IA at a distance: conducting audit engagements remotely

Each week sees even more internal auditors get to grips with the realities of working remotely. Some internal auditors are supporting their organisation through helping the first and second lines directly.

Whereas, you may well be conducting business-critical internal audit engagements instead. These could be part of the annual or periodic plan, yet so important that even in the current crisis, you must retain them. They could also be new assurance or consultancy engagements that the crisis has prompted. In either case, carrying them out remotely imposes new ways of working – and thinking.

Three essential elements – communication skills, auditing tools and basic auditing principles are no different from what you already use. It’s all about tweaking them to be just as effective remotely.

Communication skills

Any engagement will require these skills as you interact with members of staff at all levels. The main difference is that instead of face-to-face meetings and interviews, you will have to rely on – at best – software such as MS Teams, WebEx, Zoom and Skype. If these are not available, for whatever reason, then traditional telephone calls and email exchanges will have to suffice.

For many people, this offers advantages. One can (with permission) record Zoom meetings and telephone calls or consult email exchanges to confirm what other parties said – although will not instill trust or enhance relationships!

Better to acknowledge we do lose information when not interacting face to face. Even using the applications mentioned earlier, we typically see only the face – not the body language. Subtle hints we pick up on in person can be lost, and this is even more the case in telephone and email exchanges.

The Institute guidance on communication skills covers different communications channels. This will help you adapt your message to the medium – allowing, for example, longer pauses. You are likely to need to prepare more open-ended and follow-up questions than usual, too. Someone you speak to by telephone may need to be coaxed more than would be the case in person.


You may have full access to the software your function uses for internal audit management, or CAATs and data analytics. However, some teams may need to extend the number of licences needed for the entire function to have remote access. Others may discover that some colleagues who are working from home do not have organisation-issued laptops.

If authorised to work from a personal laptop, home-working staff may still face problems such as no secure access or VPN, or unreliable broadband. This has been more common in some rural areas. However, it is also problematic in areas with good coverage but currently experiencing high broadband use.

If this is the case, it’s a simple matter of documenting your work offline, then uploading it when you have secure access. The IIA guidance on working papers should make it clear the criteria are the same, whether you have uninterrupted, secure access to your entire suite of audit software or are relying on pen and paper.

If you work for a large, multinational organisation, you may have some overseas colleagues who have to do this anyway. Think of how many countries have intermittent or unreliable electricity supplies – any colleagues you have working in such locations could share their working practices with the wider team. They will have come up with solid processes that document their work to the required standard, without relying on 24/7 secure network access.

Assessing evidence

None of the above should come as news to internal auditors. We do all of this to a greater or lesser extent under normal circumstances. After all, we may find ourselves travelling to remote areas to conduct onsite testing and have to improvise how we document our work.

However, even if working comfortably from home with access to all we need, we will feel unmoored from many of our usual practices. One of these may be to conduct on-site testing. Where we are testing electronic controls and transactions, CAATs should have long ago stepped in to reduce this burden. Whether it’s for continuous monitoring or specific data analytics, accessing and interrogating the organisation’s systems is now the norm for most functions.

Carrying out tests on physical elements, however, may require creative thinking. If you need to review physical access to a site, you may normally rely on a combination of electronic records (for swipe card access), security camera footage and physical observation. Remote video linking can replace on-site observation for the last elements, and screen-sharing allows you to walk through processes.

If you would normally handle paper documents, you may need to ask whoever has access to photograph or scan them and send them to you securely. One CAE, of a marine construction company, issued his team with digital cameras before iPhones became commonplace. Given that so much of their testing was of physical assets and practices, he found a picture really is worth a thousand words – and his audit committee agreed.

One photograph, of a fire door propped open with a fire extinguisher, carried one simple caption: '11 out of 13 sites’. Another showed a sign-in and sign-out sheet for site staff – every signature in the same handwriting, signing in and out at the same time, and using the same name!

As with any document, you can check the provenance and other attributes by inspecting document properties. Photographs of signed documents should give you a sense of their reliability. If, for instance, a signature looks erased and overwritten, follow up as you would normally.

You may still be unable to perform necessary tests because the systems and – more likely – the staff aren’t available. Consider to what extent this will affect your audit opinion, and how you will communicate this to the first line and audit committee. Use your professional scepticism as you would in person – and maybe consider using these techniques once many of us return to office-based practice.

At all levels of internal audit, we are having to adapt what we normally do. No matter how much technology has changed our working lives, we are now only just realising the extent of our daily face-to-face interaction. Re-thinking how we use technology to deliver our assurance, without losing the human element, proves that internal audit will still deliver.

Further reading

Communication skills

Conducting an interview: Top tips

Working papers: Top tips

Computer assisted audit techniques (CAATs)

Content reviewed: 8 April 2021