SOX risk assessment

Assessing Risk in Dynamic Times: Challenge Brings Opportunity to Internal Audit

Edna Lopez, Managing Director Internal Audit and Financial Advisory
Lauren Brown, Managing Director Internal Audit and Financial Advisory

COVID-19 has thrown a wrench into business operations around the world. Workplaces once teeming with workers sit empty as staffs have worked from home for the last several weeks. Considering the fact that major organizations have announced that remote working could become permanent for some of their employees, business won’t return to the “old normal” anytime soon, if ever.

The disruption is particularly challenging for internal auditors performing risk assessments. Along with that challenge, however, has come the opportunity to shape the “auditor of tomorrow,” a next-generation internal audit model that encompasses governance, methodology and enabling technology.  

As discussed in a recent Protiviti webinar, Focusing on the Risk Assessment Process in a Dynamic Environment, organizations and internal auditors are on a journey to not only think about urgent matters that need attention today but also determine what’s on the horizon and beyond. In other words, what do businesses and auditors need to plan for “now,” as well as “next” and “eventually”?


Internal auditors today are illustrating the strengths of agile and targeted risk assessments in an unanticipated and fluid environment. In this climate, auditors have the task of uncovering immediate risks related to the changes wrought by COVID-19. These threats,  span the breadth of organizations and include risks related to keeping systems secure while employees are working from home, the mental health and well-being of employees, and meeting compliance obligations in a distributed environment, to name a few.

Utilizing targeted risk assessments to identify threats in a time of crisis can deliver more meaningful and valuable results to stakeholders than static internal audit programs. As a result, they can set the stage for discussions about regulatory changes or compliance, as well as emerging or heightened risks, and what immediate actions can be taken to address them.


Internal auditors can employ flexible risk assessments to continuously monitor an organization’s various operations and identify matters that require attention next, or at least soon. In fact, discussions to employ this strategy are already happening in corporations that recognize the benefits of continuous monitoring. The practice allows internal audit to more quickly and accurately determine where organizations should focus attention and resources to improve processes, address risks, make corrections and launch goal-achieving initiatives.

Technology plays a pivotal role in effective continuous monitoring, and organizations are increasingly – and predictably – adopting emerging innovations to facilitate the strategy. In Protiviti’s latest annual top risks survey, audit executives across a range of industries worried that a failure to fully utilize technology could hamper competitiveness. The pandemic environment has already amplified the need to adopt new digital solutions – and many are likely to remain even after social distancing expectations begin to ease.

Advanced data analytics already are being leveraged by many organizations to allow internal auditors to more effectively map out action plans, make better inquiries into the various owners of risk and processes, and improve how, when and where audits are conducted. During the pandemic, internal audit task forces have used such data to inform and test the value of key risk indicators and, in some cases, recalibrate the indicators to better align with the data that’s available.

Additionally, process mining is becoming a key differentiator for internal audit programs, particularly in a work-from-home environment. Process-mining technology provides auditors with critical insight into how systems and processes are operating in those situations and identifies where deviations may be occurring.


At some point, this crisis will end, and a rebuilding phase will begin as we arrive at what people keep referring to as “the other side.” As workers transition to a more familiar routine, auditors can use risk assessments to prepare the internal audit plan and ensure that organizations remain compliant with local government rules related to social distancing and other guidelines. The internal audit function can also enhance the success or repositioning of project delivery, an area impacted heavily by the pandemic. Perhaps most important, the audit plan needs to provide executives with confidence that it can accurately assess an organization’s financial sustainability and any underlying risk.

Going forward, chief audit executives (CAEs) need to ensure that they’re in a position to respond to the emerging needs and new strategies identified by a corporation’s senior management and board of directors. CAEs need to assess the information they’re communicating to determine its timeliness and relevance to stakeholders. Does it address their challenges, strategies and objectives, for example, and is it presented in a language or format that they can understand?

There’s little doubt that CAEs have amassed goodwill by demonstrating internal audit’s value in response to COVID-19, and they can further leverage it to get a seat at the decision-making table. It is there that they can move beyond an assurance role and display the value of their consulting and advisory skills.

For a full, in-depth discussion of risk assessment in a dynamic environment, register to listen to the free on-demand version of our webinar here.

Add comment