Staley said that “There will be a long-term adjustment in how we think about our location strategy...the notion of putting 7,000 people in a building may be a thing of the past.”

Coronavirus has changed many things. For example, it is set to hasten the decline in the use of cash (a recent report suggested this will leave only 20% of people relying on notes and coins, many of whom are vulnerable). Our perennial duty is to adapt and change but to manage the consequences as we do so.

The Office for National Statistics report: Coronavirus and the impact on output in the UK economy: April 2020 soberly painted a picture of an entire economy in crisis. April 2020 showed particularly sharp falls, as the negative impacts of social distancing and 'lockdown' led to a significant fall in consumer demand and business and factory closures, as well as supply chain disruptions. The month recorded the largest fall in GDP since monthly records began in 1997, reflecting record widespread falls in services, production and construction output. The public sector and charities also expected large reductions in activity.

Turning to just one example of a more specific crisis threat, the Financial Conduct Authority's (FCA) concerns over algorithmic trading and market abuse have increased. Following COVID-19, the FCA reiterated its expectation that 'firms should continue to take all steps to prevent market abuse risks.' Headlines included 'US stocks fall 12% in worst day since 1987' and the VIX index, the market's 'fear gauge', jumping to a record high on 16th March 2020.

Given that market returns can increase significantly for fast movers during periods of increased volatility, artificial intelligence algorithms could make a rational, though unintended, choice to engage in market manipulation for the benefit of their investing clients but at the expense of other investors; this could go beyond the widespread use of algorithms accentuating market volatility.

Many concerns for internal audit are arising across sectors. The question for us is: how can this shape the future of internal audit? As we have all heard and said, things will not return to normal and new norms are to be expected. All of us have a role to play in helping create better processes and, specifically, better internal audit practices. One can ponder how exactly we might be more effective internal auditors and participants in the overall assurance process. Also, what risks might we all pose not only by changing too much but also by changing too little?


Immediate changes

As occurred in the financial crisis, precipitated by the banking failures in 2017 and the building of leveraged debt instruments, inflated real estate prices and abundant credit, which preceded them, internal audit must come out of the current epidemic stronger as a result of the learning opportunities that crises afford us. In these early days, these may be seen as: 

  1. Greater use of remote auditing, with the efficiencies and benefits that this can bring.
  2. An accelerated adoption of agile audit techniques and much quicker reporting of control weaknesses, recommendations and opinions.
  3. Data analysis extensions going beyond those of the previous twenty years.

These will require risk mitigation by audit departments themselves, because of the change in working patterns and audit coverage. Change is not driven by failure of the audit processes (the 'comfortable irrelevance' enjoyed by internal audit was an expression of the credit crisis, a decade earlier) but rather by the unrequested opportunity afforded by prolonged remote working. Internal audit must evaluate the increased risks inherent in work now being done remotely by colleagues across the company.

Internal auditors need to think more broadly about audit scope including prioritising operational resilience and considering more carefully a wider range of high impact, low likelihood scenarios and planned responses. 

The Mission of Internal Audit from the International Professional Practices Framework leverages the entire framework in normal times and can add value in managing through the pandemic, if we are thoughtful and decisive in our change agenda; it is:

“To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.”

Never before has the role of internal audit in reviewing and reporting on adverse events been so pertinent. Reflection on the lessons learnt and analysis of what went right and wrong are likely to be key drivers and inputs into identifying priorities and setting a forward-looking internal audit plan.


Remote auditing

The purpose of this paper is to offer guidance to internal audit management, once the current pandemic is brought under control and when proactive rather than reactive action is possible. Endorsement may be needed by others, including the audit committee but leadership is needed from within the function. Another factor to bear in mind is that other teams will change their patterns for remote working which may limit some of internal audit’s choices.

Based on a small survey yielding ten responses (27% - 10/37), conducted in support of the research undertaken for this paper, the experienced auditors who responded (whilst working from home during the COVID-19 epidemic lockdown that commenced on 23rd March 2020) gave various opinions on how this should shape future changes:  

  1. All respondents thought that internal audit teams should work from home more in the future, with 60% saying it should be considerably more.
  2. All respondents also thought that internal audit teams will be expected to undertake less business travel in the future, by auditing remote locations, analysing their data and reporting audit results, without having to visit them. 30% said it should be considerably less. 
  3. For the question as to whether internal audit’s contingency planning proved to be more or less effective in this pandemic crisis than had been expected, the range of answers was greater. 44% said it had been more; 44% said it had been as expected; 12% said it had been less effective.

The plan to increase remote working has many advantages for staff work-life balance, reduced travel time and dedication to the task in hand. However, there are risks that include:

  1. Reduced contact with colleagues, albeit mitigated slightly by online interaction and video conferencing.
  2. Work life and home life melding into one, possibly dealt with to some extent by having a dedicated desk which can be left when working time ends each day or by powering down the 'work' computer.
  3. Reduced opportunities to work alongside internal audit customers/clients and to get under the skin of the activity being audited.
  4. Less chance to observe body language clues in internal audit customers/clients.

Further consideration is given to the latter two because controlling them will need greater input from internal audit management. One of the benefits of colleagues in different departments working in the same building is that it has always been relatively easy for the auditors and their laptops to locate to the trading desk or office area subject to audit, then to work on audit tests, whilst normal activity continues.

The auditor, whilst remaining productive, hears about any frequent problems as they occur and picks up on how they are resolved and errors are corrected. Sometimes people bounce ideas off the auditor and thus it is both interactive and educational. The process is informative and likely to assist in the drafting of reports and the formulation of recommendations.

If an auditor is working remotely, this drip feeding of knowledge and observation of culture is harder or impossible. As a substitute, audit management may have to request and obtain minutes of team meetings that may discuss recurring problems, in the hope that such matters are covered and are fully documented.

Turning to feedback from internal audit customers/clients, this takes the form, like other communications, of a combination of the spoken word, the tone in which it is delivered and the body language (including facial expressions and eye contact; head movements; hand gestures; body posture) of the speaker and their colleagues, as they hear the words spoken. Dissonance and leakage may occur which cast doubt on part of what is being said and of any important omissions. This is not so easy for internal auditors to detect when working remotely even if the speaker is seen and heard in a small box viewed on screen. Heightened awareness of voice tone and a little more scepticism may be justified in controversial and risky areas without being overly cynical. Verification of responses needs to be rigorous.

Furthermore, audit management will need to consider carefully the degree of assurance that may be forgone and caveat any material gaps in that consistency of assurance. 


Audit technology

By using new technologies in cloud-based applications for collaborative working, video conferencing and remote access infrastructure, auditing will be effective if we ensure that adequate security measures are used for video conferencing and data access, transfer and storage.

The increased adoption of technological and digital tools may require better internal audit file management, workflow systems, data analysis and artificial intelligence. Furthermore, internal audit functions should take the opportunity to introduce strengthened continuous auditing activities, thus enabling internal audit to automate the monitoring of key risks and the operation of key controls, gaining time to concentrate on complex areas of risk.

There is an opportunity to improve audit effectiveness by building stronger internal audit teams. When auditing is done remotely, the location of auditors does not matter and audit teams can be built to ensure the most suitable auditors are assigned to each audit, irrespective of where they are based.


Fraud auditing

The risk of fraud increases now because criminals thrive on chaos, uncertainty and disruption and COVID-19 responses have provided these in abundance. During a paradigm shift, where everything has changed rapidly, unusual activity that could be red flags for fraud may go unnoticed. What has been noticed is that financial institutions have seen spikes in false positive alerts generated by their monitoring software which reflects the fact that customer behaviour has changed suddenly, but for good reason.

Lots of employees are now working remotely, so criminals who can use sophisticated analysis to seek out weak links will take advantage of any weaknesses in controls and in IT security. External fraudsters have sought to exploit people working from home by impersonating managers in order to give payment instructions.

IT governance data indicates that phishing e-mails increased by 667% in the three months after the end of February 2020. Internal audit may need to recommend that extra on-line training is given to employees to cover both the heightened fraud risks and appropriate responses when a suspicion is raised.

Supply chains have been broken and employees are under increased pressure, so it is easier for normal supplier controls to be circumvented and due diligence diluted. 

In its 24th June 2020 Guide for audit and risk committees on financial reporting and management during COVID-19, the National Audit Office offers some good fraud and error framework questions:

  1. What exposure to fraud and error does the organisation have in its responses to COVID-19?
    a. Have controls been turned off or reduced?
    b. Are there new expenditure or procurement streams, or delivery methods that introduce new risks?
  2. How is the organisation managing fraud and error risks?
    a. Are they logged, with a monetary estimate of the potential fraud and error exposure?
    b. Have options to reduce fraud and error been evaluated? Has management assessed the organisation’s risk appetite for losses through fraud and error? Are there any changes to this?
  3. What processes are in place to measure fraud and error and evaluate the effectiveness of activities to prevent or detect this?
    a. How is management using this information to update risk assessments or inform controls?
    b. Does management have real-time indicators to support informed decisions on risks?

Auditing for fraud events is harder when not done face to face, and supplementary data analysis techniques may be needed, some of which have been available for some time. For example, Benford’s Law analyses may be used to search for anomalies and data patterns that are unnatural and which may indicate suspicious activity.

This may be more efficient but also more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be very effective and insightful but it has been recommended by the Association of Certified Fraud Examiners for twenty-five years.
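A first-digit Benford's Law test over a full payment population, as described above, can be sketched as follows. This is an added example, not part of the original paper: the sample amounts are constructed, and the 5,000 approval limit, the minimum sample size and the 5% significance level are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d) for d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507   # chi-square, 8 degrees of freedom, 5% significance
MIN_SAMPLE = 300         # assumed floor; small populations give unstable results


def leading_digit(amount):
    """First significant digit of an amount; None for zero (no leading digit)."""
    if amount == 0:
        return None
    # Scientific notation puts the first significant digit in position 0,
    # which handles pence-only values and credit notes (negatives) alike.
    return int(f"{abs(amount):e}"[0])


def benford_test(amounts):
    """Chi-square goodness-of-fit of first digits against Benford's Law."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n < MIN_SAMPLE:
        raise ValueError(f"only {n} usable amounts; too few for a digit test")
    observed = Counter(digits)
    # Observed minus expected count for each leading digit
    excess = {d: observed[d] - n * p for d, p in BENFORD.items()}
    chi2 = sum(excess[d] ** 2 / (n * BENFORD[d]) for d in BENFORD)
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "nonconforming": chi2 > CHI2_CRITICAL,
        "most_overrepresented": max(excess, key=excess.get),
    }


# Constructed sample data (not real payments): 2,000 invoice amounts spread
# evenly on a log scale from 10 to 100,000, which conforms to Benford's Law.
baseline = [10 ** (1 + 4 * (i + 0.5) / 2000) for i in range(2000)]

# Constructed anomaly: 150 payments sitting just under a hypothetical
# 5,000 approval limit, as might result from splitting larger invoices.
just_under_limit = [4800 + 1.25 * j for j in range(150)]
tampered = baseline + just_under_limit

if __name__ == "__main__":
    for label, data in (("baseline", baseline), ("tampered", tampered)):
        print(label, benford_test(data))
```

A nonconforming result identifies a population, and a leading digit within it, that merits follow-up testing; it is not in itself evidence of fraud, since legitimate pricing or threshold effects can also distort first digits.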


Control circumvention

Past crises and watershed moments for the profession supplied internal audit with important lessons on where controls fail, which remain relevant:  

  • that good controls being overridden (perhaps only 1%, or more likely 0.1%, of the time) may be a greater risk than inadequate or ineffective controls, because the latter can be understood and mitigated in practice
  • whenever controls fail the auditors must keep digging until they get to the root cause of the problem. 

In the June quarter of 2020 and because of the pandemic, management has concentrated on employee and customer safety, business continuity and financial resilience. The shift to telecommuting across the board and slowdown in activity has changed the risk levels and business operating practices. Some controls may no longer function as intended. It is necessary to evaluate how management has adjusted financial and operational procedures to cope with remote work arrangements and offices being unavailable.

This evaluation should include the:

  • adjustment of credit risk and payment terms to reflect changes in customers’ risk profiles
  • review, approval, and documentation protocols for changing static data and making accounting entries
  • re-alignment of IT security controls to deter social engineering attacks and mitigate the lack of employee experience with remote working and using internet communication methods
  • re-evaluation of separation of duties when many employees are ill, away from the office or furloughed.

The review should extend beyond the organisation to cover the continuity of services and controls from third-party vendors, including large business process outsourcing providers operating overseas. 


Agile auditing is a good solution

Agile internal audit planning involves a continuously updated schedule of audits and projects, prioritised by risk. Reporting is both very frequent and more informal, with communication through dashboards and update memos, rather than long form audit reports. 

The main difference between agile and traditional auditing is that inflexible, early stage planning is replaced by iterative planning and a series of sprints, incorporating short bursts of activity covering planning and testing. Typically, the eight weeks or so spent on planning, fieldwork and reporting are replaced with, say, three agile phases totaling six weeks. Read more on Agile auditing: Leading practices on the journey to becoming agile in IIA Global’s Knowledge Brief.


Future opportunities

In future, internal auditors need to give:  

  1. Better assurance on high risk activity, at the risk of attending less to relatively low risk matters. The confidence to do this can be built on greater concentration on evolving risks and monitoring changing risk patterns. Cyclical assurance plans are yesterday's solution.
  2. Assurance on the effectiveness of remote working, emphasising such factors as team morale, control mind-set and communication.
  3. Clearer documentation of their modus operandi to allow strong challenge and review for those working remotely.
  4. Improved early confirmation of findings with management to ensure auditors who cannot see body language have properly understood the written word.
  5. Promotion of internal audit’s value based on the observed benefits during the pandemic of earlier internal audit findings and insights.
  6. Greater consideration of more extreme stress scenarios.
  7. Assurance on control resilience to circumvention and fraud.
  8. Better use of the reduced time that can be spent with internal audit customers/clients.
  9. Re-assessment of how organisations operate and have changed so that control effectiveness can be tested in this light. Auditors need to be wary of looking like generals who seek to re-fight the previous war, oblivious of new forms of attack, technology and techniques. 

The entirety of what has been set out may be a significant change agenda and greater for some departments than others, so it is best to get the audit team involved, individually and collectively.

As with any change, people who are actively involved in it, rather than simply subject to it, will be more content and effective in development and implementation. They can then assist it to be resilient and are more likely to surface weaknesses and resultant errors than if they had not been involved from the start. 

It is important that internal audit and audit committees re-evaluate previous audit actions. Work priorities have changed and the implementation of previously agreed audit actions may no longer be a main priority. Internal audit should consider:

  • reviewing and re-prioritising the action tracker with the audit committee
  • for high priority internal audit actions, talking to internal audit customers/clients to confirm the status of relevant actions and whether their deadlines remain achievable.

Internal audit’s role after the crisis should reflect the main lessons covering the:

  • ability of management to make appropriate decisions during times of stress
  • cultural concerns arising from employees’ ability to adapt and respond to the crisis
  • financial resilience and liquidity
  • dependencies on suppliers and third parties
  • disadvantaged customers
  • effectiveness of business continuity plans
  • adequacy of IT systems.

Further reading 

Office for National Statistics: Coronavirus and the impact on output in the UK economy: April 2020

Financial Conduct Authority - Coronavirus (Covid-19): Information for firms, 'Market trading and reporting'  

Financial Conduct Authority

Association of Certified Fraud Examiners – Using Benford’s Law to detect fraud

The following guidance is only available if you are a member of the Chartered IIA:

Guidance - Root cause analysis

Articles and reports on agile internal auditing

Global Insights

Agile internal audit - Leading practices on the journey to becoming agile

Agility and innovation 
