Lessons from the pandemic: Best foot forward
New businesses will be able to look back a year and say they accurately predicted the risks and challenges they would face in 2020. COVID-19 was one of those “bolts from the blue” that affect almost everyone, in every sector worldwide, and it is not over yet. Meanwhile, other significant risks with the capacity to affect countries, regions or sectors remain serious and present dangers. So what has internal audit learnt from its experiences in the pandemic and how can auditors apply these lessons to the year ahead?
For many, the most important issue in 2020 was to stay afloat. However, the focus must now be on rebuilding and emerging from the period of intense crisis. One early gain could be to look at all the new ways of working that sprang up rapidly last year – and the skills gained in the process – and analyse both the risks and the opportunities these create. What should be kept and developed further, and what needs to be reined-in and modified?
This year, while vaccines may alleviate COVID-19, others crises will come to the fore. Many regions are likely to suffer from recession, there is an ongoing and escalating climate crisis, and regional geopolitical tensions will continue to affect operations in some areas. The UK will transition fully to its new status outside the EU, and we have yet to see what effect a new US president may have on global trade and politics. Experiences dealing with crises and improving risk planning processes in 2020 will certainly not be wasted.
Many internal auditors have already begun a post-Covid consolidating, analysing and learning process. According to a Chartered IIA survey of 225 heads of internal audit released in September, called “Internal Audit in Lockdown”, three-fifths of respondents planned a “lessons learnt” audit or a specific audit on their organisation’s response to coronavirus. The Internal Audit Code of Practice and financial services code state that: “internal audit’s reporting to the audit and any other board committees should include: [...] a review of any post-mortem and ‘lessons learned’ analysis if a significant adverse event has occurred at an organisation. A review should assess both the role of the first and second lines of defence and internal audit’s own role.”
Reset the dial
One example of current activity is NatWest bank’s organisation-wide “learning for the future” project, which incorporates a specific internal audit project within it. According to Nicholas Crapp, group chief audit executive, his team has interviewed 50 internal stakeholders and 50 in the audit team and collated their responses to identify key learnings. The audit function has also compiled a list of “quick wins” and finalised the top five actions that it needs to take to keep momentum going and signal that it is taking change seriously.
More broadly, internal auditors in several industries have said that their principal focus has become “resilience” and that review work has been “pushed back”. This is true even in heavily regulated sectors such as financial services, where compliance reviews can take up a significant part of the function’s time.
“COVID-19 has meant that we have had to focus on the immediate risks to the organisation, such as maintaining operations and key services, maintaining supply chains, enabling home working and ensuring effective financial management. Other areas of review have been pared back,” admits one chief audit executive.
Derek Jamieson, director for regions at the Chartered IIA, believes that the pandemic has highlighted some key lessons for internal audit. For a start, annual audit plans have been “thrown out of the window”. “Audit planning needs to be more fluid as internal audit work has to be much more reflective of the changing environment, a changing risk profile and the needs of the business.”
Faster, more responsive audit planning has been on the agendas of forward-thinking internal audit teams for some years, however, the Covid crisis has prompted more rapid changes and those who have brought in faster, flexible processes as a consequence must not look back when the pandemic passes. Those who have not managed to speed up their planning effectively must look to do this as soon as possible.
This seems to be a trend in several audit process areas – the pandemic did not create the fundamental need for better planning processes, but it created circumstances in which what was formerly desirable is now essential. The dial has moved on, and teams who were somewhere in the middle in 2019 will find themselves near the back if they do not move too.
All hands on deck?
Jamieson adds that the crisis has enabled internal audit to demonstrate that it can, when necessary, be more hands-on and offer practical help to ensure the organisation survives. “During the crisis, internal auditors may have been redeployed to support other areas of the business and asked to use their skills and expertise in any way they could to help the organisation weather the crisis,” he points out.
While this could potentially threaten assurance capacity and independence, it can also generate wider appreciation of audit skills and capabilities. It is one area where audit teams should now be reviewing what they have done over the past year to check for potential conflicts or control weaknesses – but they should also look at where they can capitalise on goodwill and the relationships they developed within the organisation as the crisis unfolded.
“Internal audit will have worked more closely with risk management and operational parts of the business than perhaps ever before,” Jamieson says. “This now provides the function with a great opportunity to forge better and deeper relationships going forward, as well as providing an opportunity for auditors to offer their skills, expertise and insights if the organisation faces another crisis or needs to pivot quickly.”
This experience “is bound to reflect positively on the profession,” he adds. “However, where redeployment has taken place, safeguards should be put in place to reduce the risk of conflicts of interest and to preserve the independence and objectivity of internal auditors.”
Bear in mind that, while internal auditors may win new friends by “mucking in” in a crisis, they will only demonstrate their full value if they remain independent trusted advisers. “Remember your role. Providing an independent, objective voice in a crisis situation can help to prevent management from making a bad situation even worse,” he says.
Write it down
One way to learn from – and leverage – auditors’ experiences in the crisis is to ensure that you accurately record what you did and when and how you did it. Jamieson suggests that heads of audit keep a diary. “It is important to record what key actions and/or decisions were taken and rejected during the crisis, and why. Internal audit can learn from what worked and what didn’t. Keeping a log that provides context about how the organisation acted, and why some strategies were chosen over others, will help auditors to understand how board and management prioritised certain risks and what drove their decisions. It can also add value to the organisation’s reflections after the crisis.”
Such reflections should include questioning weaknesses that the pandemic exposed. For example, some companies found that they relied on a handful of suppliers, often based in the same region. When the first Covid cases emerged in China, Chinese companies stopped producing and exporting the goods and parts that industries across the world depended on for their own manufacturing processes. The problems intensified as country after country locked down.
Check your tech
James Crayton, commercial partner at law firm Walker Morris, says that internal auditors should review the risk management frameworks around supply chain management to see that they are robust, diversified and not too dependent – or interdependent – on key suppliers or locations. Those who have not done so already, should look to invest in technologies using artificial intelligence, Big Data and Blockchain to provide the fast, accurate and detailed management information that businesses need to react rapidly to adverse events. Technology can also help to provide continuity when/if workforces are furloughed, reduced, forced to work remotely, or sick.
“Businesses need to second-guess the unknown and ensure they have a robust and extensive risk-management plan for their supply chains to ensure they not only survive subsequent waves of COVID-19, but are also protected against the pitfalls they faced the first time around,” he says. “The pandemic is likely to force more businesses to confront the challenges and opportunities that new technology can bring – there might be a short-term cost, but the longer term advantages are increasing.”
Move faster
Agility is also becoming essential, not just preferable. This does not have to take the form of formal “Agile” techniques, although these may be worth considering. Simon Geale, senior vice-president for client solutions at procurement consultancy Proxima, says that while the pandemic may not have any great outcomes, “a good outcome might be faring better than the competition, and/or being ready to move first.”
“We might all have to accept the ‘perfect imperfections’ that we have found over the past few months and work out what to embrace as our new ways of working,” he says. “This means thinking about what’s worked better than normal, and how we can use technology and more collegiate, agile behaviours to keep this new-found focus and agility in the future.”
Change focus
Val Jonas, CEO at risk software and services consultancy Risk Decisions Group, believes that internal auditors now have an opportunity to change their focus, as well as their processes. The pandemic has taught us a valuable lesson: don’t think about the likelihood of a risk occurring – think about how prepared the organisation is to deal with it and recover from it, she suggests.
“The possibility of a pandemic has been included in the World Economic Forum’s [WEF’s] risk indexes for over a decade,” she points out. “However, because it was classed as ‘high impact but low probability’, when it did make it into the report’s top five global risks, everyone ignored it and didn’t test their resilience. That thinking needs to change.”
For a start, organisations need to become more “risk intelligent” by using the tools and information they already have more strategically to help them react more swiftly in future.
“Organisations need to hold risk information centrally so that people who need it can access it in real-time,” Jonas says. “Too many internal audit and risk management departments still hold information on spreadsheets. It’s a complete waste of time – it gives an incomplete picture, takes too long to analyse and does not allow the function to answer the board’s questions immediately or with adequate assurance.”
Empower decision-makers
In addition, she believes that organisations should empower employees to make risk decisions in a crisis, particularly middle managers. “The CEO and the board are going to be dealing with the ‘big picture’ risks. They are not going to address nitty-gritty work stuff. Middle managers need to feel empowered to make decisions so that the business can react quickly and so that employees feel their concerns are heard and addressed. Internal audit has a strong role in pushing that message,” she advises.
Last, but not least, be positive about the opportunities. “Thinking negatively never solved any problems,” Jonas says. “The only way to get through a crisis is to find a solution and drive towards it. No business is going to go back to operating as it did before, so every organisation has to adapt. Companies could use the current situation as an opportunity to start thinking about the long-term future – for example, how climate change may impact future operations, supply chains and ways of working.”
This article was first published in January 2021.