How COVID-19 is Transforming the Internal Audit
We study history to avoid making the same mistakes. But sometimes an event is so unique and powerful – and not in a good way – that it provides almost immediate insights. Obviously, the COVID-19 crisis falls into that camp where, despite most companies still being waist-deep in its repercussions, leadership already has much to glean from it. And nowhere is that thought better represented than in the internal audit.
Therefore, we want to take a look at internal audit and understand how IA has changed in the wake of the coronavirus pandemic. With so many organizations caught off-guard and ill-prepared, this crisis has revealed definite shortcomings in how many companies plan and operate, all areas for improvement that internal audit can help drive. If recent events have taught us anything, it's that even extreme what-if scenarios can and do happen. And that's exactly what we're going to help you address.
Reassessing Risk Assessment
Now that's a mouthful, huh? Both as a tongue-twister and a whopper of a concept. But it's also the most obvious starting point to gauge COVID-19's impact on IA, one that encompasses so many different aspects of operations. Logistics, liquidity measures, labor, compliance, and countless more – they're all individual pieces of the enterprise risk management (ERM) jigsaw puzzle.
And as anyone who's tackled a behemoth jigsaw with hundreds of pieces will attest, you don't realize you have a missing piece or two until you're coming down the home stretch. And that, to say the least, is frustrating. But for a company and its risk management, those missing pieces can be fatal.
Sure, everyone knew that a pandemic was possible, but was it really something to plan for? Or a terrorist attack? Or natural disasters that, once again, can and do occur? The answer to all of those is a resounding yes. Companies need to expand what they account for in their ERM, and not just with lip service.
And that process starts with the assessment itself. How do you choose what to include in your ERM right now? Is it a simple poll of your leadership? Because, as skilled and knowledgeable as we're sure they are, it's unlikely that anyone in your C-suite is omniscient. But that's the problem with so many risk assessments – they're more a check-the-boxes type of exercise than a deep dive into factors and forces that can quickly wreak havoc on your operations.
To that point, conduct a thorough post-mortem of what your company has learned from the coronavirus pandemic, and compare it to your preceding risk assessments for some pretty revealing insights. Building on that exercise, take note of your strengths and weaknesses, areas of risk exposure that the pandemic has revealed, and begin developing strategic plans to deal with similar sources of risk effectively, starting with a focus on:
External Risk Factors
- New regulations and policies stemming from the coronavirus pandemic that affect your company
Cash Flow and Access to Liquidity
- Reassess your working capital requirement and cash flow needs
- Access to and implications of PPP loans
Your People, Workforce, and Customer Base
- The impact of remote working on your financial close
- HR's progress on annual performance assessments in light of a remote workforce
- Your culture as well as the health and well-being of your people
- A revised communication plan for your customers and partners
Supply and Demand
- Prepare for changes in demand and any needed adjustments to stock and resources to satisfy those new demand levels
- Assess if you and third-party partners have sufficient resources to maintain critical activities at adequate levels
- Adopt a more holistic, end-to-end view of your supply chain, with an emphasis on optimizing your working capital through concerted efforts with your customers, vendors, and suppliers to maximize short-term cash flow
Further, revisit your disaster recovery plans (DRPs) and ensure they're comprehensive enough to cover even the small details that often go unaddressed. Granted, this usually isn't at the top of the to-do list but, as we've seen, it can be critical to your organization's survival.
An experienced third party can be extremely helpful in providing a thoughtful, thorough risk analysis of your operations to see if your ERM procedures and DRP are as fleshed out as they should be. From there, you should revisit your risk assessment at least once a year to continually improve and expand on it as necessary.
Supply Chain Risk
When aligning IA with the heightened threat environment, it's essential to ask bigger, more far-reaching questions that force you to plan for extreme scenarios. Like the ones that, at least until a few months ago, seemed to have an infinitesimally small likelihood of occurring.
Supply chains are a perfect example of what we're talking about. Modern logistics is based on a just-in-time principle, where everything is so efficient and streamlined, you don't need a lot of lead-time – or idle inventory – to satisfy orders. But that also means that any bump in the supply chain road can have a catastrophic rippling effect.
In other words, your supply chain is especially susceptible to disruption. And in the case of something like the coronavirus pandemic, that disruption can be devastating. Therefore, you need to take a close look at those susceptibilities, starting with a few pointed questions like:
- How secure is your supply chain? Do your service level agreements even address what happens during a pandemic?
- How will you mitigate risk if a hurricane, terrorist attack, or another pandemic impacts key suppliers or outsourced teams?
- If unexpected foreign policy suddenly cuts you off from critical factories in Asia – or anywhere else, for that matter – do you have another option?
- What if your suppliers get an offer they can't refuse? Does your contract allow them to drop you over a better price elsewhere? And if so, what will you do if that were to happen?
The internet doesn't have enough space for us to go through the myriad of what-ifs out there, but you get the point. Risk assessment isn't just about addressing the high-level targets. It's about nuance and detail, and formulating credible, effective gameplans that allow your company to properly pivot, even under the rarest of unforeseen circumstances. Suffice it to say, that notion is true for your supply chain and any other potential source of risk.
As we said, take a closer look at your supply chain and identify weaknesses exposed by the pandemic. This is another area where outside help could be very beneficial, able to identify vulnerabilities that might have slipped through the cracks. They could examine your ERM, identify areas of risk, and carry them through your pipeline into your working capital management. This type of exercise is essential for optimizing cash flow and even the vendor selection process.
Afterward, you're left with a far more comprehensive supply chain risk mitigation plan that prioritizes vendors and leaves no stone unturned. It should encompass everything from vendor screening and onboarding to ongoing reviews, ideally with a digitized documentation and communication hub that your partners and cross-functional teams have access to. Just keep in mind that, while absolutely critical, this process takes a fair amount of time and attention – two commodities that are in short supply for CFOs and their teams these days.
- Compliance officers and those involved with your vendor due diligence should be included in whatever rebuilding or refining your supply chain requires, including digitized solutions you implement.
- Explore a more diverse footprint for vendors to mitigate risk from over-concentration in a particular region.
- Regarding the previous point, pay particular attention to vendors in geographic areas that are new and unfamiliar to you, as they might present other sources of risk.
- Divestiture, restructuring, ownership changes, and other factors may all impact a vendor's ability to meet your needs.
SOX & Compliance Issues
Your new and improved risk assessment will probably leave you with a lengthy list of items to home in on. Naturally, many of these items – if not most – will impact compliance in some way. To pick the lowest hanging fruit, let's say you downshifted into a remote working model, as many companies did in Q1 and Q2 of 2020. If you were new to the experience, there are bound to be some gaps that directly impact your internal audits and traditional SOX testing.
Having your team spread out rather than centralized within the same office means certain processes and controls might not work as well, or could even collapse. Unless you accounted for such dynamics in your segregation of duties, you will probably find that your team either completely missed particular tasks or was not as thorough as they should have been. Travel restrictions can cause the same issues, creating a disconnect in communication and disruption to your normal processes.
Because of COVID, many companies now realize that they need to adapt to a more digital model that leverages technology to support these critical functions. But digitalization goes far beyond mere support functions. When you choose the right partners and solutions, technology can also become a core value driver for your organization.
We've spoken in the past about our preference for Workiva's Wdesk solution because of its intuitive UI and scope of features. It's a single platform that can streamline IA management, SEC reporting, the full spectrum of the record-to-report function, and more. That said, although Wdesk is widely considered a best-in-class solution, it's certainly not the only game in town.
Our advice is to do your due diligence and find a cloud-based platform that meets your specific needs. It should easily connect your people and data, automate processes to minimize risk, and transform your decision making with timely, relevant, and accurate data. Yes, Workiva is a good place to begin your search but, as always, it's important to find what works best for you.
Of course, if one of your priorities is running a low-cost internal audit group, then you might have to stick with the old standards like Word, Excel, and mountains of PDFs. While those solutions aren’t ideal, especially if you continue to use remote workers, that shouldn't prevent you from streamlining your workflow with another set of targeted questions.
- How accessible is your documentation? Does everyone who needs them have access and logins to your network?
- Were you able to continue your audit cycle during the pandemic?
- What workarounds did you use, and what bottlenecks did you experience, when using a remote working model?
- Have you documented any process and control modifications you've had to implement in response to the pandemic?
- Have your controls held up during the COVID-19 crisis?
- Do you have two-factor authentication in place for people logging into a VPN?
These are the types of compliance-related questions you should integrate into internal audit going forward, if you haven't already. Also, keep in mind that part of your organization's "new normal" might very well include continued use of remote working. If that's the case, then it's time to take a closer look at digital compliance platforms like Wdesk and, if not feasible at the moment, what you can do to bolster your control environment while connecting your team, data, and processes.
- Your walk-throughs and test-of-design activities will likely have to change to encompass more of the potential gaps during remote working.
- Communication with your external auditors is even more critical now. Keep them in the loop regarding process changes and other areas affected by COVID-19.
- Recording your virtual meetings and workshops will enhance your IA evidence. If remote working continues to be a factor, then electronic documentation will play a crucial role.
Lastly, we'd be remiss if we didn't mention the IA department itself. If the budget is now more of an issue and you need to add efficiencies, then, to stick with a common theme, technology could go a long way in reducing ongoing expenses.
And that really embodies the lesson to take from all of this. Your old ways won't necessarily work anymore. Technology and refined processes & procedures will be vital in helping you to develop and maintain the flexibility you need to navigate immense amounts of uncertainty.
Likewise, establishing and maintaining relationships with reliable, experienced third parties can point you in the right direction and help you clear certain hurdles that might seem insurmountable right now. Suffice it to say, COVID-19 has transformed organizations – in many ways, permanently – and internal audit along with it. Embark exists to help you through all of this, and we're ready to lend you our experience and expertise whenever you need it.