With the world being taken on a roller coaster ride of lockdowns, resurgence of the virus, and circuit-breaker lockdowns, businesses are pulling out all the stops to nudge out risks and future disruptions. Organizations, irrespective of the industry they belong to, are straddling business continuity plans with process reinventions. And, the Internal Audit (IA) team has been a resolute part of this reinvention plan, galvanizing itself for the “next normal.”
IA teams recognized early on in the day that the impact was not quite the same on every industry, with some being more regulated than the others. Thus, the first job right after the pandemic hit was to understand the risk profiles for each business to create that much-needed safety net. Managing risks against the backdrop of such galloping changes and unprecedented chaos was not easy even for IA teams. However, their deep knowledge of the organization and their unique position within that fold has made them the fulcrum of this change today.
To turn the wheels and to do so in a sustainable manner, the IA teams need to make way for seamless and high degree of coordination among all the three lines. The priority is to support businesses and customers alike. The internal auditors must undertake fresh evaluations of operational as well as compliance risks and also weigh the consequences of having unmanaged risks, if any. There is a recognition of the fact that some of the audit activities will have to be pushed into the next year to grapple with the shifting risks’ landscape. And, of course, all this will have to be done while ensuring adequate risks are being managed to wade through the crisis and beyond.
So, the internal audit function too has had to press the quick pause and the reboot buttons. It is no surprise that internal auditors’ role is undergoing a metamorphosis.
In the core of a crisis lies the spark of an opportunity. There are two key actions the IA team must take to get a better grip on such unimagined and unparalleled crisis – now or in the future.
There’s an immediate need to:
There must be acceptance of the fact that a pre-March audit plan has ceased to be relevant and, therefore, an urgency to put a new audit response in place. A post pandemic world calls for a dynamic planning process. Here, the buzzwords have to be greater resilience and versatility as an audit function. A fresh assessment of both external and internal risks has to be undertaken as businesses deal with supply chain disruptions, liquidity shortages, order cancellations or the challenge of doing more with less people. And while businesses dealt with these, many audit teams had to push out a chunk of their plan to the next year. While this freed up capacity to address the “what next and how” question, it also prodded IA teams to take a rational capacity utilization exercise.
While the crisis creates an opportunity to revisit the audit plan, it also opens the door to execute a new assurance approach – a rapid assurance model for the next normal. As the IA team helps pre-empt emerging risks, enables company boards to realign risk perceptions with the changing controls landscape, helps them stay clued in to new regulatory and compliance requirements, it becomes critical to chart a new and timely path to assurance.
The traditional methodology calls for a revision and a rethink as IA teams reckon it is out of sync with the post-COVID scenario. It is imperative for IA to press for rapid assurance as it provides real-time assurance while organizations usher in new business models, develop new products and at new price points. Recalibration of assurance approach augments recalibration of evolving business models.
The changes in audit plans, the new approach to assurance – are new prospects that probably wouldn’t have been explored if not for this pandemic. Be it credit risk management, back office management, product management or customer servicing, IA must don a new avatar to deal with emerging new risks.
The tenacity of the tortoise and the pace of a hare will be the combined forces to flaunt for the post pandemic-era internal audit functions. We often talk of clear and present danger. With the pandemic, we all know there is a present danger but it is not very clear how long it’s here to stay or how deep its impact would be on businesses. However, what we know is, a future-ready internal audit team will have to be a lot more nimble in its approach.
IA needs to build some strategic pillars of strength so that the function and the businesses it supports and advices do not buckle under the weight of the crisis. Rapid assurance is the way forward. The insights and assurance not just have to be valuable, but also as rapid as possible. To fast track execution of the new assurance approach, here are the four pillars to build the foundations of a reimagined IA function.
Getting the support of the senior management is critical in this journey. As IA moves forward to understand the business and its COVID-inflicted disruptions, gets a firmer handle on future risks, access to business data to draw the right insights becomes key. And, if there is scant support from business leaders, IA will not be able to shepherd this change. It is, therefore, of prime importance that IA teams get key stakeholders to collaborate and the top leadership accepts this as a shared mission. Without the senior leadership’s open and firm support, IA will have no access to data and will not be able to execute reviews. Support of teams one or two notches below the top business leaders, too, will be ensured if IA has the top leaders’ buy-in. It is for IA to engage with all stakeholders to best support with the provision of assurance.
Agile and IA had so far been somewhat strangers. Traditional auditing was time-consuming, rigid in approach and done in a phased manner. The pandemic leaves no such luxury of time. As businesses rush to align strategies to the pace of disruption unleashed by the COVID-19 crisis, IA teams must embrace agile audit methodologies to get a sense of the business landscape in real time, understand impending changes, implementation requirements, etc. Prioritization of the riskiest assurance areas while managing people is one of the top jobs the IA teams have on their hands now. Doing smaller audits or audits in subsets could bring in a higher degree of agility as businesses look for immediate actionable insights.
IA must learn to live with shorter windows for reviews, insights and action. Be it root cause analysis, crystallizing findings and putting out reports for business to act on, the best armor for IA to usher in rapid assurance is to work on more compressed time schedules. If businesses wait for weeks for IA teams to come back with findings, as in the pre-COVID days, it would be doom and disaster. IA must, therefore, adapt rapid approach to infuse more agility into its working models. Business must be informed as soon as IA identifies control breakdowns to investigate and remediate. Extra assurance will not hurt IA in this new normal.
The pandemic has catapulted internal audit, more than any other function, out of its comfort zone. Remote working was never quite an IA thing. The confidential nature of work, access to classified data and frequent travel to work on these in person, were what auditors were used to until the pandemic struck. The post-COVID era calls for real-time decisions, quick risk assessments and faster actions. And IA must rise to the occasion by transforming its approach. Remote work has also accelerated IA’s technology adoption, especially its reliance on data analytics and artificial intelligence. IA must now lean more on operational data to perform analytics on the business’ data. This will tell auditors what to close, pause, defer or delay. Data analytics can help IA run capacity modelling or even open up capacity for new assurances.