Internal audit departments in 2020 are facing a myriad of challenges. Audit plans may have changed, department sizes may have been impacted by layoffs, organizations may be revamping business models, or audit activities may be affected by the results of delayed or canceled initiatives or implementations.
As a result, the quality of an internal audit department and its conformance to the International Standards for the Professional Practice of Internal Auditing (“Standards”) from the Institute of Internal Auditors (“IIA”) may not be top of mind. However, it is critical that internal audit departments remain quality service providers and uphold their reputation as trusted business advisors to their respective organizations.
First, with all the changes happening in organizations, it is important that the internal audit department maintain proper reporting lines, in accordance with Standard 1110 – Organizational Independence. Internal Audit should always maintain an independent, direct functional line of reporting to the Audit Committee or the Board of Directors. Administratively, it may make sense for the Internal Audit group to report daily to a member of senior management, perhaps a Chief Financial Officer. With restructurings or personnel changes being a common occurrence these days, the person in that reporting relationship may have changed recently. However, Internal Audit should confirm that the new administrative report is not a person with significant daily involvement with internal audit projects.
Additionally, reduction in overall resources for an organization may mean that internal audit resources are asked to take on additional financial or operational tasks. Internal audit should be careful to ensure that these additional duties do not affect their ability to deliver on their promise to support governance, control, and risk. Standard 1112 – Chief Audit Executive Roles Beyond Internal and Standard 1120 – Individual Objectivity both speak to the need for oversight or assurances that additional responsibilities placed on internal audit resources do not represent a conflict of interest to their duties of objectivity in their audit work.
Layoffs and staff reductions also means that an internal audit department may find themselves without the specialized resources necessary to carry out some of their audits. Before you cancel or postpone a review, consider if there are resources with that skill set in your organization who could perform the review under the supervision of an audit resource. Standard 2030 – Resource Management, Standard 2230 – Engagement Resource Allocation, and Standard 2340 – Engagement Supervision all state the need for resources with the appropriate skills to execute audit plans combined with appropriate supervision to ensure proper audit processes are completed.
Lower staffing levels and an increase in special project requests by management may challenge internal audit departments to complete the original audit plan for 2020. However, audit should communicate with management to ensure that they are keeping pace with changing risk environments and have adjusted their audit plans accordingly. This should include communicating with other assurance services (risk management, compliance, external audit, etc.) to reduce potential duplication of efforts across the organization and higher risk areas are not missed. Standard 2050 – Coordination and Reliance addresses internal audit’s responsibility to coordinate with other internal and external consulting and assurance service providers to ensure proper coverage.
If your organization has pivoted to a remote work environment, the control environment may have significantly changed. This may result in additional time needed to document processes and identify changes. Changes in the control environment should be thoroughly communicated to appropriate management to ensure transparency of processes to all. Internal audit’s responsibility for assisting their organization in maintaining an effective control environment is stated in Standard 2130 – Control.
A pivot to remote work may make performing on-site audits impossible. If travel is not allowed, internal audit should consider technology options that could make obtaining evidence and performing test procedures possible. Audits may take longer, and evidence may take different forms, but technology is available to ensure internal audit can fulfill their responsibility to assess the effectiveness of an organization’s internal control environment.
While 2020 has thrown a lot of curveballs, as internal auditors, we maintain the responsibility to assist our organizations in evaluating and improving the effectiveness of their risk management, control, and governance processes. With some creative planning, internal audit departments can continue to deliver quality services and provide relevant assurance to our organizations in a time when uncertainty seems to be the rule.