top of page

Best practices for managing internal controls post-COVID

The COVID-19 pandemic has shaken up the entire business world whilst impacting almost any industry, organisation and operational function. Internal audit (IA) and controls are not an exception. In this quick guide, we review some of the best practices and considerations for IA teams to adapt to the new normal.

Best practices for managing internal controls - Banner


The COVID-19 pandemic has shaken up the entire business world whilst impacting almost any industry, organisation and operational function. Internal audit (IA) and controls are not an exception. With remote working becoming the norm, organisations are facing an increasing number of operational risks and challenges, which has put some greater pressure on IA teams to:

  • quickly adapt to the new working environment,

  • ensure compliance during the transitional, recovery phase, and

  • provide some direction for the future.

Below are some of the best practices and considerations for IA to respond to the new normal.

3 risk factors for organisations post-COVID

Before we look at some of the best practices for IA in the post-COVID environment, we’ll briefly outline the 3 key risk factors driving those considerations.

Regulatory compliance

Due to the COVID-19 pandemic, many regulatory authorities have altered various laws and regulations in aim to strengthen the economy and facilitate businesses’ recovery. This creates an extra burden for internal auditors who need to constantly keep up to date with any key regulatory changes and ensure the organisation remains compliant at all times.


Whilst remote working facilitated business continuity during the pandemic, it also created some new opportunities for fraudsters to exploit any weaknesses in operational controls (e.g., no clear visibility of control breaches, reduced inventory or data control, no clear control managing responsibilities and accountability). KPMG has identified some of the most common control-related frauds:

  • Misconduct by employees for personal financial gain

  • Manipulation of financial results to comply with covenants

  • Bypassing transaction controls, or forging of the necessary approvals

  • Non-execution of approved transactions for personal or professional gain

  • Processing of fraudulent claims for personal gain, or to benefit a known party


Stay on top of the latest governance, regtech and innovation trends and insights!


Performance and reporting

Remote working further increased the need for greater management oversight as key responsibilities like monitoring, measuring and reporting on the financial and operational health of the organisation can be easily overlooked.

This brought some more pressure on the IA function, which has the responsibility to ensure the accuracy, completeness and adequacy of reporting in key areas like; Revenue, Liquidity, Cash-flow, Procurement and transactions, Inventory, etc.

Best practices and tips for managing internal controls post-COVID

To tackle the above mentioned risks and build a strong and resistant internal control environment post-COVID, KPMG recommends IA to consider implementing any, if not all, of the below critical areas:

  • Adopting a digital sales process and onboarding

  • Managing liquidity risk (incl. cash flow forecasting and working capital)

  • Ensuring business continuity (remote working setups and policies, digital communications, etc.)

  • Increasing governance over remote working and mitigate the risk of cyber fraud and breaches

  • Navigating vulnerable customers and facilitating the sales and customer services processes remotely

  • Ensuring the effectiveness of financial controls in the new remote environment

Looking at the internal function, in particular, KPMG has also proposed the following 7-step approach for internal auditors to adapt and continue to provide valuable insights and assurance to their organisations in the post-COVID world:

  1. Define and prioritise the critical controls required to reduce fraud, compliance, and performance and reporting risks

  2. Identify who has responsibility for monitoring new critical controls arising from the “new normal” (e.g., work-from-home arrangement)

  3. Assess the impact of changes on internal controls and revisit organisational structure, if required

  4. Identify and leverage on lessons learnt from the crisis to further improve the internal control system

  5. Enhance auditors’ capabilities and fill any knowledge gaps

  6. Identify and evaluate the emerging risks in the aftermath

  7. Adopt additional technology to increase security and efficiency, and automate business processes

Working in internal audit? How have you adapted your processes and organisation post-COVID? Share your experience in the comments below.


How to manage internal controls - Whitepaper Banner


Still using paper-based checklists or excel spreadsheets to manage your internal risks and controls?

ControlNet helps you automate the process, and create an efficient, accountable and secure operational environment.



bottom of page