The COVID 19 pandemic has bought unprecedented changes and uncertainties in the in the business environment. It had disrupted lives / labour force, business operations, insolvency risks, resulted in inflation and supply chain. Although the companies are gearing up after a prolong lockdown and uncertainty, from the perspective of internal audit, there are certain additional risks which the internal auditors need to consider while doing the audit of any organization. In most of the cases, it is important to rethink the internal audit strategy, planning and to determine where it focuses its efforts. Even with the roll-out of the vaccines in many countries, the effect of the pandemic and the risk associated with it continues to linger and it may take some considerable time to deal with the same.
In the following section, certain additional risks which are discussed which the internal auditors are expected to consider while auditing organizations post pandemic caused due to COVID-19.
Data & IT security resulting from Work from Home culture
As per the recent survey, the volume of ransomware attacks increased by 150% due to work from home during the pandemic, more than any other kind, as criminals have sought to exploit the migration to remote working for financial gain. Victims also paid 311% more in ransom to have their data and systems decrypted by perpetrators over the same period. It is estimated that among recent ransomware victims, 56% recovered their data via system backups and 26% paid the required ransom to have their data returned. The stated data increases the responsibility of internal auditors to draw the attention of the management to focus their attention towards IT continuity plan and to ensure that the plans are well understood by the staff. The internal auditors can have following areas in their audit program.
- Does the organisation have a cybersecurity strategy or roadmap? If yes, how far has the organisation progressed in achieving this?
- Is there a staff awareness and training programme in place to prevent successful attacks? If yes, are these regularly updated?
- Is a cybersecurity response and recovery plan in place and is it tested?
- Does the organisation make data backups that it can use in the event of an attack? How does the organisation know that the backups are secure?
- What is the organisation's ransomware policy (does it pay up or not?) and are people aware of it?
- Do insurance policies appropriately cover IT security risks? Is incident reporting likely to be fast enough to meet the coverage requirements of insurers for successful claims?
- Is the organisation confident that it won't suffer an attack via its vendors or clients? Why is it confident, e.g. are third parties ISO 27001 certified?
- Does any penetration testing include all areas of the business, including potentially overlooked subsidiaries in non-core markets?
Changes introduced in the laws and regulations to cope with pandemic
The regulatory burden is a perennial risk that stays firmly at the top of business's risk registers, especially for banks and others operating in regulated markets. While internal audit is not usually directly responsible for compliance, for smaller, less mature organisations it may choose to raise flags, highlighting which forthcoming regulations may need to be met. For instance, the frequent change in the deadlines for various compliances and adherence to the working norms which have been introduced due to pandemic. For more mature organisations, internal audit will need to assess the compliance function's work, checking the efficacy of any processes and controls that have been modified to deliver on these emerging requirements. The internal auditors can introduce the following areas in their audit program.
- Is internal audit providing assurance over the translation of relevant sustainability regulations into organisational commitments, policies and plans? Are the plans adequate and are they being delivered?
- Is the organisation aware of its sustainability reporting requirements and is it taking action to address this? Is internal audit or some independent party providing assurance over this reporting?
- Do the data and statements disclosed in non-financial reporting accurately reflect the activities of the company? Could it be reasonably concluded that the company is greenwashing or is it doing what it claims?
- How well developed is the governance around sustainability reporting? For example, are roles and responsibilities clearly defined?
- Does the company have a system of prioritising regulations, whether related to sustainability or otherwise, and does it take an appropriately risk-based approach to managing compliance?
Accelerated digitisation and low-code adoption
The pandemic which has restricted the physical contact has resulted in investment in digitization. Any businesses that previously did not recognize the need to digitalise their operations feels the certainly do now.Citizen development helps to address the shortage of technically skilled workers by empowering non-technical employees to build apps that solve immediate problems. This can help overstretched IT functions unable to keep up with the many demands of the business. In an effort to drive swift change, digitalisation may proliferate unchecked and key controls may not be paid their due attention, increasing security and data privacy vulnerabilities.Internal audit should therefore return to the basics and assess whether any low code app development and usage follows the company's established standards and protocols, including reviews, testing and staged deployment. Internal audit may choose to independently map all digital projects throughout the business and check that this matches the IT function's own mapping of current activities. The internal auditor may include the following in their audit program.
- Is the IT function fully aware of all digitalisation projects and sub-projects underway across the organisation?
- Is the organisation allowing citizen/ end-user development? If so, are access rights and version roll-outs managed to avoid unintentional errors?
- Does current digitalisation activity match the organisation's risk appetite? From a back-to basics perspective, does this digitalisation meet the established standards adopted by the organisation? Are the standards themselves fit for purpose?
- How much oversight do digitalisation projects have from the IT and IT security functions?
- Are agile methods delivering practical results at the expense of risk management? For example, are new applications being sufficiently security tested?
- Is there a programme in place for automatically patching any low-code apps that are in use?
Financial risk and insolvency
For businesses that are cash poor, internal audit's attention may be directed at the treasury or finance function to determine the strength of decision-making processes and that financing or refinancing facilities have been put in place to optimise the capital structure and see the business through. As the earnings distortion caused by the pandemic normalises, the third line can assess whether cash flow forecasting is proving to be accurate again so that the business fully understands its liquidity risk exposure as growth returns. The internal auditors in such organization may concentrate on the following areas:
- What is the business's liquidity risk exposure? Does it have enough cash on its balance sheet to withstand any continued lack of demand and is there an up-to-date and effective cash management strategy?
- Are key business partners still being monitored and is credit insurance in place to cover the potential failure of customers?
- Does the treasury or finance function have clear visibility on what the cash needs of the business will be and a firm grip on cash management?
- Is the company making the most of borrower-friendly financing conditions, e.g. by refinancing existing debts that may fall due soon or securing lower rates? Is a borrowing strategy in place?
- Does the business have access to working capital to be able to scale operations back up as growth returns?
Supply Chain Strains
The present recovery is currently contributing to the new inflationary pressures, but greater risk than the inflation is the supply of critical components which is causing the production delays resulting in revenue losses. If a business is unable to secure vital supplies, then it cannot sell its products. Complicating matters is the unpredictability and unevenness of the economic recovery, which is likely to make demand forecasting a persistent challenge for every link in the supply chain.Supply chain risks will typically be a far higher priority for internal audit functions in businesses that deal in physical goods rather than services, the latter benefiting from scalability.
The internal auditors may include the following areas in the audit program.
- How well is the company currently coping with supply/demand shocks? Were these foreseen?
- Is there evidence of concentration risks, with supplies coming from a small number of vendors or from a single country?
- How well coordinated are procurement and supply chain management functions?
- Is the business reviewing its supply chain strategy, for example moving away from Just-In-Time inventory management?
- Is the supply chain sufficiently flexible such that the business can dial up/down production and source new suppliers when necessary?
- Are the procurement function's planning and forecasting modelling efforts effective?
Have any necessary adjustments been made and are these based on sound data and analysis?
Employee safety
As lockdown measures are eased and more of the workforce returns on-site, health risks will increase as more people occupy shared physical spaces. There are simple practical steps that organizations can take like increasing social distancing, staggering shifts, regularly cleaning communal areas, improving ventilation, and providing hand-sanitising facilities, and these basics should already be well covered. If not, the third line should be raising the flag.
Going deeper, internal audit can form an opinion on how effectively staff and customer safety is being risk assessed on an ongoing basis, in the context of the business's various activities and taking into account the potential for further waves of COVID-19 infections.
Source: Risk in focus _Hot topic for internal auditors published by European Confederation of Institutes of Internal Auditing