The COVID-19 Lockdown has dramatically re-ordered our lives in all sorts of ways. 54% of people participating in a YouGov poll, reported in the news in April 2020: hope to make changes in their lives and wanted the country to learn from the crisis.
The Chief Executive of the Royal Society of Arts, said that "we must use this time to imagine a better future."
Barclays CEO Jes Staley said that “There will be a long-term adjustment in how we think about our location strategy...the notion of putting 7,000 people in a building may be a thing of the past.”
Coronavirus has changed many things and for example, is set to hasten the decline in the use of cash (a recent report suggested this will leave only 20% of people relying on notes and coins, many of whom are vulnerable). Our perennial duty is to adapt and change but to manage the consequences as we do so.
The Office for National Statistics report: Coronavirus and the impact on output in the UK economy: April 2020 soberly painted a picture of an entire economy in crisis. April 2020 showed particularly sharp falls, as the negative impacts of social distancing and 'lockdown' led to a significant fall in consumer demand and business and factory closures, as well as supply chain disruptions. The month recorded the largest fall in GDP since monthly records began in 1997, reflecting record widespread falls in services, production and construction output. The public sector and charities also expected large reductions in activity.
Turning to just one example of a more specific crisis threat, the Financial Conduct Authority (FCA) concerns over algorithmic trading and market abuse have increased. Following COVID-19, the FCA reiterated its expectation that 'firms should continue to take all steps to prevent market abuse risks.’ Headlines included 'US stocks fall 12% in worst day since 1987' and the VIX index, the market's 'fear gauge', jumping to a record high on 16th March 2020.
Given that market returns can increase significantly for fast movers during periods of increased volatility, artificial intelligence algorithms could make a rational, though unintended, choice to engage in market manipulation for the benefit of their investing clients but at the expense of other investors; this could go beyond the wide-spread use of algorithms accentuating market volatility.
Many concerns for internal audit are arising across sectors. The question arises for us, how can this shape the future of internal audit? As we have all heard and said, things will not return to normal and new norms are to be expected. For all of us, we have a role to play in helping create better processes and specifically, better internal audit practices. One can ponder how exactly we might be more effective internal auditors and participants in the overall assurance process. Also, what risks might we all pose not only by changing too much but also by changing too little?
As occurred in the financial crisis, precipitated by the banking failures in 2017 and the building of leveraged debt instruments, inflated real estate prices and abundant credit, which preceded them, internal audit must come out of the current epidemic stronger as a result of the learning opportunities that crises afford us. In these early days, these may be seen as:
These will require risk mitigation by audit departments themselves, because of the change in working patterns and audit coverage. Change is not driven by failure of the audit processes ('comfortable irrelevance' enjoyed by internal audit, was an expression of the credit crisis, a decade earlier) but rather by the unrequested opportunity afforded by prolonged remote working. Internal audit must evaluate the increased risks inherent in work now being done remotely by colleague across the company.
Internal auditors need to think more broadly about audit scope including prioritising operational resilience and considering more carefully a wider range of high impact, low likelihood scenarios and planned responses.
The Mission of Internal Audit from the International Professional Practices Framework leverages the entire framework in normal times and can add value in managing through the pandemic, if we are thoughtful and decisive in our change agenda; it is:
“To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.”
Never before has the role of internal audit in reviewing and reporting on adverse events been so pertinent. Reflection on the lessons learnt and analysis of what went right and wrong are likely to be key drivers and inputs into identifying priorities and setting a forward-looking internal audit plan.
The purpose of this paper is to offer guidance to internal audit management, once the current pandemic is brought under control and when proactive rather than reactive action is possible. Endorsement may be needed by others, including the audit committee but leadership is needed from within the function. Another factor to bear in mind is that other teams will change their patterns for remote working which may limit some of internal audit’s choices.
Based on a small survey yielding ten responses (27% - 10/37), conducted in support of the research undertaken for this paper, the experienced auditors who responded (whilst working from home during the COVID-19 epidemic lockdown that commenced on 23rd March 2020) gave various opinions on how this should shape future changes:
The plan to increase remote working has many advantages for staff work life balance, reduced travel time and dedication to the task in hand. However there are risks that include:
Further consideration is given to the latter two because controlling them will need greater input from internal audit management. One of the benefits of colleagues in different departments working in the same building is that it has always been relatively easy for the auditors and their laptops to locate to the trading desk or office area subject to audit, then to work on audit tests, whilst normal activity continues.
The auditor, whilst remaining productive, hears about any frequent problems as they occur and picks up on how they are resolved and errors are corrected. Sometimes people bounce ideas off the auditor and thus it is both interactive and educational. The process is informative and likely to assist in the drafting of reports and the formulation of recommendations.
If an auditor is working remotely, this drip feeding of knowledge and observation of culture, is harder or impossible and audit management may have to request and obtain minutes of team meetings that may discuss recurring problems, as a substitute, in the hope that such matters are covered and are fully documented.
Turning to feedback from internal audit customers/clients, this takes the form, like other communications, of a combination of the spoken word, the tone in which it is delivered and the body language (including facial expressions and eye contact; head movements; hand gestures; body posture) of the speaker and their colleagues, as they hear the words spoken. Dissonance and leakage may occur which cast doubt on part of what is being said and of any important omissions. This is not so easy for internal auditors to detect when working remotely even if the speaker is seen and heard in a small box viewed on screen. Heightened awareness of voice tone and a little more scepticism may be justified in controversial and risky areas without being overly cynical. Verification of responses needs to be rigorous.
Furthermore, audit management will need to consider carefully the degree of assurance that may be forgone and caveat any material gaps in that consistency of assurance.
By using new technologies in cloud-based applications for collaborative working, video conferencing and remote access infrastructure, auditing will be effective if we ensure that adequate security measures are used for video conferencing and data access, transfer and storage.
The increased adoption of technological and digital tools may require better internal audit file management, workflow systems, data analysis and artificial intelligence. Furthermore, internal audit functions should take the opportunity to introduce strengthened continuous auditing activities, thus enabling internal audit to automate the monitoring of key risks and the operation of key controls, gaining time to concentrate on complex areas of risk.
There is an opportunity to improve audit effectiveness by building stronger internal audit teams. When auditing is done remotely, the location of auditors does not matter and audit teams can be built to ensure the most suitable auditors are assigned to each audit, irrespective of where they are based.
The risk of fraud increases now because criminals thrive on chaos, uncertainty and disruption and COVID-19 responses have provided these in abundance. During a paradigm shift, where everything has changed rapidly, unusual activity that could be red flags for fraud may go unnoticed. What has been noticed is that financial institutions have seen spikes in false positive alerts generated by their monitoring software which reflects the fact that customer behaviour has changed suddenly, but for good reason.
Lots of employees are now working remotely, so criminals who can use sophisticated analysis to seek out weak links will take advantage of any weaknesses in controls and in IT security. External fraudsters have sought to exploit people working from home by impersonating managers in order to give payment instructions.
IT governance data indicates that phishing e-mails increased by 667% in the three months after the end of February 2020. Internal audit may need to recommend that extra on-line training is given to employees to cover both the heightened fraud risks and appropriate responses when a suspicion is raised.
Supply chains have been broken and employees are under increased pressure, so it is easier for normal supplier controls to be circumvented and due diligence diluted.
In its 24th June 2020 Guide for audit and risk committees on financial reporting and management during COVID-19, the National Audit Office offers some good fraud and error framework questions:
Auditing for fraud events is harder when not done face to face and supplementary data analysis may be needed, some of which have been available for some time. For example Benford’s Law analyses may be used to search for anomalies and data patterns that are unnatural and which may indicate suspicious activity.
This may be more efficient but also more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be very effective and insightful but it has been recommended by the Association of Certified Fraud Examiners for twenty five years.
Past crises and watershed moments for the profession supplied internal audit with important lessons on where controls fail, which remain relevant:
In the June quarter of 2020 and because of the pandemic, management has concentrated on employee and customer safety, business continuity and financial resilience. The shift to telecommuting across the board and slowdown in activity has changed the risk levels and business operating practices. Some controls may no longer function as intended. It is necessary to evaluate how management has adjusted financial and operational procedures to cope with remote work arrangements and offices being unavailable.
This evaluation should include the:
The review should extend beyond the organisation to cover the continuity of services and controls from third-party vendors, including large business process outsourcing providers operating overseas.
Agile internal audit planning involves a continuously updated schedule of audits and projects, prioritised by risk. Reporting is both very frequent and more informal, with communication through dashboards and update memos, rather than long form audit reports.
The main difference between agile and traditional auditing is that inflexible, early stage planning is replaced by iterative planning and a series of sprints, incorporating short bursts of activity covering planning and testing. Typically, the eight weeks or so spent on planning, fieldwork and reporting are replaced with, say, three agile phases totaling six weeks. Read more on Agile auditing: Leading practices on the journey to becoming agile in IIA Global’s Knowledge Brief here.
In future, internal auditors need to give:
The entirety of what has been set out may be a significant change agenda and greater for some departments than others, so it is best to get the audit team involved, individually and collectively.
As with any change, people who are actively involved in it, rather than simply subject to it, will be more content and effective in development and implementation. They can then assist it to be resilient and are more likely to surface weaknesses and resultant errors than if they had not been involved from the start.
It is important that internal audit and audit committees re-evaluate previous audit actions. Work priorities have changed and the implementation of previously agreed audit actions may no longer be a main priority. Internal audit should consider:
Internal audit’s role after the crisis should reflect the main lessons covering the:
Office for National Statistics: Coronavirus and the impact on output in the UK economy: April 2020
Financial Conduct Authority - Coronavirus (Covid-19): Information for firms, 'Market trading and reporting'
Association of Certified Fraud Examiners – Using Benford’s Law to detect fraud
The following guidance is only available if you are a member of the Chartered IIA:
Guidance - Root cause analysis
Articles and reports on agile internal auditing
Agile internal audit - Leading practices on the journey to becoming agile
Agility and innovation