Many audit teams in attendance reported having some degree of prior experience with working remotely — either because certain members are geographically dispersed or because the team was already entirely remote. This made it relatively easy for internal audit to pivot to working from home, though teams employed a range of strategies to maintain the experience of personal interaction and to address additional complications from remote work.
“We had already seen a trend in different countries and all over the U.S. to push for more work from home prior to this crisis, and obviously COVID-19 is going to accelerate that trend. We have to help the business think through what parts of the organization can reasonably work remotely in the future and what parts just can’t because the value add comes from having these people sit together. From an audit standpoint, one of the things that’s on my radar is looking out over the next year, regardless of when this resolves, is thinking through areas of increased risk not only internally, but also with third party vendors. How are you going to be able to gauge velocity, capacity, and so on? How do you judge morale impact to employees? We already had some third party vendors that are completely distributed, and they’re more difficult to assess — I think we’ll see more of this model going forward, so how do we prepare? These are the types of increased risk areas both internally and with third party vendors that I expect are going to have an impact over the next 6 to 12 months.”
— Keith Williams, Director, Global Audit at Electronic Arts (EA)
“You might think we’d have an easy transition to a virtual workforce because we’re an all-digital company, but having the capacity for employees to work remotely is different than requiring every employee to do so, and in a very short timeframe. For instance, the ability to meet increased demand and security protocols of virtual private networks (VPN) with the instantaneous ramp up of everyone working from home had to be assessed. Internal audit had to pivot and validate effective management of VPN capacity, sufficiency of vendor licenses to cover spike in usage, and potential vulnerabilities that could be introduced via team member’s home networks. Another issue is the rise in phishing attacks — increased training and awareness were key defenses in protecting our assets with everyone working from home.”
— Lisa Violet, Chief Auditor at Varo Money, Inc
We asked the assembled audit leaders what’s on their minds now, and what impacts they expect to see in the coming weeks and months. Areas where internal audit can have an immediate as well as long-lasting impact included taking an advisory role in anticipating risks associated with the pandemic response and return-to-work strategy, as well as spearheading the creation or improved maturity of a business continuity plan.
“We govern our COVID-19 response as part of business continuity — it is multifaceted, cross functional, has audit engagement upfront, with reporting up to the Board. Our process considers the short term, medium, and longer range ramifications of this neo-event. In the immediate term, I would say one area where we doubled down and were distinguished was Communications. This came through being true to Varo’s mission and purpose. As circumstances and the broader macro socio and economic factors evolved, we challenged ourselves continuously, and hyper focused our actions and message to the needs of our customers. In the medium term, we can’t say with certainty what recovery will look like. Yet we have stress tested our business outlook and plan. One role that audit plays is to challenge assumptions and accuracy of the forecast so that the Board gets an independent view of the reasonableness of the business plan post COVID-19. Also, audit is uniquely positioned as an independent observer to synthesize all the different points of view and information available to bring valued insights and range of practices to stakeholders as they make informed decisions. I also think that audit helps the company look around the corner, for while this pandemic is all consuming right now, other high impact or knock on events can emerge.”
— Lisa Violet, Chief Auditor at Varo Money, Inc
“One topic for us right now is the return to work strategy. There’s a lot of discussion internally about what our process and guidance to our people should be. When quarantine is lifted in different locations, that doesn’t necessarily mean we’re going to send everyone immediately back to work. We have to be cognizant of the fact that some people are high risk and some will be very concerned about the situation. If we were to mandate that people return to work, what risks does that open us up to if someone gets sick from being in the office? I think we’re likely to end up with management discretion and the guidance to continue to work from home if you’re able to until the situation settles down.”
— Douglas Block, Vice President, Internal Audit at Granite Construction
From impacts on the larger economy to the effects of working remotely, COVID-19 has had and will continue to have an impact on how internal audit teams will complete their work. Teams who leverage technology that’s purpose-built for internal audit will be more effective and efficient no matter where they — or their key stakeholders — are working. As organizations continue to move forward through this pandemic crisis, internal auditors have an opportunity to step up to show the value-added role they provide in helping support the organization’s continuity efforts and business objectives during these still-uncertain times.