Transforming IA during the pandemic

Suits the C-Suite

By Christiane Joymiel Say-Mendoza, Pia Isabella Pagdanganan, and Meleusipo C. Fonollera

The COVID-19 pandemic caught the world off guard, adversely affecting peoples’ lives and businesses on an unprecedented scale. According to the EY Global Risk Survey in 2020, four out of five of companies’ board members and CEOs across the globe said their businesses were not well-prepared to face the pandemic crisis head on.

Companies have been employing various, often reactive actions, and even alternative methods to address the growing concerns impacting their businesses. These add pressure as they try to keep their business operations afloat. Furthermore, it has dramatically changed the risk landscape and given rise to new risk hot zones:

Health, safety and mobility: The community transmission of the virus poses a huge health risk. This immensely affected the life and ways of working for customers, business owners and employees as their mobility becomes limited.

Macroeconomics: The health crisis crippled the global economy. Supply chains across countries remain stressed, disrupting both demand and supply.

Cybersecurity: The lockdown has forced people to work remotely and connect virtually. The spike in use of technology and cyberspace opens cracks for cybercriminals to hack, phish and even infect vulnerable IT networks and infrastructure.

Compliance and stakeholder perception: The pandemic has caused governments to implement urgent measures and programs to fight the novel coronavirus, disrupting various industries. This event has further challenged companies to fulfill their obligation to issue fair disclosures to their stakeholders and maintain their societal brand and reputation.

These disruptions open opportunities for the company’s Internal Audit (IA) function to play a pivotal role as companies are challenged to successfully steer a course towards survival and growth amidst the pandemic.

IA can build trust by exhibiting reliability and continuing to be engaged as co-stewards of the company. It presents a real opportunity to collaborate with other business functions and enable company continuity. This can be achieved by being at the forefront of this pandemic through rapid assessments to identify focus risk areas; being agile in engaging and responding to stakeholder needs; and the continuous monitoring of the pandemic risks and impact on the company.

ACTIVATING IA AS A TRUSTED BUSINESS ADVISOR
IA is in a unique position as its experience allows it to assist in evaluating and managing internal and external business risks in the changing risk landscape. It can provide strategic business continuity advice, acting as consultants and crisis managers. It can start assessing business readiness on the new risk hot zones and potentially identify other risk areas.

Results of the assessment can be used to further understand the current impact of the disruption, foresee upcoming impacts that the disruptions may bring about, and plan how to appropriately respond to ensure public safety, business continuity and social responsibility.

LEVERAGING COLLABORATION TO DRIVE CHANGE
IA is a key contributor in defining the necessary actions that key stakeholders should consider in addressing new threats as a result of the “new normal.” Constant communication is critical to keep key stakeholders aware of and aligned with plans despite the continuing uncertainty.

IA can have more frequent, real-time discussions with the Audit Committee and Management to provide real-time advice on escalating risk focus areas, including critical action plans that they can consider taking.

As governments apply strict social distancing guidelines and curtail travel, IA can assist businesses and provide advice on adjusting to a remote work environment, such as how usual controls can be executed or mitigating possible changes in roles.

It is also a good opportunity to proactively engage and collaborate with external auditors to discuss the impact of the situation, especially for some procedures that may need to be performed differently due to limited face-to-face interaction.

ADVANCING TECHNOLOGY TO ANTICIPATE EMERGING RISKS
IA can implement a process supported by data analytics and technology to continuously monitor emerging risks. This will open avenues for key stakeholders to collaborate within various business functions. It will also be able to determine areas in their critical processes to stress-test and proactively identify resiliency plans and crisis protocols that can support sustainability of business functions.

STEP CHANGE: NOW, NEXT AND BEYOND
As companies slowly regain momentum to address the impact of the pandemic and prepare for their new normal, there is increasing pressure to reprioritize company resources and drive spending where it matters most.

NOW
IA as a function is called on to adapt to disruption by being more innovative and dynamic in its approach. There is a need to reassess audit priorities and expand the IA lens to clearly evaluate the impact of the pandemic on the organization’s financial, IT and operations risks.

IA can invigorate decision-making as IA resources can be repurposed to directly support the business by providing real-time advice on crisis management, business continuity, cybersecurity issues, employee well-being, brand protection and working capital management.

It is also a good opportunity for IA to proactively revisit control design changes and discuss internal control focus areas. In particular, key controls on processes such as inventory count or financial close may need to be performed remotely because of social distancing requirements, or in the event that the individual executing the control is ill for an extended period.

NEXT
Audit scope may shift focus to escalating risks such as data privacy and information security, liquidity and working capital, employee health and well-being, business resiliency and regulatory changes. As IA reprioritizes the audit plan, it needs to assess whether IA resources have the right skills, methodology and technology to enable them to execute its work.

IA work can be continued, but with considerations on cost and the least disruption to the business. With the possibility of an extended economic downturn, more IA departments may face budget cuts. Hence, IA will need to find innovative solutions to enable them to do more with less. It may also consider performing analytics-based procedures which can be performed remotely, or leverage on third party IA service providers as subject matter experts for audits where IA either does not have expertise yet or are in locations currently restricted in lieu of on-site audit procedures.

BEYOND
Chief Audit Executives (CAEs) should continue to innovate their ways of working and interaction with key stakeholders. Short sprints and focused, real-time reports may replace traditional detailed reporting. Internal auditor requirements may also need revisiting as the need for data analysis and automation skills increases while on-site procedures decrease due to social distancing protocols. A flexible workforce structure can also be considered, such as the use of third-party resources, developing an offshore workforce and enabling business rotations to give access to the right subject matter skills at the right place and time.

CAEs must examine their efforts to transform their organization through a new lens with renewed motivation and optimism. IA should continue to act in an advisory capacity to the business to address escalating and emerging risks upfront. As companies face difficult budget decisions, having an IA function that is viewed as a trusted business advisor is key in withstanding tightening budgets and workforce reductions.

While there is no one-size-fits-all solution, CAEs as leaders can be catalysts for change in defining the new normal. The question is, in a world of uncertainty, will they just watch the events unfold or will they have the resilience to reimagine and reinvent the future?

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Partner Christiane Joymiel Say-Mendoza, Manager Pia Isabella Pagdanganan, and Manager Meleusipo C. Fonollera are from the Advisory Service Line of SGV & Co.