Goms-Suspension-bridge

How chief audit executives are responding to COVID-19 in the next

Photographic portrait of Esi Akinosho
Esi Akinosho

Houston Office Managing Partner, Ernst & Young LLP

7 minute read 24 Mar 2023
Related topics
Consulting
Risk
Cybersecurity

Internal audit functions are monitoring emerging risks, adjusting audit plans and changing their operating models in response to the crisis.

In brief:

  • The results of a follow up to our previous global survey: we explore how the internal audit (IA) profession is responding to the “next” phase of COVID-19.
  • The top risk areas are employee health and wellbeing, physical return to work, supply chain and global trade, technology and IT, liquidity and working capital.
  • Many of the organizations that IA functions serve are changing drastically. IA must change, adapt and keep up with the pace of change in the business.

The outbreak of COVID-19 caused extensive disruption for organizations earlier this year. They had to take rapid and decisive action to ensure business continuity during the pandemic. Now organizations in many markets are in the “next” phase of their response to COVID-19; restarting operations that were temporarily halted by the crisis and navigating the challenges associated with the physical return to work.

To find out how the internal audit profession is responding to the challenges and pressures presented by this phase of the pandemic, we conducted a global survey of more than 370 chief audit executives or equivalents. The survey, which closed on 1 June, is a follow up to our previous survey conducted in April, when we asked chief executives how they were responding in the “now.”

Encouragingly, our more recent research indicates a subtle shift in the mood of internal audit functions compared with the first survey.  When we asked respondents to sum up the current tone in their organization using one word, the most popular responses included “cautious” and “resilient” in alignment with our first survey, but there was also much greater emphasis on the words “adaptable,” “agile,” “collaborative” and “focused.” This is a sign that both organizations and internal audit functions feel positive about their ability to react to change.

Download: How chief audit executives are responding to COVID-19 in the next.

PDF (1 MB)

Lessons learned

The COVID-19 crisis has undoubtedly been a major learning experience for internal audit and the organizations that they serve. According to our survey, the most significant lesson learned by internal audit functions (cited by 42% of respondents) is that they can audit almost anything remotely. Internal audit professionals have thought creatively about how they can continue to perform their work during the COVID-19 disruption through the use of alternative auditing methods, technology and tools.

Most significant lesson learned
of respondents have learnt they can audit almost anything remotely.

Video conferencing technology has been a particularly helpful tool to enable internal audit to continue executing in a remote working environment. Internal audit functions have used the technology to hold virtual meetings in place of face-to-face meetings, carry out inventory walk-throughs or walk-throughs of specific processes with process owners. Data analytics has also been an effective tool, enabling internal audit functions to focus on high risk areas by analyzing data for anomalies, patterns and trends. Such is the importance of technology that a number of respondents (14%) indicated that the most significant lesson learned throughout the COVID-19 disruption was that their function has a need for more technology.

Leaning on technology
of respondents indicated the most significant lesson learned through the disruption was the need for more technology.

How EY can Help

Another important lesson, cited by 21% of respondents, is that internal audit can help business continuity by providing support to first- and second-line activities during a crisis. Internal audit professionals have a broad knowledge of the business and a deep understanding of risk, which has equipped them with the knowledge and skills to support the first- and second-line in times of need and showcase the value of internal audit to the organization.

 

Emerging and escalating risks

Our research found that internal audit functions have a more thorough understanding of the emerging and escalating risks that their organizations face compared with the previous survey. When we asked respondents to share their top risk areas, employee health and wellbeing came first, cited by 76% of respondents. The physical return to work also ranked highly, with 72% of respondents stating this as a top emerging risk. Other highly rated risk areas were supply chain and global trade (50%), technology and information security (47%), and liquidity and working capital (44%).

 

Significantly, there was a 33% increase in respondents citing fraud as one of the top emerging or escalating risk areas of their business, compared with the previous survey. Potential causes for the emergence of fraud as a key risk area may be controls and processes being changed to accommodate the remote-working environment, segregation-of-duties conflicts resulting from a reduced workforce or increased incentive to commit fraud due to the economic environment. 

 

Since the last survey, there has been a 10% increase in respondents reporting an increase in frequency of interactions with their audit committees. This shows that internal audit functions and audit committees understand the need to communicate more frequently in a rapidly changing risk landscape. The top three priorities for audit committees in this survey were consistent with the prior survey, with reprioritizing the audit plan to cover emerging risks (57%) as the top priority, followed by cyber risk (46%) and heightened risk to internal control over financial reporting (40%).

Since the last survey, there has been a 10% increase in frequency of interactions
between internal audit functions and their audit committees. This shows that both
understand the need to communicate more frequently in a rapidly changing risk
landscape.

As new risk areas emerge, and audit committees focus on maintaining risk coverage, internal audit functions will need to take a more agile, efficient and digital-enabled approach to their work if they are to fulfill their mandate over the coming months.

Adjusting the audit plan

More than two-thirds (69%) of respondents said that they had changed their audit plan by over 10% as a result of the COVID-19 disruption. The audits that respondents are most commonly postponing or canceling are those that require physical presence and/or travel. This may leave risk-coverage gaps for locations and operations that have historically been audited via site visits or physical inspection.

Adjusting audit plans
of respondents said they had changed their audit plan by over 10% as a result of the COVID-19 disruption.

Where possible, internal audit could use analytics or remote auditing procedures to avoid having to postpone or cancel planned audits. It is also important that functions continue to pay close attention to all high-risk areas of the business, not just the risk areas most closely associated with the COVID-19 disruption. Taking a flexible and digital-enabled approach is key to providing sufficient coverage.

While some audits have been cancelled or postponed, internal audit functions have also added new audits to their audit plans to cover the emerging risks related to COVID-19. Nearly a third (30%) have added audits on cybersecurity and crisis management effectiveness while 28% have added fraud-related audits and a fifth are auditing technology effectiveness.

The physical return to work

Although many organizations are now beginning the physical return to work process, less than half of internal audit functions have been directly involved with the associated planning. Only 37% of functions have been providing risk and control advice in this area. Furthermore, just 16% of internal audit functions have added return-to-office readiness to their audit plans.

As with a new system implementation, returning to the office brings new risks for organizations, as well as opportunities for process improvement that should be considered prior to go-live. Internal audit should have a seat at the table when these discussions are taking place because it is well-versed in assessing and developing plans to mitigate risk. It can also provide a holistic view of risk based on its familiarity with all facets of the organization.

Internal audit’s limited direct involvement with return-to-office planning may indicate that some organizations view internal audit as primarily an assurance function rather than a business advisor. Despite this, over 61% of internal audit functions have not experienced budget cuts to date as a result of the COVID-19 disruption which indicates that organizations clearly recognize the importance of risk management at this time and see internal audit as a critical and valuable function.

The value of risk management
of internal audit functions have not experienced budget cuts to date as a result of the COVID-19 disruption.

Changes to the internal audit operating model

Many of the organizations that IA functions serve are changing drastically. For IA to be seen as a value-added business risk advisor within the organization, it needs to change, adapt and keep up with the pace of change in the business on an ongoing basis. Our research indicates that this is the case, with 79% of respondents seeing a need and/or opportunity to change at least one part of their internal audit operating model going forward. Almost half (42%) of respondents said they were planning to change the way they use technology as a result of the crisis while 28% were reconsidering their execution approach and/or methodology and 27% were reviewing their risk assessment approach. Just over a quarter (26%) were looking to upgrade the skillset of their team in areas such as data analytics, IT and creative thinking.

Becoming a value-added business risk advisor
of respondents see a need and/or opportunity to change at least one part of their internal audit operating model going forward.

Preparing for the beyond

Internal audit functions have proved their value in the now and next phases of COVID-19, showcasing their agility and digital expertise as they responded to the crisis. So, what will happen in the beyond phase – an era that will almost certainly be defined by evolving business models and accelerated digital transformation?

Going forward, CFOs and audit committees will not be content with an internal audit function that continues to do business as usual while dynamic shifts occur throughout the organization. Instead, the pandemic is likely to be a watershed moment for executives and audit committees evaluating the effectiveness of their internal audit function. They will question whether they are receiving optimal service from internal audit or whether it is time to make an overarching change to the way the function operates.

Today a different picture of internal audit is emerging in response to COVID-19, as the function becomes more dynamic and draws on an expanded skillset. Traditional audit methods such as on-site visits, sample-based testing and documentation reviews are giving way to remote audits, analytics-based testing and digital audit techniques. The COVID-19 disruption is accelerating the transformation of internal audit to become an agile, forward-looking and technology-enabled business partner that provides strategic insight on risk right across the organization.

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.

Explore

Contact us for immediate support

Gain access to our help with crisis management, business continuity and enterprise resilience.

Contact

Summary

EY research has found that internal audit functions have learned to work effectively in a remote environment. They have a better understanding of emerging and escalating risks faced by their organization than at the outset of the crisis and are adjusting audit plans accordingly. At the same time, there is an opportunity for them to play more of a direct role in physical return-to-work planning. Disruption has created a need for internal audit to change its operating model and increase its use of technology to fulfill its mandate.

About this article

Photographic portrait of Esi Akinosho
Esi Akinosho
Houston Office Managing Partner, Ernst & Young LLP
Global Leader in value-driven Internal Audit innovation, Passionate about diversity in business. Travel enthusiast. Avid mystery fiction reader. Wife. Mother.
Related topics
Consulting
Risk
Cybersecurity

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.