12 May 2020
EY virtual risk assessment in light of COVID-19

EY virtual risk assessment in light of COVID-19

By

Henrik Lind

EY Nordic Internal Audit Leader, EY Nordic Advanced Manufacturing & Mobility Client Serving Partner

Supporting companies to better understand how weaknesses and threats can be transformed into opportunities and strengths. Advisory Partner.

12 May 2020

EY teams have engaged the Nordic Chief Audit Executives (CAEs) in several discussions to conclude on the business impacts of the COVID-19 pandemic. 

The overall purpose of the discussions were to provide insights and experience in how Internal Audit (IA) should respond to potential updates on the internal audit plan, how to execute internal audit projects and how to communicate with key stakeholders. This article highlights the outputs.

According to the EY Global Risk Survey 2020, 79% of board members state that their organizations are not very well prepared to deal with a crisis event. There are five essentials steps to take during crisis management:

  1. Put employee well-being above all else
  2. Communicate promptly, clearly and transparently
  3. Keep expenses in check and have backups for budget deficits
  4. Identify and repair broken links in the supply chain
  5. Prepare for the unexpected

For IA it is now essential to repurpose resources to directly support the business in identifying vulnerabilities and provide real-time risk advisory services to crisis response, such as:

  • crisis management
  • business continuity planning,
  • work from home capability
  • cybersecurity
  • technology effectiveness
  • employee well-being
  • customer safety
  • supply chain effectiveness
  • working capital management
  • brand protection

Next step is to focus on cost recovery through remote auditing and performing analytics-based procedures. Finally, this means that IA needs to adjust a new normal and focus on the risks that matter, better enabled by technology and resources with deeper business skills.

What could IA do in order to support the organization?

On EY virtual roundtables EY teams discussed if IA for example should support the organization in establishing business continuity or plan to use staff in audit units for tasks other than assurance engagements. However, most of the CAEs believe that the COVID-19 pandemic will last for six to twelve months. By that, EY teams ended up asking what the highest risks are. Is there a greater chance of fraud now? If yes, why? What can EY teams do about it? What are the risks and vulnerabilities when everyone is working from home?

EY teams identified 27 risks that can be clustered into nine main categories:

  • supply chain and globe trade
  • employee health and well-being
  • talent and workforce
  • customer safety and brand protection
  • financial and investor
  • risk
  • government and public policy
  • technology and information security
  • insurance and financial recovery
The CAEs concluded that cashflow, market conditions and regulatory landscape are among the top three risk areas of focus.
Henrik Lind
EY Nordic Internal Audit Leader, EY Nordic Advanced Manufacturing & Mobility Client Serving Partner

EY teams also identified eight relevant audit needs to meet the current challenges and provide relevant insights to key stakeholders.

1. Liquidity

With a global economic unbalance due to the COVID-19 outbreak, liquidity and cash management become essential for companies searching for near-term solutions, e.g. cash shortage, credit squeeze, contingency planning and supply chain disruptions. The main identified risk is severely deteriorated liquidity inflows; deterioration in forms of the customers' ability to meet their financial obligations impacting the company’s liquidity inflows and cash management.

Audit needs to assess the company’s financial resilience and highlight the necessity for appropriate treasury and cash management. Achieving visibility and control over cash flows and driving sustainable working capital improvements are the most cost-effective forms of finance for most organizations.

2. Adaptation to market conditions

All sectors are reporting a drop-in demand. Customers oriented to traditional channels are opting for online channels, requiring companies to make immediate adjustments. The risks here are the overall market health and changes in consumer demand impacting turnover. There might be decreased demand due to decline in customer sales, global recession, loss of market share or changed customer behavior.

Audit should assess how decisions are made and what information companies need in order to make decisions for business survival. IA needs to evaluate if the decisions are made according to the company's risk appetite and the information the decisions are based upon.

3. Supply chain resiliency

94% of the Fortune 1000 companies are experiencing disruption to their supply chains as a result of COVID-19. As the pandemic continues to evolve, organizations around the globe are struggling to align supply and demand and are facing numerous issues across the end-to-end supply chain. There is a risk that the interrupted supplier ecosystems will lead to halt in production, increased costs and reduced customer trust. Increased operation costs or liquidity risks might lead to replacing affected suppliers with more expensive substitutes, temporary layoffs and factory closures.

Audit needs to assess the company's supply chain resilience by auditing the area, route to market and channel strategy, integrated sales and operations planning, logistics and distribution, manufacturing and plant operations, procurement and supplier management and crisis management and governance.

4. Compliance with regulatory changes

Disruptive and sudden regulatory changes cause severe business disruption. Governments may take quick disruptive decisions, e.g. new or updated regulations and legislations on how to protect citizens and national interests.

Audit needs to assess the compliance framework and regulatory monitoring process with focus on COVID-19. Also, there is a need to assess whether the process considers actions and guidance from regulators and the government, business strategy and the organization’s crisis response.

5. Business continuity and crisis management

As companies navigate the ongoing pandemic in order to reshape their business plan for recovery, there are several key issues corporate leaders should keep in mind. There is always a risk that companies end up leading insufficient processes and procedures for business continuity and crisis management. Lack of robust, consistent, and agile processes may result in the company not being able to efficiently and adequately manage crises and disruptive changes such as COVID-19.

Audit needs to assess the company’s crisis management and strategy for business continuity. Areas to audit can be short term liquidity, financial and operational risks, alternative supply chain options and the COVID-19 pandemic effect on budget and business plan.

6. Fraud

During a crisis, the risk of fraud increases because companies and individuals face more financial pressure. The opportunity for fraud also increases if key internal controls are weak and if people find it easy to rationalize their actions. These three elements – pressure, opportunity and rationalization – are always present in every case of fraud (also known as the Fraud Triangle). COVID-19 offers all three and more. Naturally, there are always increased internal and external fraud risks involved.

Audit needs to assess the implication of the business's continuous activities on controls, systems, governance, and culture as these activities might increase the fraud activities in the short term.

7. Access to funding

The current financial disorder has resulted in tensions in capital and commercial paper markets, with potentially severe implications for the global economy and financial stability. Reduced demand for commercial papers deprives the access to short and mid-term funding through the commercial paper market.

Audit needs to assess the company’s funding strategy, capital market options, and contingency plan.

8. Cybersecurity

Security centers in COVID-19 affected areas have been shut down, rendering several companies exposed. Many such companies have been hit by cyberattacks compromising sensitive data. Cyberattacks and breaches cause leakage of sensitive data and fraud. Both increased exposure and degradation of cybersecurity programs lead to higher risk of breaches.

Audit needs to assess the company’s preparedness and defense mechanisms against cyber threats.

How EY can help you

Our teams can support you with a rapid assessment of your organizational maturity around the main categories to help prioritize needs and allocate IA resources. EY’s tool aims to provide a self-assessment questionnaire to evaluate an organization's overall preparedness level for COVID-19, across the broad facets of a business.

Summary

Internal Audit has a real opportunity to collaborate with business and support continuity by reposting IA resources, providing real time risk advice through crisis management, helping the organization to asses exposure to emerging risks, revisiting your risk assessment and planned audit procedures, ensuring the needed technology infrastructure and tools to support remote audit activities, planning to supplement your resources to address new ways of working and evolving risks and leveraging downtime to enhance the IA function. 

About this article

By

Henrik Lind

EY Nordic Internal Audit Leader, EY Nordic Advanced Manufacturing & Mobility Client Serving Partner

Supporting companies to better understand how weaknesses and threats can be transformed into opportunities and strengths. Advisory Partner.