Virtual internal auditing: remote control
Trends that were gradually gathering momentum have been dramatically accelerated by the COVID-19 pandemic. Chief among these is homeworking. As staff decamped from offices, adapting many of their organisations’ risk controls as they went, internal audit had to keep pace with changes while delivering its assurance work remotely.
Surprisingly, many of these changes turned out to be less disruptive than we might have expected. Technology has proved able to replicate many of the day-to-day audit tasks at least adequately, if not optimally. Zoom or Microsoft Teams calls replaced face-to-face board and auditee meetings, while documents were shared digitally from any site via secure data portals.
Internal audit functions that had invested in data analytics systems and skills were already used to tapping into company-wide enterprise resource planning (ERP) systems, such as NetSuite, Sage and SAP. Some were better equipped than others, but the tools have been available for several years and the direction of travel has been clear. Those that were not already using them should have seen recent events as a serious wake-up call. Such tools and skills are no longer a nice-to-have luxury.
Far but near
Brian Hayes, partner for Moore Ireland, which provides internal audit services to the credit union sector, says the biggest change in recent months has been in mindset. “Pre-Covid, if I told my clients I would rather schedule a Zoom call, half of them would not have known what that meant and the other half would think we were trying to cut corners somehow. The challenge for us as internal audit professionals is to seize the moment. I told my team to normalise the use of Zoom in the boardroom as soon as possible and we don’t want that to slip.”
The main advantage of auditing at a distance using video-conferencing software has been greater efficiency. Internal audit must stay close to the organisation to understand its risks and where its assurance will provide most value. The pandemic has exacerbated a host of existing risks from financial solvency to supply chain integrity, leading to an even greater need for the third line to be vigilant, engaged and relevant.
Oddly, many internal auditors can now stay closer to the business and maintain more constant contact, despite being physically remote, than they could when most meetings were physical and involved time-consuming travel. However, this does require a commitment to establishing and maintaining key relationships (on both sides) and a broad view of the ways in which internal audit should be involved and how it can add value. A team that rarely interacted with management except during specific audits may have the technology to forge closer links, but is unlikely to do so unless the auditors first change the way they think about the value of audit and their role in the organisation.
“Our clients now see a lot more of us. Previously, the team would arrive, set up base camp on day one and leave on day four, and then return three months later,” says Hayes. “Now, suddenly, the auditee sees us as part of the team as opposed to an occasional visiting policeman. The next stage is becoming more continuous because the line between us and our clients is blurring.”
The benefits of this “little and often” approach to communications are echoed by Marc Lansdown, director of internal audit at software firm Wolters Kluwer. “I think it’s fair to say that six months ago we were perhaps under-communicating without realising it. We’re now having more regular touchpoints with senior stakeholders in the company and that’s something that is probably going to continue, because I don’t think the pandemic will go away and everyone return to the office as we did in 2019.”
This has to be done carefully and with tact. It will not help relationships if constant contact means that internal audit is seen to get in the way of doing business – especially when organisations are contending with the many long-term effects of the health crisis and a related economic downturn.
“We don’t want to go to the other extreme and start over-communicating. Having an Outlook calendar that is blocked off back-to-back every day may not be a positive sign and can inhibit the work of audit and the company,” warns Lansdown. “You need space in your calendar to actually do the work.”
Importantly, managed well, remote communications can also improve co-ordination within the internal audit team. “When you’re all in the office it’s easy to assume that everyone is on the same page,” Lansdown adds. “Now we are no longer face to face, we have a lot more interactions within the internal audit team, such as a weekly call every Monday. We’ve become a lot more aligned about what our goals are, how we’re achieving them and what people are actually working on. That’s been tremendously beneficial.”
The insightful auditor
Spending less time travelling can also enable teams to deliver more audit days. To capitalise on this, heads of internal audit (HIAs) should set aside time to scan the horizon and research the wider risk landscape, from geopolitical to macroeconomic risks. The current crisis is a good opportunity to think afresh about how you identify emerging risks and what insights you offer the board or audit committee. Many risks will be changing, but others may have been under-scrutinised in the past simply because they were not on the radar and required a different outlook to identify and monitor. Still more may still be on the agenda, but no longer significant or useful.
“I now have time to look at what is relevant on a macroeconomic level and understand the world as it applies to credit unions and present what I learn to clients,” Hayes says. “When you’re eating, sleeping, drinking a certain sector, you pick up news, research and information by osmosis.” He adds that reviewing OECD economic forecasts and central bank commentaries enabled him to see that the pandemic’s effects on the Irish economy had caused savings surges in depository institutions. This had direct implications for the liquidity of credit unions. “Such observations give boards context and that is utterly in line with the role of the internal auditor – to provide insight.”
Stick and move
The efficiency gains afforded by remote internal auditing go hand-in-hand with developing more agile methods (not just “Agile” auditing involving sprints and daily scrums). The group chief internal auditor of one of the big four commercial banks in Ireland says that, in its independent advisory role, internal audit should be agile and proactive and shake off the perception that it only assesses issues once they arise.
“The traditional internal audit approach is often too retrospective. This year we’ve been trialling a simple product where we provide one and a half sides of bulleted feedback. It’s short, sharp, iterative feedback and is driven by our attachment to the relevant committees or management, so we’re with them live seeing what they’re doing. Then we pump in these bullets of observations and recommendations: ‘Your paper is silent on this risk or that risk and we recommend you include it’,” he explains.
“That’s value added, because you didn’t wait for something to fall over. You actually helped it on the way,” he adds. “But we’ve preserved our third line by recording that in a product, so a bulleted memo is always discoverable.”
He says that he can see no reason for ever retiring this product. He has found that management is more receptive to inputs provided this way, compared with those identified via a “traditional, slower, longer, deeper rated audit” and that it has reduced conflict.
Challenges and limitations
There are downsides, of course. Remote auditing may lead to more piecemeal engagements which are harder to schedule. It may also require a different approach to managing workloads. Auditors may have to work on more than one assignment at a time and switch between projects. In this case, managers may have to plan and group related assignments to ensure that their resources are not scattered and unfocused. In turn, HIAs may need to think about how various engagements fit into the overarching audit plan.
There are also concerns about the integrity of remote assurance work. “We have to satisfy ourselves and our clients that things can be checked from afar,” says Hayes. However, he adds that, whether an auditor reviews documents on paper or on screen, “touching and feeling it doesn’t really add or detract from the probity of the work we do”.
Any organisation or auditee deemed to be higher risk will still require closer inspection, which may be hard to achieve at a distance. And while business processes are increasingly digital, some are still physical by their nature. Warehousing and inventory management, as well as occupational health and safety audits, for example, require on-site inspections.
“We’re quite an acquisitive company and we conduct post-acquisition reviews, where we’ll go into a newly acquired entity quickly. A lot of the companies are small entrepreneurial start-ups in the tech space,” Lansdown says. “Part of that engagement is building trust and doing that face-to-face sends a message to the entity as a new member of the company. Could you do that virtually? Yes. Is that preferable? Absolutely not.”
There are also limitations to how deep remote internal auditors can dig when undertaking forensic work into financial discrepancies or potential fraud. “These cases need a certain amount of body language interpretation and interviews and it can be difficult to gauge the mood in the ‘Zoom Room’,” Hayes admits. “But I’m not too concerned that remote internal audit increases fraud risk, since fraud has moved online as well. We’re simply moving with the flow of where the risks are.”
Face-to-face audits still have a role and after the pandemic is over audit teams will have to strike a balance depending on their organisation, its resources and its assurance needs. However, the lessons learned in 2020 must not be forgotten. All auditors should be seeking greater efficiency, broader coverage and deeper insights, and one key tool will be an innovative and skilled approach to virtual auditing.
This article was first published in November 2020.