The COVID-19 pandemic has shaken up the entire business world whilst impacting almost any industry, organisation and operational function. Internal audit (IA) and controls are not an exception. In this quick guide, we review some of the best practices and considerations for IA teams to adapt to the new normal.
The COVID-19 pandemic has shaken up the entire business world whilst impacting almost any industry, organisation and operational function. Internal audit (IA) and controls are not an exception. With remote working becoming the norm, organisations are facing an increasing number of operational risks and challenges, which has put some greater pressure on IA teams to:
quickly adapt to the new working environment,
ensure compliance during the transitional, recovery phase, and
provide some direction for the future.
Below are some of the best practices and considerations for IA to respond to the new normal.
3 risk factors for organisations post-COVID
Before we look at some of the best practices for IA in the post-COVID environment, we’ll briefly outline the 3 key risk factors driving those considerations.
Due to the COVID-19 pandemic, many regulatory authorities have altered various laws and regulations in aim to strengthen the economy and facilitate businesses’ recovery. This creates an extra burden for internal auditors who need to constantly keep up to date with any key regulatory changes and ensure the organisation remains compliant at all times.
Whilst remote working facilitated business continuity during the pandemic, it also created some new opportunities for fraudsters to exploit any weaknesses in operational controls (e.g., no clear visibility of control breaches, reduced inventory or data control, no clear control managing responsibilities and accountability). KPMG has identified some of the most common control-related frauds:
Misconduct by employees for personal financial gain
Manipulation of financial results to comply with covenants
Bypassing transaction controls, or forging of the necessary approvals
Non-execution of approved transactions for personal or professional gain
Processing of fraudulent claims for personal gain, or to benefit a known party
Stay on top of the latest governance, regtech and innovation trends and insights!
Performance and reporting
Remote working further increased the need for greater management oversight as key responsibilities like monitoring, measuring and reporting on the financial and operational health of the organisation can be easily overlooked.
This brought some more pressure on the IA function, which has the responsibility to ensure the accuracy, completeness and adequacy of reporting in key areas like; Revenue, Liquidity, Cash-flow, Procurement and transactions, Inventory, etc.
Best practices and tips for managing internal controls post-COVID
To tackle the above mentioned risks and build a strong and resistant internal control environment post-COVID, KPMG recommends IA to consider implementing any, if not all, of the below critical areas:
Adopting a digital sales process and onboarding
Managing liquidity risk (incl. cash flow forecasting and working capital)
Ensuring business continuity (remote working setups and policies, digital communications, etc.)
Increasing governance over remote working and mitigate the risk of cyber fraud and breaches
Navigating vulnerable customers and facilitating the sales and customer services processes remotely
Ensuring the effectiveness of financial controls in the new remote environment
Looking at the internal function, in particular, KPMG has also proposed the following 7-step approach for internal auditors to adapt and continue to provide valuable insights and assurance to their organisations in the post-COVID world:
Define and prioritise the critical controls required to reduce fraud, compliance, and performance and reporting risks
Identify who has responsibility for monitoring new critical controls arising from the “new normal” (e.g., work-from-home arrangement)
Assess the impact of changes on internal controls and revisit organisational structure, if required
Identify and leverage on lessons learnt from the crisis to further improve the internal control system
Enhance auditors’ capabilities and fill any knowledge gaps
Identify and evaluate the emerging risks in the aftermath
Adopt additional technology to increase security and efficiency, and automate business processes
Working in internal audit? How have you adapted your processes and organisation post-COVID? Share your experience in the comments below.
Still using paper-based checklists or excel spreadsheets to manage your internal risks and controls?
ControlNet helps you automate the process, and create an efficient, accountable and secure operational environment.