Managing your internal audit plan in light of COVID-19.
Although we are a number of weeks into our ‘remote working’ situations, the level of disruption caused by coronavirus has…
20 Apr 20•
My Audit Spot
Although we are a number of weeks into our ‘remote working’ situations, the level of disruption caused by coronavirus has severely impacted businesses in a number of ways. We have previously spoken about how Internal Audit teams may be pulled in a number of directions. Our unique position in the business means we are a great point of call for management when understanding and implementing business continuity arrangements. However, whilst we are busy helping the business in other ways, our own audit plan may become impacted.
A recent poll of our showed that over half of the respondents had to change their annual plan as a result of coronavirus. So, how do you manage change of an annual plan, ensuring that we still provide the audit committee and management with an assessment of the business, whilst not impacting on areas of the business which are largely affected?
We have listed below a few questions which should be considered when changing your annual plan.
Before changing the plan
Prior to changing the plan, we need to consider if our plan is still relevant and appropriate. You might want to ask yourself some of the following questions:
- Have the topics currently included on the plan been impacted because of coronavirus? How have they been impacted? Has our risk assessment of these areas increased?
- What other areas of the business have been impacted?
- What business processes have stopped, changed, or reduced as a result of coronavirus?
- Are there any regulatory requirements we may not been meeting due to the current situation?
- What known issues have already arisen? Are these covered by areas of the plan currently?
By understanding the current environment, what’s changed and what risks exist, we should be able to determine if the current audit plan is appropriate, or if we need to make changes. It’s also important to remember our role in the organisation. Our customers are both the audit committee and management. Our role is to provide independent assurance. Bearing this in mind, what would our key customers want to know and what should we be providing them?
Once we know what should be on the plan, and what changes we need to make, we need to consider the following:
- What are our current resourcing constraints?
- Are there any limitations to what we can do? Are there restrictions to accessing data or performing analytics?
- What is managements availability to engage with us? Are there alternatives?
Through these questions, we should be able to understand our ability to deliver any new or revised audit plan.
Revising the plan
Typically, when revising the plan, a consultation process would be undertaken to ensure that management and the audit committee all have input into the new plan. This may not be entirely feasible, however every effort should be made to communicate with these key stakeholders.
Where proper consultation cannot occur, audit teams should consider a rolling plan. This could result in audit’s being temporarily deferred whilst new audits added to the plan where risk is considered much higher. The rolling plan can then be revised monthly or quarterly and communicated formerly during audit committee meetings. Again, managing risk and providing assurance is our key priority, and if audit believes that there is significant risk within a particular area of the business, resources should be dedicated to this as appropriate.
Such situations are a great way to remind audit teams of the Internal Audit Code of Practice!
Communicating with business areas
Business areas are already likely under a huge amount of stress, and as such, its important to communicate with them openly and honestly. We want to reduce any additional stress or burden on them as well as manage our relationship with them, however need to perform our work. A few key items to consider when communicating with the business area:
- Know what you want to do. Have an understanding of the scope, objectives and risks associated with the audit.
- Understand their impacts. Are they down team members? Have they lost resources, etc? Understanding this will help us develop a practical test program. There is no point testing items or taking up their valuable staff time if we know they are no longer doing a process. E.g. If payroll is no longer being reviewed before being paid because there is nobody available to review it (i.e. segregation of duties issues), then there is no point auditing it. We already have a finding.
- Know key timeframes. What audit committee are we reporting to? What deadlines do they have (i.e. keeping with our payroll example, there is no point doing fieldwork in the week leading up to payday).
- Communicate the plan. Show the business area the audit plan and how and why we have deciding on the timing for the review. This will show how we have considered their issues, issues with other business areas, and our own internal timing / resourcing issues.
Above all, audit teams should be pragmatic and sensible when changing the audit plan. Audit teams should also be sensitive to the issues being encountered by audit teams, however should not be afraid to raise and discuss findings. A such, its important that audit executives and managers ensure their teams are reminded of the need to remain professional and objective throughout their audits.
Share your thoughts on changes to an audit plan in the comments below.