Site Search

Menu

Services

Menu

Private Wealth & Entrepreneurs

Menu

Family business & SME consulting

Featured

Sustainability: Make your climate actions count.

Menu

Events

Loading Results

Virtual reviews for Internal Audit

Given the challenges posed by COVID-19, virtual reviews are a good option for conducting audits, fulfilling the internal audit remit and keeping internal audit teams safe

The impact of COVID-19 on business is devastating, and internal audit is no exception.

The virus is prohibiting many internal auditors from conducting audits on-site due to travel restrictions. Others are seeing resource shortfalls due to team members becoming ill.  

As the duration of this crisis is still unknown, a number of critical areas will need special attention.

 

The impact of COVID-19 on business is devastating, and internal audit is no exception.

The virus is prohibiting many internal auditors from conducting audits on-site due to travel restrictions. Others are seeing resource shortfalls due to team members becoming ill.  

As the duration of this crisis is still unknown, a number of critical areas will need special attention.

Key questions to consider

There are a number of areas that may be affected. Here are some questions you should consider:

  • What options are available for you as heads of internal audit to still conduct audits, fulfil your remit to stakeholders and keep your teams safe? 
  • How have you adapted your operating model to continue delivering on your internal audit  mission?
  • How do you maintain continuous and efficient interactions with internal audit  stakeholders?
  • How do you manage remote working?
  • How do you manage resource and competence shortages?

Critical areas for your consideration

Observations suggest that the following areas might be interrupted due to COVID-19.

  Safeguarding the internal audit mission Keeping internal audit staff safe New types of risk
Description
  • The mission of internal audit must be maintained (regulatory requirements and internal audit charter) or, at the very least, re-focused on critical items.
  • Non-critical internal audit areas may be stopped, while workarounds will need to be implemented for critical ones.
  • Most internal audit engagements are performed on-site. The current situation prevents this.
  • Traditional ways of delivering internal audit are jeopardised.
  • The organisation may face new types of risk. As a result, the risk assessment and audit plan will need updating and require internal audit attention.
  • Internal audit departments may lack the bandwidth and competences to address those new risks.
Consequences if interrupted
  • Internal audit  cannot achieve objectives as defined in the internal audit charter and assurance cannot be provided to internal stakeholders.
  • Compliance reviews (e.g. SOX testing) become impossible, with possible regulatory consequences.
  • IA staff Internal audit staff may have spare capacity, meaning their full potential is untapped
  • Internal audit is not able to produce the required levels of information.
  • Internal audit is not able to deliver the expected value.
  • Increased exposure to those new risks.
  • Risk prioritisation may lead to potential hidden exposures to risks that are usually under control.

 

Coronavirus scenarios and mitigation via virtual reviews

COVID-19 will affect organisations to different degrees, requiring several actions.

 

Details
  • Internal audit staff are available but the availability of key auditees is decreased.
  • Your existing tools and software allow your internal audit teams to continue delivering on their mission for some audit areas.
  • Key internal audit staff members or their key auditees are not available.
  • Existing processes and technology do not provide efficient means to deliver the internal audit mission for several audit areas.
  • Key internal audit staff members or their key auditees are not available.
  • Existing processes and technology are clearly not working to deliver the internal audit mission.
Functional impact
  • Your first and second lines of defence are less flexible and available, and your internal audit teams feel that their ability to conduct their third line of defence duties is reduced for some audit areas.
  • Your internal audit function struggles to review existing processes, risks and controls adequately and maintain the required levels of oversight.
  • Internal audit is able to help identify new risks, but may not be able to assess them.
  • Your internal audit function is not able to review existing processes, risks or controls. The required levels of oversight are not achieved.
  • Your internal audit function cannot determine whether new risks are being identified and monitored.
Proposed actions
  • Virtual reviews can be considered as an alternative to optimise the assessment of the general control environment (e.g. with “health checks”) or specific procedures.
  • Structured virtual reviews must now be deployed to safeguard the internal audit mission in assessing the general control environment.
  • Efficiency gains allow the internal audit team to support first and second lines of defence in identifying emerging risks as well as conducting in-depth analysis on emerging risks.
  • Structured virtual reviews must now be deployed to safeguard the internal audit mission and the credibility of internal audit as a strategic partner for senior management and the board, and to help the organisation get through the crisis.

As the COVID-19 crisis unfolds, the second objective for IA departments, once teams are safe,  is to define how to fulfil their missions in the medium to long term.

It is important to take an integrated perspective on how IA will be transformed and what the new enabling environment looks like, considering:

  • limited travelling
  • cost-saving measures
  • other health crisis waves
  • evolving risk landscape
  • uncertainty and unrest

Key questions to consider when recovering your business:

  • What is my new enabling environment?
  • What will start, stop or change as we move to recover from the crisis?
  • What does the new risk landscape look like and how is it going to impact audit activities in our organisation?
  • Are their new expectations to be considered according to senior management and the audit committee?
  • What resources/skillsets are needed to fulfil the IA mission in the medium to long term?
  • Have we considered alternate approaches to delivering the IA mission, making the most use of digital options?

Suggested next steps to tackle the recovery phase

If you find your business moving from the response to the recovery phase of the crisis the following key considerations and recommendations might be useful to you. 

1. Stakeholder engagement & resource confirmation 2. Assess heightened risk areas 3. Determine immediate and future risk priorities 4. Innovate agile ways of working using technology 5. Establish a (remote) data analytics capability
  • Engage stakeholders (e.g. audit committee, board, senior management) and confirm expectations and priorities
  • Confirm resources available and enabling environment
  • Walk through of principal risks (with the CRO if applicable) and assess effect of COVID-19
  • Focus on identifying increased liquidity, credit, fraud, cyber, third-party conduct, business processing and AML risks
  • Refocus audit plan and resources
  • Consider seconding to focus on business processes that have increased in importance during COVID-19
  • Test new solutions via pilots and adapt the target operating model to drive efficiencies ensuring all dimensions of the new enabling environment are addressed
  • Train IA teams and auditees 
  • Embed data analytics to review key process risk areas
  • Set up file-sharing protocols and secure portals

Guidance for the next phases

The next steps to deal with the “new normal” vary based on job roles and companies. We have created an overview with possible actions and suggestions on planning and getting ahead for upcoming phases of the crisis.

Guidance for next phases
  Short-term Medium-term Long-term
Board Members, Audit Committee Members
  • Engage with the Head of Internal Audit on a frequent basis
  • Discuss the re-assessment of the risk landscape, reviewing the focus on the risks and business processes that are critical in the crisis and moving out of the crisis
  • Approve the re-focused audit plans
  • Challenge the plans on the new operating model – what will stop, start or change moving out of the crisis?
  • Consider the opportunity to invest in the target operating model including technology
  • Continuously challenge the internal audit transformation as well as the delivery of the audit mission in the new environment
  • Continuously monitor the risk landscape moving through the various cycles of the crisis (e.g. further waves)
Head of Internal Audit
  • Engage audit committee and senior management to confirm priorities and resources available
  • Re-assess the risk landscape, priorities and resources
  • Coordinate with assurance providers and auditees and adapt the audit plan
  • Explore new ways of delivering the IA mission considering travel restrictions and resource limitations
  • Pilot test new solutions and adapt the target operating model and the approach
  • Confirm the new approach
  • Define the scale-up plan
  • Develop the IA adaptation or transformation programme and align with other assurance providers, as digital may drive integrated approaches and synergies with internal controls and risk management
  • Continuously monitor and challenge the risk landscape moving through the various cycles of the crisis (e.g. further waves)
  • Replicate and scale the new operating model across organisations as required
  • Unlock new opportunities and value driven by integrated digital approach
  • Upskill resources on the new operating model including technologies

As the COVID-19 crisis unfolds, the second objective for IA departments, once teams are safe, is to define how to fulfil their missions in the medium to long term.

It is important to take an integrated perspective on how IA will be transformed and what the new enabling environment looks like, considering:

  • limited travel
  • cost-saving measures
  • other health crisis waves
  • evolving risk landscape
  • uncertainty and unrest
  • etc

Key questions to consider when recovering your business:

  • What is my new enabling environment?
  • What does the new risk landscape look like and how is it going to impact audit activities in our organisation?
  • Are there new expectations to be considered, according to senior management and the audit committee?
  • What resources/skillsets are needed to fulfil the IA mission in the medium to long term?
  • Have we considered alternative approaches to delivering the IA mission, making the most use of digital options?

Suggested next steps to tackle the recovery phase

If you find your business moving from the response to the recovery phase of the crisis the following key considerations and recommendations might be useful to you. 

1. Stakeholder engagement & resource confirmation 2. Coordination with assurance providers 3. Delivering the IA mission in the new normal 4. Training and piloting 5. Implement
  • Engage stakeholders (e.g. audit committee, board, senior management) and confirm expectations and priorities
  • Confirm resources available and enabling environment
  • Confirm risk landscape and align with other control and audit activities within the organisation
  • Adjust the audit plan and priorities accordingly
  • Explore alternative ways of delivering IA within the new enabling environment, considering digital solutions and making the most use of experience gained from alternative approaches used in the COVID-19 crisis (e.g. remote reviews, expanding data analytics)
  • Define new target operating model(s) looking at ways to be agile and resilient as well as optimise cost structures
  • Test new solutions via pilots and adapt the target operating model to drive efficiencies ensuring all dimensions of the new enabling environment are addressed
  • Train IA teams and auditees 
  • Replicate and scale new solution and target operating model

Guidance for the next phases

The next steps to deal with the “new normal” vary based on job roles and companies. We have created an overview with possible actions and suggestions on planning and getting ahead for upcoming phases of the crisis.

Guidance for next phases
  Short-term Medium-term Long-term
Head of Internal Audit
  • Engage audit committee and senior management to confirm priorities and resources available
  • Coordinate with assurance providers and auditees, and adapt the audit plan
  • Explore new ways of delivering the IA mission considering travel restrictions and resource limitations
  • Pilot test new solutions and adapt the target operating model and the approach
  • Confirm the new approach
  • Define the scale-up plan
  • Develop the IA adaptation or transformation programme and align with other assurance providers, as digital may drive integrated approaches and synergies with internal controls and risk management
  • Replicate and scale across organisations as required
  • Unlock new opportunities and value driven by integrated digital approach

{{filterContent.facetedTitle}}

{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}
{{contentList.loadingText}}
{{contentList.loadingText}}
{{contentList.viewAllLabel}}

Contact us

Richard Thomas

Richard Thomas

Partner, Risk Consulting TIS (Trade, Industry, Services) & Internal Audit, PwC Switzerland

Tel: +41 79 816 27 00

Linkedin Follow Email
Services Assurance Consulting Corporate Support Services Deals Global Markets Legal People and Organisation Private Wealth SME and Family Business Tax Advice
Industry Sectors Energy Financial Services Government and Public Sector Health care Industrial Manufacturing Real Estate Retail and Consumer Goods Pharmaceuticals and Life Sciences Sports Business Advisory Technology, Media and Telecommunications
Today's issues Artificial Intelligence Workforce of the Future Finance Transformation Customer Transformation Cybersecurity Data & Analytics ESG: Criteria and Implementation
About PwC Contact Press Locations Organisation and Management Purpose, Values and Code of Conduct Reports Corporate Sustainability Our History Alumni
Careers Open Positions Career Events Experienced Hires Graduates Students Apprentices PwC as an Employer PwC's Career Blog
Research & Insights Our latest insights Subscribe to PwC updates Update your subscription preferences

© 2018 - 2023 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.