And then came a little thing we affectionately call COVID-19. And, like everyone else, my world got turned a little wonky. As I noted in a subsequent blog post, in spite of how important I thought those risks and issues were, they seemed to pale in comparison to real-world events. Eventually, I took a break from writing this blog.
As attested to by the fact that you are reading this, I finally returned to composing these missives. And, while the world still holds much weirdness for internal audit to consider, it is also important that we not lose track of big-picture items that existed before, exist during, and will exist after the pandemic. Meaning that it’s about time I got back to the task of discussing past risks and the need for internal audit to catch up.
They are still out there, the big risks and issues that we may have missed. And they continue to have a big, if not bigger, impact on our organizations and our profession.
Don’t think so? Think they are overshadowed by current events? Let’s use a recap of the areas I already talked about to show that they are as important as they ever were. And a quick note: These areas (like the blog posts) are listed starting with what I thought to be the least of the risks first. All bets are off on that now. Take a look and make your own decisions on which is most important. But remember, it doesn’t matter which one you think is least important, they’re all still pretty darned impactful.
This has always been an important risk, the ability for an organization to recognize and be able to react to potential crises. And, when I wrote the post, I had all kinds of examples.
I guess we don’t need examples anymore; we’re living it. But that doesn’t mean we ignore this area.
In general, it seems organizations have reacted to the current crisis as well as can be expected. A big reason for this may be that none of us even know how an organization should react; there are low expectations. A worldwide pandemic has a different set of expectations than a giant oil spill (to use one of the examples I cited in the post). We think we know what an organization should do in a localized, ecological nightmare. None of us knew what anyone should do in a global pandemic and economic shutdown.
But that doesn’t relieve organizations from trying to get ready for the next crisis. It may be global, it may be local, it may just be the organization. But “things” will continue to happen. And, when our current situation begins to kind of calm down, organizations should spend time on lessons learned and putting together updated procedures for the next whatever-it-is that happens.
Yeah, we’ve all been disrupted. And a lot of that disruption relates to the previous topic. But the issue I was discussing in this blog post was disruptions in the way work is accomplished. And, yep, that one is happening, too. As I mentioned in a previous post (which I can’t find, so you’ll just have to dig it up yourself), it is amazing how many organizations that told their employees working from home was not feasible have now not only found it feasible in the time of crisis, but are seriously looking at how working from home will become status quo.
The way people work has been disrupted. And the way people buy has been disrupted. And the way people go to dinner has been disrupted. And the way people are entertained has been disrupted. And the way people are educated has been disrupted. And every way that every person does everything has been disrupted.
Change was going to happen; the pandemic just accelerated its progress. A quick example from my personal life: I had a doctor’s appointment that got pushed off a couple of times. Finally, the doctor set up a videoconference. After that experience, I would do it again in a minute. (And the rumblings I’ve heard from the medical industry show agreement on the other side of the screen.) The appointment started on time. I felt I had the doctor’s undivided attention. And I didn’t have to drive anywhere. The technology and applications were always out there. And it was starting to get traction. But now it is being adapted with lightspeed acceleration.
Every organization (at least the ones that want to succeed in the new future) will be looking at how business has changed, how they will respond to that change, and how they might take advantage to find new ways to do business. And it is internal audit’s responsibility to be there to help them succeed.
(It took me two blog posts to cover this one — here and here.) You’d think this might be an area where things slow down a little as we work our way through the crisis. But it’s still happening. Two recent examples. A U.S. Navy captain was fired for allegedly going outside accepted channels to raise concerns about the coronavirus aboard his ship. An official has filed a whistleblower complaint after being ousted from the U.S. Department of Health and Human Services. These high-profile incidents show that whistleblowers will always feel the need to come forward through nonconventional channels to bring perceived wrongs into public light.
Whistleblowing occurs in a culture of poor communication and secretiveness. But it also occurs when people are insecure — not sure what is happening around them and what will be happening next. The current situation is rife with opportunities for people to feel insecure, persecuted, and ready to blow the whistle.
Internal audit, as always, needs a pipeline of information about whistleblower activities and, when possible, needs to be involved in potential investigations. But it also needs to maintain its awareness of the culture and the pressures that are part of the organization — the culture and pressures that can foster whistleblowers.
The topic under consideration here was not the disruption that the gig economy was causing for many industries. Instead, this was a discussion on how the gig economy might impact the profession of internal audit — how internal audit needed to look for opportunities, but also look out for the new things that might be creeping up from behind.
Now, many players in the gig economy are taking a big hit, mainly because they are primarily involved in personal-interaction services. And we’re not hearing a lot of discussion around this area anymore. This may well be one of the few areas in this list where internal audit can back off and not focus too much attention. But neither can we let our guard down.
And, there they are, the topics we were talking about before everything changed. And the interesting thing is that these risks and issues generally became even bigger risks and issues.
Trust me. There were no Nostradamus-like skills involved on my part (other than to speak in obscure phrases that can be interpreted to fit any situation). These are simply the risks, events, and issues that have always been out there. But, to my original point, I think they are areas to which internal audit should have paid more attention. The current situation seems to be bearing this out. And that means they are areas where we can still provide value.
Coming up, I’ll begin going through the rest of that list I compiled a couple of months ago. And, like the ones we just covered, the rest of the list contains areas that are as important as they were when the list was first conceived.
I promised this once before; I’ll promise it again. Next time, technology. And internal audit continuing to break the promises we make to ourselves.