Adapting Internal Audit: An Outlook, Post COVID-19
October 15, 2020
Nina Kelleher, a director in Process, Risk, and Technology Solutions, speaks with Alan Frank, a partner in Process, Risk and Technology Solutions. Alan gives some insight on how internal audit professionals are anticipating the role of the internal auditor to change in a post COVID-19 environment.
NK: I previously hosted a podcast series discussing the challenges and risks that have emerged from a remote workforce, as a result of COVID-19, along with some possible solutions. In this podcast, I'd like to focus on what internal audit professionals are anticipating the role of the internal auditor will look like going forward. As we have seen in these past difficult months, every industry has had some effects of the pandemic. How do you think COVID-19 will affect the internal audit function?
AF: Well, I think the first thing that everyone needs to realize is that things have changed, and will likely remain changed even after the pandemic is over. It's important for people to remember that internal audit, despite the challenges that COVID-19 is presenting, still has a critical role in helping their organizations manage the risk. Certainly, COVID-19 has presented challenges to the internal audit function, particularly around how internal audit is delivering their value to their organizations. And many internal audit functions have adapted to deliver their services in a variety of new ways, which is kind of exciting for the profession.
I believe that this has highlighted the need for increased communication to the critical stakeholders within an organization, particularly management and the audit committee.
NK: You touched upon how organizations manage risk might change. Can you expand upon that a little bit, and let us know how you think this will impact their risk analysis?
AF: Sure. And I think before I start talking about the risk analysis, I'd like to begin with the fact that many organizations have established a COVID-19 response team to address the litany of operational challenges that have emerged during the pandemic. And I want to highlight that internal audit, similar to other special projects that organizations undertake can, certainly, play a critical role in helping organizations with their COVID-19 response plan, particularly around how those plans are being designed and rolled out throughout the organization. Internal audit can assess those plans from a design and effectiveness standpoint. And provide valuable recommendations, so they have maximum value to the organization.
But to continue on that around risk assessment, in a typical year, internal audit plans often change from the start of the year. Projects get added or dropped, resources need to be reallocated to areas of developing risk. And I would just say it's pretty obvious now that COVID-19 and the global pandemic, certainly, qualify as a factor that will most certainly reshape virtually every internal audit plan at the start of 2020. I can't imagine any internal audit plan that hasn't gone through a level of change based on the impact of COVID on their organization. So, I would expect internal audit departments to do more frequent risk assessments. I would imagine that organizations have put into place new procedures, new programs. Existing programs, and procedures have gone through a level of modification. And there's, certainly, new risks that have emerged during the pandemic that the internal audit plan developed at the beginning of the year most, certainly, has changed and has been modified.
NK: Like you mentioned, internal audit plans are dynamic, and risk assessments have been revisited and refreshed more frequently. How do you think audit committee meetings and communications are going to change?
AF: Well, internal auditors, in general, the chief audit executives at organizations tend to have a pretty fluid relationship with their audit committee chairs. And so, typically, the internal audit executive and the audit committee chair are speaking rather frequently as a normal course. What we've been seeing, or what I've seen with other organizations is the fact that there's been added questions by the audit committee chair in terms of how the organization is adapting to the new challenges. Are things still operating in the same manner in which they were prior to the pandemic? They want to be assured that policies and procedures are still being followed and adhered to. And that the organization is not struggling with anything that might pose an issue from an internal control perspective. So, although the level of communication has remained relatively consistent, there's just added questions being asked, and rightfully so. Obviously, there's a great deal of change and new risks that need to be discussed and dealt with.
NK: Recently, the Institute of Internal Auditors conducted a survey of many audit leaders just to get an idea of how they feel COVID-19 is going to affect their everyday operations. And while the survey was conducted across various industries, a quarter of the respondents were within the financial services sector. And one of the key takeaways were they were anticipating budgets to change. Can you discuss that a little more and what you're seeing with your clients, and how they're shifting priorities based on those budget changes?
AF: Certainly. So, many internal auditors have had to need to adjust their budgets in light of the impact of the pandemic. One thing's for certain, a component of most internal audit budgets is travel. And given the restrictions on travel due to the pandemic, much of that budget has been eliminated, or greatly reduced as we move back to a work in the office environment, but that's still down the road a bit. So, internal auditors have to do things differently. Instead of doing their work on site, have to do more work remotely which, obviously, has impacted their travel spend.
The other thing too is there's been, obviously, a view on the staffing levels of the internal audit function. And clearly what I would say there is that if the internal audit function hasn't pivoted and shifted, like I had mentioned earlier, hasn't adjusted their audit plan to address the new risks, clearly they might find themselves with over capacity because the projects that they would be working on are no longer going to be executed. But what I've been seeing is, though, the internal audit functions have shifted to deal with these emerging risks, and reshape their audit plan in a way that they're keeping their staff fully engaged on a variety of issues that have an internal audit need, as well as addressing special projects at the organizations in which they serve.
So, although we've seen a downsizing to some extent, we've also seen a lot of internal audit functions just become more versatile in adapting to the change, and redeploying resources to areas that are in need. And, also, what we've seen is that projects have, budgets have been reduced so that maybe they're hitting a variety of areas a little bit more so. So, time spent on an area is reduced, so they can allocate time to other areas. So, I think overall Nina, that although there's been some reductions, I think, most internal audit functions have found ways to keep themselves pretty occupied on the emerging risks that the COVID-19 pandemic has presented to their organization.
NK: Thanks, Alan. What are some other highlights from the survey worth mentioning?
AF: Well, the key takeaway is that the internal audit, like I said, are responding to the challenges faced by the pandemic. And we see this in the adoption of more flexible approaches and, honestly, being a little bit more creative in the way they're rolling out their audit plan, and engaging with the stakeholders within the organization. One way to showcase this is chief audit executives are updating their audit plans most commonly through canceling some planned audits, and reducing audit scopes in other areas. And they're doing this and replacing those with the emerging risks that the risk assessment has highlighted given the impact of the COVID-19 pandemic.
And what we see here, as we've gone through the changes and the challenges, is we've seen a greater demand for internal auditors in some critical areas. One, as you can imagine, being in a more work remote environment there's still a critical need to engage your stakeholders. You're not always going to be in person, which internal auditors place a lot of value on that personal interaction to create that bond and comradery amongst your stakeholders. Clearly, that's been limited with the work from home environment. So, communication skills, verbal communication skills, we're doing a lot of different ways of connecting with people has just highlighted the need of internal auditors to develop those softer skills to get their point across and be effective during, during this environment.
And the other area too, as you can imagine, is the increase in cybersecurity risk that this has presented to organizations. So, auditors, the need to develop their cybersecurity skills and awareness has only increased. And I expect that to be going forward as well. And just the ability to change and adapt, and have a flexible mindset, and be open to exploring new technologies, or new ways of doing things, I think has been one of the most positive changes that have resulted from the pandemic as it relates to internal audit. I expect many of those changes to continue afterwards because many of these changes have highlighted the need for increased technology, different approaches of doing their function. And many organizations have found a great improvement in productivity and effectiveness. And I think that's one of the positive byproducts of what we've been going through. And I expect those changes to continue on.
NK: Lastly, what's EisnerAmper doing to stay ahead of the shifting landscape for their internal audit clients?
AF: Well, we're trying to help our clients as best we can adjust to all these changes. Clearly, we have a pretty good purview across many clients, across many industries, and we're able to share those insights with our clients. The lessons learned, best practices that we've seen. And that's been very helpful for us. We've seen how other organizations have dealt with things to face the threats, and the risks presented by the pandemic. And we've been able to very successfully share those ideas, and make those organizations more effective, and efficient, and reassured as they go through this process.
NK: Alan, thank you for this valuable information. And thank you for listening to the EisnerAmper podcast series. For more information on this, and a host of other topics, visit eisneramper.com/PRTS and join us for our next podcast.