Learn what’s on auditors’ minds now and what’s around the corner as shelter-in-place becomes normalized and organizations begin looking toward post-pandemic measures. AuditBoard’s Ben Lindner and CrossCountry Consulting’s Heather Stewart share key points from their recent roundtable with West Coast audit leaders.
Audit Challenges During COVID-19
As the rapid response that characterized the COVID-19 pandemic’s early days has shifted into somewhat more familiar habits, we brought together a group of West Coast audit leaders in late April 2020 to share their perspectives at this point in time: when teams are working remotely, but states and companies are taking different approaches to deciding when and how to lift shelter-in-place restrictions. We’ve collected some of the highlights to share with the wider audit community who may find themselves confronting similar issues.
Audit Leaders’ Perspectives on Addressing Pandemic Impacts
In the article below, we’ve documented audit leader perspectives on addressing pandemic impacts to the business and internal audit, how this experience working remotely will change internal audit operations going forward, as well as current top-of-mind concerns and future expectations for internal audit coming out of this pandemic crisis. We would like to offer our sincere appreciation to the audit leaders who took the time to share their experiences to help progress the profession during this time of continuing uncertainty.
1. At this point, how has the pandemic impacted the business and your internal audit team?
Some of the audit leaders present at the roundtable were at Silicon Valley tech companies, and while they had made some changes due to work-from-home measures and other effects, they had not experienced significant impacts to business or internal audit operations. Several reported having increased audit activities around pandemic-related risks.
- Consensus among roundtable attendees was that there had not been significant changes to internal controls, though there were changes to the types of documentation provided by control owners who had previously relied on physical evidence. Electronic documentation and finding alternative procedures — for example, to do confirmations on inventory — have required inventiveness and adaptability by both control owners and auditors. One best practice that emerged was to reach out to your external auditor to proactively discuss changes to your usual control activity.
- If you’re in an organization that doesn’t have a mature Business Continuity Program, this is the opportunity for internal audit to be a catalyst to help facilitate and accelerate those discussions to get the necessary investment mindshare. Now is a great time to use some of that bandwidth and management attention to move the ball forward. One auditor noted that internal audit can play an important advisory role to prevent the development of an overengineered BCP program, and instead establish a framework that can be flexible or agile to fit whatever event arises.
- Several attendees reported hiring freezes or postponements due to the pandemic. One noted that they were still proceeding with the interview process using Zoom interviews instead of in-person interviews. However, their company’s HR has warned that they can’t bring anyone on board because local court systems are shut down and they can’t do a background check — certainly not business as usual.
“We’re an infrastructure construction company, and we’re considered one of the essential businesses so we’re still operating for the most part. We’re a decentralized company, with large construction projects all over the US. A big part of our audit plan involves being on site and talking to project management, which has obviously been impacted by our no travel policy for these last couple of months. From an audit and SOX activities perspective, I don’t think the pandemic has necessarily shifted priorities, though it has shifted timing. We went through the risk assessment process a couple months ago for our annual plan, and while the situation is different, a lot of the priorities on the plan remain relevant. In terms of timing, we wouldn’t have typically started Q1 SOX testing this early, but we don’t want to take our eye off the ball from a key controls perspective with everything going on. Our audit plan also includes some audits that look at business processes across different groups, and we’ve moved some of that internal planning and risk assessment forward. It’s time that was factored into the audit plan, but we simply moved the timing of that up and now we can hit the ground running when we’re able to get on site again. Also, we just signed with AuditBoard at the beginning of this year and had been planning to wait until mid-year to implement SOXHUB, but we decided to move that forward as well and kickstart the process now while we’re all remote so we’ll be ready to go once we’re back in the office.”
— Douglas Block, Vice President, Internal Audit at Granite Construction
2. How has the shift to remote work impacted the corporate culture, or the culture of control compliance?
Many audit teams in attendance reported having some degree of prior experience with working remotely — either because certain members are geographically dispersed or because the team was already entirely remote. This made it relatively easy for internal audit to pivot to working from home, though teams employed a range of strategies to maintain the experience of personal interaction and to address additional complications from remote work.
- Several auditors noted that having control owners working remotely created an additional execution risk to the SOX program. There is concern that when people are working from home, there is an increased chance of error from performing a control under different circumstances than is typical, or from having other business concerns take precedence over proper control operation. If your audit team hasn’t already reached out to control owners, now is a good time to confirm that controls are being performed correctly and provide additional guidance. Teams that had leveraged technology to remind their control owners to perform their controls on time found that they were able to get ahead of control weaknesses during the pandemic.
- Several auditors noted that we’re starting to hit the fatigue factor as everyone’s gotten over the novelty of being at home. This duration is taxing, and many expect a new set of elements to emerge over the upcoming weeks as people get tired of being at home and perhaps more lax in performing their work duties.
- As many of us have found these past weeks, it’s a different experience engaging with a frozen image or a blank screen versus engaging with someone via video. Not everyone is comfortable being on video, but one auditor anticipates that once people return to the office, there may be increased expectation that remote employees will be prepared to use video during meetings.
“We had already seen a trend in different countries and all over the U.S. to push for more work from home prior to this crisis, and obviously COVID-19 is going to accelerate that trend. We have to help the business think through what parts of the organization can reasonably work remotely in the future and what parts just can’t because the value add comes from having these people sit together. From an audit standpoint, one of the things that’s on my radar is looking out over the next year, regardless of when this resolves, is thinking through areas of increased risk not only internally, but also with third party vendors. How are you going to be able to gauge velocity, capacity, and so on? How do you judge morale impact to employees? We already had some third party vendors that are completely distributed, and they’re more difficult to assess — I think we’ll see more of this model going forward, so how do we prepare? These are the types of increased risk areas both internally and with third party vendors that I expect are going to have an impact over the next 6 to 12 months.”
— Keith Williams, Director, Global Audit at Electronic Arts (EA)
“You might think we’d have an easy transition to a virtual workforce because we’re an all-digital company, but having the capacity for employees to work remotely is different than requiring every employee to do so, and in a very short timeframe. For instance, the ability to meet increased demand and security protocols of virtual private networks (VPN) with the instantaneous ramp up of everyone working from home had to be assessed. Internal audit had to pivot and validate effective management of VPN capacity, sufficiency of vendor licenses to cover spike in usage, and potential vulnerabilities that could be introduced via team members’ home networks. Another issue is the rise in phishing attacks — increased training and awareness were key defenses in protecting our assets with everyone working from home.”
— Lisa Violet, Chief Auditor at Varo Money, Inc
3. What are your top-of-mind concerns at the moment, and expectations going forward?
We asked the assembled audit leaders what’s on their minds now, and what impacts they expect to see in the coming weeks and months. Areas where internal audit can have an immediate as well as long-lasting impact included taking an advisory role in anticipating risks associated with the pandemic response and return-to-work strategy, as well as spearheading the creation or improved maturity of a business continuity plan.
- One area where internal audit can be impactful is by taking on a consultative role with pandemic response efforts. Some organizations had not directly involved internal audit in their pandemic task force, but kept audit in the loop and sought out their input. Several audit leaders had a seat at the table to listen in and see if any decisions being made would lead to new risks that should be considered in the ERM program. Teams with risk assessment technology in place benefitted from being able to pivot quickly to not only identify, but also rapidly assess new and emerging risks. One example discussed was the increased cybersecurity risk that working from home may pose — based on rapid identification, internal audit can discuss with IT and the CISO how to mitigate the risk of breaches.
- When COVID-19 hit, one audit leader did a quick risk assessment of pandemic-related matters and presented it to senior management and the Audit Committee, who were very appreciative. They then added audit projects not originally in the audit plan around increased pandemic risk factors such as fraud, which tends to go up when people experience financial stress. A few attendees mentioned the importance of taking advantage of the opportunity to promote a risk focus across the organization, and appeal to leadership for increased support based on the proven need for innovation in the audit space.
- The teams discussed the change in mindset required for assessing not only one singular event occurring, but the impact of multiple compounding events occurring at one point in time. The leaders challenged risk assessment as it’s known today, and mentioned that a more holistic approach may need to be taken in the future.
- Multiple audit leaders reported that they are shifting focus to the projects they can complete from home, and are putting projects that require or would benefit from person to person interaction on hold for the time being. They also reiterated the importance of maintaining an agile audit program and the ability to shift resources to planning activities and pre-work that can be done remotely. Teams that leverage audit technology to facilitate collaboration and communication have found that they have been able to maintain high levels of efficiency across their teams, including rapidly identifying areas to adjust the audit plan to continue to meet objectives for audit effectiveness while physically out of the office.
- Looking ahead to the end of work from home requirements, some auditors reported that their companies are concerned about having people return to the office and then get sick — many are preferring to have people who can work from home continue to do so. Some audit teams are taking a phased approach, setting expectations now that audit will be one of the last teams to come back. Others are making a decision to embrace this new COVID-19 virtual world, and are taking the opportunity to build more adaptability into the function. They are considering having audit teams work more flexibly and remotely on a go-forward basis, changing the model of how internal audit can and should operate.
“We govern our COVID-19 response as part of business continuity — it is multifaceted, cross functional, has audit engagement upfront, with reporting up to the Board. Our process considers the short term, medium, and longer range ramifications of this neo-event. In the immediate term, I would say one area where we doubled down and were distinguished was Communications. This came through being true to Varo’s mission and purpose. As circumstances and the broader macro socio and economic factors evolved, we challenged ourselves continuously, and hyper focused our actions and message to the needs of our customers. In the medium term, we can’t say with certainty what recovery will look like. Yet we have stress tested our business outlook and plan. One role that audit plays is to challenge assumptions and accuracy of the forecast so that the Board gets an independent view of the reasonableness of the business plan post COVID-19. Also, audit is uniquely positioned as an independent observer to synthesize all the different points of view and information available to bring valued insights and range of practices to stakeholders as they make informed decisions. I also think that audit helps the company look around the corner, for while this pandemic is all consuming right now, other high impact or knock on events can emerge.”
— Lisa Violet, Chief Auditor at Varo Money, Inc
“One topic for us right now is the return to work strategy. There’s a lot of discussion internally about what our process and guidance to our people should be. When quarantine is lifted in different locations, that doesn’t necessarily mean we’re going to send everyone immediately back to work. We have to be cognizant of the fact that some people are high risk and some will be very concerned about the situation. If we were to mandate that people return to work, what risks does that open us up to if someone gets sick from being in the office? I think we’re likely to end up with management discretion and the guidance to continue to work from home if you’re able to until the situation settles down.”
— Douglas Block, Vice President, Internal Audit at Granite Construction
From impacts on the larger economy to the effects of working remotely, COVID-19 has had and will continue to have an impact on how internal audit teams will complete their work. Teams who leverage technology that’s purpose-built for internal audit will be more effective and efficient no matter where they — or their key stakeholders — are working. As organizations continue to move forward through this pandemic crisis, internal auditors have an opportunity to step up to show the value-added role they provide in helping support the organization’s continuity efforts and business objectives during these still-uncertain times.