Like nearly every other profession in the business world, internal auditing (IA) has been forced to cope with the extraordinary environment brought about by COVID-19. Skills and tools that IA has been adopting gradually over the past several years suddenly become critical for successful performance. And perhaps none is more critical than Agile auditing.
As part of our ongoing Enterprise Resilience webinar series, we examined the advantages of Agile auditing in this particularly challenging time in a recent webinar, Applying an Agile Mindset and Auditing in a Dynamic Environment. Our discussion dealt with three basic areas: What internal auditors need to do right now; what challenges they are likely to face in the short term; and what to look forward to in the long term, when the crisis is behind us but reality may be different.
With regard to immediate needs, the question we as internal auditors are asking ourselves right now is, “How can we be most helpful at this moment?” We have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
Clearly, this involves a role change from the traditional IA model of developing checklists, evaluating data and formulating risk assessment. Instead, the internal audit voice now finds itself at front-line meetings more frequently. Auditors should put aside worries about violating independence standards for internal audit when providing consulting to the second and first lines of defense and see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
The immediate demands of IA also include how we deliver reporting. Directors and executives now require a higher level of risk management visibility across the organization. Here too, agility can play a role. Using flexibility and transparency as guiding principles, auditors should develop adjustable channels to stay more closely connected to leadership, with an emphasis on data delivery, stress testing and analysis.
While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves. Many of the newer risks center on the distributed workplace and how it affects organization and governance.
To be sure, it’s a big challenge for IA to keep up with the demands of the moment. But it is also an opportunity, driven by an immediate need, for auditors to engage with other departments on a more integrated level, and to help spread the use of new digital tools, such as data mining and artificial intelligence. These are capabilities that many Agile auditors have in their toolboxes but they are often lacking in the larger organization, so this is an opportunity to socialize the Agile mindset and toolbox while drawing on their benefits.
Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing. As we noted in the webinar, the initial shock and awe of the crisis has passed, though much of the economy remains in the response phase. But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
It is at this point that internal auditors may need to re-think their risk assessment frameworks. For example, in view of the current strain on supply chains, there might be a need to re-assess third-party risk. Auditors might also want to look at other areas that came under stress during the crisis, such as cash management and inventory control, and reassess how they are tracked.
On another level, internal auditing needs to communicate to the organization’s leadership how changed business priorities affect the risk profile of the organization as it moves through different phases of the crisis cycle. It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. Velocity, duration, speed – all this creates new risk dimensions for internal audit to consider and underscores the need for dynamic and iterative approaches as opposed to the linear, predictable audit planning of prior years.
The recovery phase is also an opportune time to ensure that organizations are more resilient to big-impact risks in the future. The leadership may feel, after the uncertainty subsides, that they’ve weathered the crisis of the century and that it’s time to get back to managing more normal risks. But the truth is that black swan events occur much more often than one might think. In the past several years, there have been any number of major crises that had significant, though geographically more limited impact – other viruses and diseases, the Japanese tsunami and the Great Recession of 2008 come to mind. Auditors need to point this out and establish risk frameworks for dealing with such events.
Perhaps the most consequential activity of the post-recovery phase is analyzing and documenting the lessons learned. How well did IA do during the crisis and how might its future role be improved? As with other aspects of Agile auditing, this is best done in an integrated manner, involving as many departments as possible. Doing so creates company-wide acceptance for an Agile internal audit function as it moves the risk management capabilities of the organization forward.
One key area of learning should be how well the company used rapid deployment of cross-functional teams. Such information would enable auditors to establish new models of engaging with stakeholders, reporting findings and compressing the time-to-value period of analyses.
Another key area of analysis should be the use of data and digital tools, as well as the accessibility of leadership to real-time dashboards.
And finally, the post-crisis analysis should focus on the continued introduction of new digital mindsets and technology throughout the organization, including the IA function. As both experts and non-experts have observed, companies that were further along the digital curve tended to be less devastated by the COVID-19 crisis, and even used it as an opportunity to take a clear lead. The crisis and its aftermath are a great opportunity for internal audit to highlight the risk of remaining a digital laggard and move the organizations higher on the digital maturity curve.
Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.
Access the free on-demand version of our webinar here.
Thank you for sharing this. Please see how I have extended the points in https://normanmarks.wordpress.com/2020/05/22/should-we-audit-at-the-speed-of-risk/