There are many unanswered questions regarding the short and long-term ramifications on organizations regardless of geography or industry. We encourage you to assess the possible scenarios in which the virus may impact your team, colleagues, customers and business, in a holistic and collaborative manner.
This is also the time to review departmental and organizational Business Continuity Plans, and quickly involve yourself and your team to execute those plans, as needed. If the current crisis management program does not contemplate a pandemic scenario, then the experience, tools and views of the Internal Auditor may be invaluable in developing such plans.
Extraordinary times require extraordinary leadership. It is important that Internal Audit leaders and key business leaders communicate with each other and work as a team. For example, your organization may be diverting critical facility operations to another location or creating redundancies in its supply chain for scale. There may be additional risk factors in these operational changes that need to be considered. Changes in the organization as a response to challenges create a need to refine and enhance the risk management processes to better protect the organization.
The recent events that have unfolded as a result of the corona-virus are an important reminder that neither audit plans nor the ways of accomplishing work are static. We need to scrutinize the upcoming audit plans and re-prioritise any upcoming audits based on their significance, regulatory requirements and the ability to execute them in a potentially disrupted environment. As the situation evolves and travel restrictions change, we may need to consider how to complete audits without physical access to corporate locations.
• Careful consideration should be given to how data analysis may be performed utilizing centralized source systems to execute internal audits without the need for a traditional site visit. For example, the use of analytics may involve evaluating locations or processes that exhibit a more mature control environment based on historical performance compared to those which present more risk to the organization.
• Consider replacing in-person meetings with video-conferencing and project management software to reduce time spent reading and responding to e-mail.
• Review the internal audit plan and re-visit the approach to the internal audit. If an internal audit team can not physically visit a site, think of creative ways to still gain risk coverage. For example, if production plants have video surveillance, would internal audit be able to use those feeds to check whether critical physical controls are still working?
• Plan virtual team-building and socializing activities the same way you would in the office. Set aside time to catch up on each other’s personal lives. Create an open format where people enjoy sharing recent experiences that allows for that sense of belonging and enjoyment of being part of a team.
• Identify ways for the organization to cut costs to avoid layoffs by focusing on a combination of smaller reductions, such as eliminating pay increases and reducing unnecessary spending, rather than larger, disruptive changes.
Under normal circumstances, around this time risk professionals and internal auditors might find themselves preparing for a yearly ERM exercise and a 3 year audit plan, but these exceptional times call for a different set of priorities and an occasion to use those skills in new ways.
The virus is a vivid example of the emerging risks; Some are very difficult to foresee, and their ultimate impact is hard to judge. But this difficulty does not mask the truth that COVID-19 presents a clear and compelling danger, not only for the health and well-being of the general population, but for organizations around the world.
These types of risks need attention, and internal audit's unique skills and positioning can be invaluable. There are key actions internal auditors should already be starting in support of their organizations.
Now is the moment to look beyond the annual routine and step up to help your organization using your specific set of competences and knowledge, which can make a valuable contribution in a number of priority areas over the coming months, including:
1. Understand and assess the full range of immediate risks. Management is responsible for managing risks. They should already have in motion expanded efforts to identify all possible risks, assess their potential impact, and think through responses.
Internal audit is a master at objectively addressing risks. Through conversations with management and participation in any variety of activities, internal audit can assess whether management has identified the full range of risks — direct and indirect — and the range of actions to manage these potential impacts, especially if the unthinkable might happen.
Management likely has started discussing risks relating to business travel, assessing the capabilities of employees working remotely for potentially long periods, determining whether critical business operations can be transferred to different locations, considering interruptions in supply chains, and ensuring effective two-way communication with staff. However, these are only a subset of the potential impacts. Internal audit can assess whether management is considering potential disruptions in offsite data-storage services, how an outbreak could affect customer-buying behaviours, or whether the organization's ability to provide customers with technical service will be disrupted.
2. Contributing to business continuity
Many companies are struggling to cope with the challenges we are currently facing, partially because of the limited attention given to Business Continuity in the past. Now is not the time for regrets, but constructive collaboration to develop agile responses and identify practical solutions. There is still a lot that can be done to catch-up in the response and recovery phases.
3. Providing insights in the changed risk and opportunity landscape
“Predicting the unpredictable: dealing with risk and uncertainty” has always been a key mantra, and this holds true today with the emergence of COVID-19. There are many associated risks which are impacted by COVID-19, for example: Cyber and Fraud risks, Reputation risks, Supply Chain risks, Health & Safety, to name a few. As a risk professional you are best placed to provide new insights to top management regarding the impact on your organization’s risk and opportunity landscape and to improve structured reflections on the measures taken and anticipated. These risks should be on your organization’s radar now to allow them to take these into consideration when making decisions. Please don’t wait for your yearly ERM update to address these.
4. Auditing the cash flow
Auditing the organisation’s cash management practices to assure there is a cash reserves policy and minimum cash holding limit in place to see the organisation through an unexpected crisis.
5. Risk mitigation and recovery
When an unforeseen crisis such as a pandemic occurs, provide immediate internal audit services to the mitigation, and then later to the return to business-as-usual effort.
6. Ensure technical capabilities are performing properly:
Simple tasks such as ensuring team members have the ability to work remotely, VPN access is working, and documents are placed in the cloud (such as OneDrive or Google Drive) are the basics which can sometimes be overlooked. Most organizations already have features such as Teams, OneDrive or Google Drive available which can be accessed should VPN services become unavailable. Ensuring working papers are maintained on the cloud can help avoid disruption should audit team members need to work remotely.
7. Promoting a risk culture
The human aspect of this crisis is fundamental and should also be explicitly addressed when implementing hard risk mitigating and BC measures. Risk professionals can actively take up the role ensuring that the risk management and business continuity measures:
· are clearly defined and understood,
· are made visible in the organization,
· involve the entire organization,
· are fully applied by top management,
· are executable,
· can be openly discussed,
· are enforced,
· are continuously improved.
When faced with COVID-19, internal audit executives may understandably feel they’re in uncharted territory. Companies are dealing with an avalanche of new challenges — which demand rapid responses in an environment that changes by the hour.
In these challenging times, internal audit executives have an obligation to help their companies manage the most critical risks COVID-19 has either created or magnified. While business leaders juggle the dual imperative of crisis response and operational continuity, internal audit executives can help them weigh risks and opportunities to inform their decisions.
Looking forward to your comments.
If you’re not yet a Aryan Consulting customer, we're still here for you. Check out our solutions, or let us know how we can help.
Comments