Coronavirus: Business not as usual...and that applies to Internal Audit as well
Covid-19 has reinforced, again, the problem with a "failure of imagination" in many risk management processes.
A failure of imagination was one of the key learnings from the 9/11 tragedy, and it looks like many organisations have found themselves with a similar problem with Covid-19, and all its knock-on impacts. It may not be a big priority right now, but all organisations who have felt blind-sided by what has happened should be prepared, at the right time, to take a long hard look at their risk management processes.
What other risks are there where we might be thinking “that will never happen”? How do we make sure we prioritise impact over probability? How good is your organisation in thinking through the knock-on consequences of one risk on other aspects of its operations?
A new coronavirus was first identified on 31st December 2019; when did it start to get on your organisation's radar screen?
CNN have done a great timeline of Covid-19: https://edition.cnn.com/2020/02/06/health/wuhan-coronavirus-timeline-fast-facts/index.html
Key points include:
11th January 2020: First death
16th January 2020: In Japan
17th January 2020: Selective screening in the US
21st January 2020: First case in the US
23rd January 2020: Emergency committee of WHO formed
29th January 2020: White House task force
30th January 2020: Person to person transmission in the US
2nd February 2020: First death outside of China (in the Philippines)
14th February 2020: Covid-19 found in Egypt
The evolving news story has been well publicised across the world and was effectively an early warning that a pandemic might happen and could have prompted organisations to look at their business continuity arrangements.
So, when, in fact, did your organisation start to make preparations in earnest? Are there other areas where more attention could be paid to early warning signals?
Are past assurances given about continuity arrangements proving to be too positive?
Hopefully most organisations are working flat out to prepare themselves for Covid-19 and double-checking past plans and assurances. If these are proving to be too positive, and are needing to be revisited, it would suggest that the amount of assurance that is being given needs to be thought about more carefully. This may apply to back-up plans for payroll and IT and home-working as well as third party suppliers and service providers.
When you ask others for assurance, have you defined what assurances you are expecting in terms of service levels – and what assumptions have been made about staffing levels, etc.?
When you look at arrangements relying on third parties, what do the contractual arrangements say; are there any “force majeure” clauses and are you clear about fall back contact/emergency cover details?
Whilst organisations need to be pragmatic and flexible to “fight fires” now, how do we ensure we won’t cut corners we will regret in 3-6-12 months’ time?
If there is a crisis, a fire, let’s put it out. This means organisations may need to adopt the 80/20 rule in many areas – “good enough will be good enough”, but how clear is the organisation about areas where compromises to standards should not be made? This could be in relation to treating customers fairly, or in relation to certain data security and other control processes; otherwise cuts in these areas will just lead to other problems and surprises shortly or in some months’ time.
Are we clear which aspects of our operations can be good enough with the 80/20 rule and which activities need to continue to be delivered to the highest standards? What record will be kept of where corners are being cut, so we have visibility of this? What are the areas where we have zero tolerance to short-cuts?
Turning to Internal Audit
What adjustments are needed to the audit plan?
This is the obvious one - any planned audits that are not business critical should probably be seriously challenged and/or postponed, since there are undoubtedly key risks/new projects where Internal Audit’s skills could be invaluable, either to assure progress of business critical continuity plans, or to advise on process changes that will maintain operations and compliance where fewer staff are available.
Heads of Audit should urgently clarify with Senior Executives and Audit Committee which audits should continue and which should be postponed, as well as the key areas it might be sensible for Internal Audit to get involved in. One good practice is to have P1 audits on the plan which cannot be sacrificed and P2 which are nice to have.
Also, do not forget the option of seeking “direct assurance” from project managers/executives to the executive/Audit Committee on progress in certain areas. Here IA could be asked to do “follow-on” assurance if there are any key areas of concern about what is being said and done.
Of course, adjustments to the audit plan should factor in possible staffing shortages in the audit team, as well as arrangements for remote working/direct access to systems as much as possible.
Assignments should focus on just the key exam questions
With everything going on at the moment, it is crucial that audits do not progress per business as usual. Ask tough questions about which scope areas are really essential to be covered (particularly in areas not linked to Covid-19) and focus only on these. Few business managers will have an interest in “nice to have” matters for the next 3-6-9 months. Likewise, audit reports should recommend that only the most critical issues are remediated; anything else will likely be challenged with “you auditors are not living in the real world”.
Look at open issues and the follow-up process
There are two key considerations. With everything else that’s going on, consider the number of open audit issues and determine which really must be remediated, notwithstanding Covid-19. Based on this, engage key stakeholders on two key points:
- Which lesser issues should probably be deferred given everything else that is going on?
- How to make sure critical issues will be remediated, even if there are staffing and other disruptions.
And, of course: Adopt lean and agile ways of working/reporting etc. so that the internal audit team can speed up the way it delivers.
In summary, although Covid-19 poses many fundamental challenges to organisations, it also provides a very important opportunity for Internal Audit to “step up to the plate”, so I hope you are working on these issues with your audit team and key stakeholders.
Finally, my thoughts go out to all of you in these unsettling times.
James C Paterson is a former CAE, consultant and author of “Lean Auditing”. jcp@RiskAI.co.uk / www.RiskAI.co.uk