Impactful Internal Audit – Post Lockdown
Role and position of Internal Audit function in an organization is going to witness major changes post Covid 19 as its working environment and expectations are likely to change significantly. This article is intended to highlight the ways internal audit can upgrade itself to effectively add value across the organization and maximize its influence on the company in a sustained manner. There is an attempt to outline key change drivers which the organizations must focus to prepare themselves for tomorrow. |
Once the business opens after lockdown, there is a definite and significant change in the expectations from Internal Auditors (it is only going to rise) as organizations themselves will be finding themselves working in a changed environment – economically, logistically, demographically and most importantly – technologically.
When companies are feeling the pinch of fast changing business methods, regulations etc. there is opportunity for Internal Audit (IA) to identify and help companies in managing the transition.
There is a challenge for the IA function itself. To be able to provide enhanced value, IA must innovate and find opportunities to challenge the status quo to reduce risk, improve controls, and identify potential efficiencies and cost benefits across the organization. Key areas to be focused are:
- Automation
The need for automation of certain (operational) activities is not felt more than today. One such use of automation is in the field of healthcare – patients being served by robots instead of humans. This automation is coming in production in a big way.
Whether manually or automated, entities must be aware of the risks and governance responsibilities. It is more important in automated environment as a failure here will hit the company with more speed and ferocity than in manual environment.
Well defined automation guidelines help a company in meeting its governance, risk, controls, and compliance requirements.
Role of internal audit:
- Examine matching of automation with key goals of the company
- Evaluate appropriateness of the process for automation and the plans to deal with gaps.
- Whether cost benefit analysis is giving favorable results (on strategic objectives)
- Methods of training on automated functions to fully grasp risks
Management Focus:
- Obsolescence of conventional methods due to automation.
- Increased spending on innovation by leaders of respective industry
- Widespread use of robot in daily operations
- Data: Protection and Usage
More and more transactions and communication are being done (especially during lockdown) online leading to unprecedented volumes of data and information. Companies are trying to figure out optimizing the value tremendous amount of data housed in the business environment, ensuring proper controls around the use and storage of data is critical. Effective governance of such voluminous data enables a top-down, enterprise-wide view of the data.
IA needs to perform dual role regarding data – firstly that of ensuring data safety and secondly effective usage of data for audit activity.
Role of internal audit:
- Better use of data analytics in risk assessment process (alongwith direction of changes).
- Incorporate digitalization the process of auditing
- Support the management in drafting policies and processes of data governance
- Identify security gaps in data management
- Support in standardization of MIS report especially on CSA areas.
Management Focus:
- Evolving business demands for huge data
- Enhanced regulatory data requirements
- Usage of mass data management technology and methodologies to improve audit quality at reduced audit costs, and wider audit scope
- Real-time identification of risks with data
- Change in Technology
To sustain in the Covid 19 scenario, there are many experiments being done and technology is being adopted in haste. Companies are considering technological advancements without proper assessment of suitability for their business nature and target customer. These changes in technology would have huge impact on companies which is likely to continue in foreseeable future. In most cases, the technological transformation is forced onto the organizations.
Role of internal audit:
- Check alignment of existing and planned technology changes with broader goals of the company.
- Examine effectiveness of new system implemented in terms of its contribution to company goals
- Timely assessment of control environment in high-risk areas
Management Focus:
- Find key areas for any technological changes
- Create a realistic technology change plan
- Avoid outlay on unwarranted technology
- Cybersecurity
With uninterrupted connectivity needed today, cybersecurity is an extremely important area to not loose focus. For instance, in the Work from Home scenario, lot of office meetings and files exchange is being done on platform like Zoom, Microsoft Meeting etc. Many concerns faced recently have increased attention paid to cybersecurity issues (like changes in the cyber threats, frequent changes in technology, new regulatory requirements, changes in society and corporate environment and enhanced competencies and techniques used by hackers.
Role of internal audit:
- Examine comprehensiveness of entity’s cybersecurity risk assessment, the processes and controls deployed for risk mitigation, and provide realistic recommendations
- Evaluate effectiveness of technology security arrangements – working on prevention or detection
- Review effectiveness of trainings the employees for a comprehensive cyber protection framework
- Evaluating the extent to which third-party security providers can address completely and sufficiently the most current risks
Management Focus:
- Proactive identification of cybersecurity threats and their possible impact on the organization
- Need to avoid costly implications of data breaches (like investigations, fines, responsibility for customer losses, diversion of time / focus of management and loss of customers / business
- Availability of the organization’s cybersecurity program and preparedness accordingly
- Protecting intellectual property and other key information
- Regulatory Compliance
Under the regime of NDA, we are seeing a trend towards more regulations and implementation of old laws. Also, global regulations in other partner countries are impacting local companies. Companies operating in India are required not only on Indian Law but also on global regulation to remain focused on maintaining compliance standards.
On one side, new laws and regulations are being developed and updated; on the other side, compliance is getting expensive. As such there is need for internal controls to manage the regulatory risk effectively. It is not wrong to say that there is enhancement in cost of compliance as there even more severe impact of non – compliance.
Role of internal audit:
- Review the list of regulations applicable on the company and its readiness for their compliance
- Examine the compliance activities are integrated with regulatory requirements of other companies under the group
- Examine instances of significant non-compliances to evaluate effectiveness of the mechanism for reporting / escalation of non-compliance issue
- Evaluate appropriateness of compliance trainings provided to employees
- Review the mechanisms in place to ensure compliance with data regulations
Management Focus:
- Ensuring compliance with increasing number of regulations, both domestically and abroad
- Mitigating the increasing costs of complying with an ever-growing number of regulations
- Developing a strategy to lessen the restraining effects of compliance on business operations
- Ensuring compliance operations are aligned following a merger or acquisition
- Dependence on Third Parties
Companies are increasingly relying on third parties to carry out vital business functions. For instance, during lockdown, restaurants are fully dependent on delivery channels owned / operated by third parties. However, engaging third parties exposes the companies to new risks and potential compliance failures translating into fines, lawsuits, operational bans and reputational damage.
Role of internal audit:
- Review the process of engaging and managing third-party
- Assess contract management processes
- Examine compliance to regulatory requirements related to and by third parties
- Regular audit of third parties
- Help implementation of Control Self – Assessment mechanism for third – parties
- Review the compliance of third-party contracts
Management Focus:
- Risks of engaging more third – parties
- Net incremental profit
- Improvement in contract and vendor management
- Creating effective CSA
- Prevent or timely detect risk management failures at third – parties
- Trade Restrictions
Protectionist trade policies poses a significant risk to businesses. For quite some time, China and US were engaged in a tit-for-tat over the trade competitiveness through tariff.
In latest development, the Chinese Government is not permitting teams to visit Wuhan Lab and WHO advocating for China had complicated the matter and giving a basis for US to protect its industries even more. Expected exodus of companies from China may take any turn to the situation.
Added to this burden is an increase in trade sanctions (selective as well blanket) that carry heavy penalties (like on Iran). As the world’s two biggest economies face off with tariffs and continues and added with Covid -19, global economies will inevitably feel the squeeze and shifts.
Role of internal audit:
- Examine the company’s compliance and procurement function and assess impacts on market pricing and competitiveness
- Assess the process of evaluating strategic decisions and reacting to political risks
- Examine whether the operational impacts on the supply chain are being considered
Management Focus:
- Inter-national trade scenario especially the sanctions by US or WTO on countries like China
- Status of suit filed by US on China regarding loss incurred due to spread of Covid – 19
- Possible escalation between China and Russia
- Other political disputes having significant unintended consequences that go beyond paying heavy penalties for non-compliance
The above is for general discussion purpose only. Please contact RNM for any organization specific issues and solutions.
Sovan Singh, Partner – Internal Audit, RNM