COVID-19 enterprise resilience checklist: We help you navigate the now, next and beyond.
Risk transformation: key questions
- What is the impact on your people – quarantines, evacuations, travel and alternate working methods?
- Are you establishing a crisis command team that is empowered to approve policy exceptions?
- How are your customers, suppliers and production capabilities impacted?
- What are the critical functions, processes and significant third-party dependencies, especially in impacted locations?
- What are some of the legal and contractual liabilities that could get triggered because of this event?
- What is the financial impact and how does it alter your short- and long-term capital needs?
- How are you responding to the regulatory compliance requirements that have been triggered over the past few weeks?
- Are you adjusting your policies in the wake of a distributed ecosystem to ensure empathy, collaboration and productivity?
- Are you adjusting your existing infrastructure and technology to support the new norms of engagement?
- Are you adopting strategies to rapidly fulfil capacity gaps and activate alternate channels to service customer demand?
- Are you communicating with your stakeholders, including employees, customers, regulators and public officials, in a trusted and transparent manner?
- Have you build contingency plans by modelling risks related to revenue and cost scenarios?
- To your existing business and operating model in light of your risk response to the COVID-19 crisis?
- Does your organization have a risk intelligence mechanism to sense and identify future risk scenarios?
- Are critical processes and controls periodically tested for operating effectiveness?
- How is your organization’s risk management function adapting in the wake of the crisis?
- Have you refreshed your business continuity plans and incorporated learnings from the COVID-19 crisis?
- Are you reviewing the results of resilience-testing and make recommendations for strengthening crisis-management?
Repurpose IA resources to support the business in identifying vulnerabilities and provide real-time risk advisory services to crisis response.
- Crisis management
- Business continuity planning
- Work from home capability
- Technology effectiveness
- Employee well-being
- Customer safety
- Supply chain effectiveness
- Working capital management
- Brand protection
Continue IA work with some focus on cost recovery and the least disruption to the business, through remote auditing and performing analytics based procedures.
- Cash management
- Vendor audits
- Capital expenditure and projects
- SOX walkthroughs and testing
- Procure to pay
- Order to cash
- Foreign Corrupt Practices Act (FCPA)
Operate a new normal -a transformed IA function focused on the risks that matter, better enabled by technology and resources with deeper business skills.
- Updated risk assessment
- Dynamic audit approach
- Data driven, technology enabled audits
- IA as a business advisor
- Higher impact audits
Rapidly assess the control environment and secure resources necessary to maintain compliance.
- Evaluate the control environment to identify vulnerabilities in processes and crucial controls needed to operate in this period
- Verify new ways of working continue to provide sufficient evidence of control performance
- Establish mechanisms (particularly skilled people) for effective operation of new or critical controls with a focus on:
- ITGC (access and change controls)
- Revenue recognition
- Accounting estimates
- Fair values
- Segregation of duties
- Repurpose individuals as needed to design and document changed or new controls
- Enhance existing tools, technology and IT infrastructure to support remote execution (and evaluation) of controls in a virtual environment
- Create back-up support for process and control owners, as well as testing team members who may be impacted by illness or remote-working
- Understand and address concerns with 302 certification resulting from disruption to the control environment
Reassess the risk, evaluate the design and operating effectiveness of key processes and controls and support remediation.
- Reperform risk assessment, materiality and scoping to assess changes in ICFR and align risks and required level of effort to maintain effectiveness of key controls
- Realign with the external auditor in critical areas (e.g. scope, materiality, timing of procedures)
- Connect with third-party service providers to understand impact on their control environments and related complementary user entity controls
- Re-evaluate testing team to consider segregation of duties conflicts resulting from hands-on support of control execution
- Take a thoughtful approach to testing fieldwork with an aim for the least amount of disruption as the organization returns to business as usual
- Consider early fieldwork to enable flexibility and appropriate time for remediation of new control deficiencies, where required
- Prioritize walkthroughs to evaluate changes in significant processes and related control design
- Leverage remote testing approach, enabled by technology
- Coordinate with business on alternative methods of evidence gathering (e.g. photo or video evidence)
- Onboard additional support to evaluate controls under new regulations or within complex accounting areas
Evaluate ICFR program management, including sustainable and optimized solutions for new ways of working.
- Evaluate lessons learned and new ways of operating generated during the crisis
- Optimize and rationalize key controls against updated risk considerations and a refreshed “new normal”
- Continue remediation of control deficiencies
- Revisit and update training programs to consider current business landscape, new controls, new systems and/or revised regulations
- Transform the testing operating model based on lessons learned and successful adaptation through uncertainty
- Increase the use of technology (e.g. robotics process automation, analytics, process mining)
- Build a talent model that can adapt to changing requirements (e.g. rotational programs, third-party support