An Inside Look at COVID-19’s Impact on Internal Audit at Retail Broker-Dealers

September 01, 2020

By Nina Kelleher & Jack Paladino   

download button.jpg

The impact of COVID-19 on the financial services sector has varied. Organizations with revenue streams dependent on interest rates, advisor growth or overall market viability are experiencing turbulence, while others are thriving through a volatile market.  Like the organizations they protect, chief audit executives (CAEs) were faced with an onslaught of challenges requiring short-term, agile responses during the pandemic.  CAEs are now beginning to assess the lessons learned to determine how their long-term strategy will be affected as they begin to navigate a path forward. 

EisnerAmper had the opportunity to gain insight from Tibyasa Matovu, CAE of Cetera Financial Group (“Cetera”), one of the largest independent retail broker-dealers in the U.S., regarding how the pandemic affected the internal audit plan and caused the department to provide short-term solutions.  The following topics were emphasized:

  • Reassessments of risk and the internal audit plan, including reprioritizing planned audits;
  • Maintaining internal controls; and
  • Transitioning to a remote auditing environment.

Reassessments of the Internal Audit Plan

EISNERAMPER:

Has Cetera’s internal audit department reassessed the internal audit plan, or audit scopes, based on the impact of COVID-19?

MATOVU:

From March to June 2020, our team reassessed the internal audit plan three times.  Initially, to allot time for business units to adjust their processes and controls to the new, virtual environment; then, the focus shifted to security, including that of Cetera’s offshore team, network access and personally identifiable information (PII) protections.  We wanted to ensure that the firm’s infrastructure was properly equipped to address the potential risks presented by the remote workforce environment and that the previously (strictly enforced) procedures and controls were being treated with the same standard of care and were not being circumvented.  To address this concern, a review over privacy considerations was built into the internal audit plan.

Maintaining Internal Controls

EISNERAMPER:

How has the internal audit department worked with key stakeholders within the organization to stress the importance of maintaining strong internal controls during the COVID-19 stay-at-home order?

MATOVU:

Our team recognized the need for perspective over the reinforcement of controls.  The objective was to maintain a level of internal controls without restricting essential business operations  To assist, I stressed the importance of management review controls (MRCs) through positioning internal audit as a partner working with the business; offering guidance to the firm’s operations and accounting teams with methods to translate manual controls to remote execution.

Transitioning the internal audit process remotely

EISNERAMPER:

How do you feel the internal audit department was positioned to shift to working in a remote environment?

MATOVU:

The internal audit execution was largely unaffected by working from home as audits previously had a remote component.  Although not ideal, our team has been able to complete walkthroughs and testing remotely by leveraging tools such as video conferencing and a recently implemented firm-wide enterprise, governance, risk and compliance (eGRC) platform.  However, there are delays with follow-up requests and socialization of findings.

Longer-term Impact of COVID-19 on Internal Audit

The Institute of Internal Auditors (IIA) published results of a survey conducted with internal audit leaders in an effort to analyze the long-term impacts of COVID-19 that CAEs are expecting to navigate.  The survey highlights a variety of key areas of consideration including:

  • Risk assessment frequency;
  • Internal audit plan update frequency;
  • Audit committee communication;
  • Internal audit travel budget; and
  • Internal audit competency needs
    • Communication
    • Cybersecurity
    • Innovation and change.

While the survey was distributed across industries, from a broker-dealer perspective, communication, cybersecurity, and innovation and change lead the way.  This is aligned with the themes that Mr. Matovu conveyed.

The conversation concluded with discussions relating to long-term areas of focus regarding internal audit communications and an extended work-from-home period.  It was indicated that communications and meetings with the Audit Committee chair have increased and are paramount, as well as an open dialogue with Cetera’s CFO.  As the company continues to adapt, so will the internal audit plan. 

EISNERAMPER:

Are there any other factors to consider regarding COVID-19’s impact on internal audit activity?

MATOVU:

 There are a few things for internal audit practitioners to consider.  First, it is important to understand that internal audit is not revenue-generating and the primary objective of the firm is focused on financial viability and commitment towards our advisors.  Internal audit is tasked with providing process assurance, guidance and independent review of all our key decisions (assumptions of risks associated with remote workforce, etc.) and maintaining the fiduciary responsibilities to the shareholders (if any), CEO, chairman of the board, and the firm as a whole.  The internal audit value proposition arises from analyzing aspects of the organization from an independent perspective, to ensure assurance while enabling growth.  The second thing is to never lose sight of the bigger picture.  We previously discussed the importance of maintaining advisor relationships for our firm’s business operations.  Strictly enforcing internal controls during the global pandemic might be short-sighted, rather the focus should be on enabling sustainable growth and recovery.  As always, it is important to have constant communication with the executive leadership team and the audit committee chairperson to fully appreciate their concerns for the firm and ensure alignment with audit objectives.  Regardless of the number of audits the internal department is able to produce within a year, the goal is to provide independent assurance, enable growth, and ensure close alignment with the CEO, audit committee and members of senior management.


PRTS Intelligence Newsletter - Q3 2020

About Nina Kelleher

Nina Kelleher is a Director specializing in Process, Risk, and Technology Solutions (PRTS) with expertise includes planning, executing and leading audits, conducting risk assessments and completing financial statement due diligence.

About Jack Paladino

Jack Paladino is a Staff Consultant specializing in Process, Risk, and Technology Solutions (PRTS), with experience serving both public and private companies.

Have Questions or Comments?

If you have any questions, we'd like to hear from you.