Mind of Jacka: ​The Risks They Are A-changing

You see, I had quite the diatribe all worked up about how internal audit was reacting to this new world that none of us saw coming. The internal audit literature regarding the impact and reactions to the pandemic seemed to focus on three areas.

First, there was a lot about how to manage remote workers and how to do audit work remotely. An extremely important subject, to be sure. I couldn’t fault anyone for that.

Second was a lot of information on the same hoary risks that were being bandied about before the crisis. (“Cybersecurity!” he coughed loudly.) As Loggins and Messina once sang, it was the same old wine in a brand-new bottle.

Finally, there were discussions around subjects, such as business continuity, which, while important, seemed to smack of horses and barn doors and the closing of same well after the incident had occurred. They represented information that was either too late or better suited for discussions surrounding lessons learned — discussions that needed to wait until things calmed down a little.

What I did not see was internal audit reacting to what I perceived to be the biggest issue. The world had changed; the risks had changed. And internal audit needed to be involved in associated re-evaluations of risk, audit plans, and how best to support the organization. It appeared to me that Internal audit was not making the necessary zigs and zags. And that was the topic on which I was going to spend 1,000+ words.

Thank goodness that, before I made a fool of myself, I saw The IIA's Audit Executive Center Knowledge Brief, COVID-19 Impact on Internal Audit (PDF). This contains the results of a survey related to how internal audit departments changed their risk assessments, audit plans, staffing, and budget. The report revealed that my restricted perceptions of what was occurring were incorrect.

You should read the report yourself; never trust the interpretations of others when the relevant facts are handy and easily digested. But let me share some of the things that made my cold, dark, internal auditor heart soar.

As noted, my biggest concern was that internal audit was not adjusting its perceptions in light of new risks and issues. Got that one wrong. When asked how internal audit was addressing risks related to COVID-19, 75% of respondents said that audit plans had been updated, 67% said emerging risks were being identified, and 57% said they were reviewing risk assessments.

More than half of internal audit shops surveyed see the world is changing, and recognize that the risks identified as recently as two months ago may no longer be relevant. They are adjusting their work in response to that change.

More stats: When asked how internal audit was adjusting audit plans, 56% responded that they were discontinuing or reducing scope for some audit engagements, and 48% were canceling some audit engagements. Further, 39% were adding new audit engagements, and 15% were increasing the scope for some audit engagements. (I like those last two; it says to me that new risks were being recognized and additional work was being done because of them.)

Some of the percentages may seem a little low, but all provide evidence that some audit departments are acting like audit professionals and partners in the success or failure of their organizations.

One example of that partnership shows up in an unexpected place. Nearly 40% of audit departments redirected audit staff to do nonaudit work. We can’t be sure exactly what that means, but here’s one story. A couple of weeks ago, I was talking with a friend whose audit department was effectively doing quality assurance work. I started to go off on a lecture about being the control when I suddenly realized it didn’t matter. We are in a time of crisis. And if the best support internal audit can provide means a temporary bending of the guidance related to internal audit, then that is the right thing to do. Internal audit must help the organization through tough times and focus on what is important, not on a slavish adherence to promulgations, principles, and standards.

All these results are a positive indicator that, not only are internal audit shops responding to the evolution of risks, but they are seeing the bigger picture and actually acting like the professionals we all want to be.

I’ll only throw one caveat into all this. There are still a lot of questions behind the answers in this survey. For example:

• What was included in those risk assessments?
• Did they take into account the impact to the organization of an increase in remote workers?
• Has responsibility been assigned for ensuring new customer channels are properly monitored?
• Have guidelines been established for those who still meet the public?
• Have guidelines been established for those working remotely?
• What preparations are being made for when things calm down?
• Has anyone looked at the opportunities inherent within these new situations?

Obviously, such questions are beyond the reach of this simple survey. But they are questions you may want to be asking to ensure your organization is appropriately approaching the new risks.

Ultimately, the results of this survey are good. And they are evidence that when our profession professes business acumen, agility, and the desire to provide value, we are not just blowing smoke. And, in this somewhat dark time, this survey also shows that we can be pretty darned good at what we do.