Recovery Checkpoint: CAEs on Current & Future Audit Priorities

Recovery Checkpoint: CAEs on Current & Future Audit Priorities

CAEs share insights, expectations, and current best practices about return to work plans, short- and long-term changes to audit operations, and continued focus on evolving risks. 

July marks the fifth month in efforts to contain the spread of Coronavirus (COVID-19). Throughout the crisis, audit professionals have adapted to novel challenges, including remote working conditions, reduced personnel, and interrupted audit plans, in addition to helping their organizations identify and address new and emerging risk areas. In a series of virtual Chief Audit Executive roundtables hosted recently by AuditBoard, audit leaders shared their concerns, priorities, and best practices being applied to audit departments as regions begin relaxing quarantine measures and some workforces begin returning to their offices. 

CAEs on Current & Future Audit Priorities

We’ve collected insights below from the three most-discussed topics covered at the roundtables, and would like to express our appreciation to the audit leaders who have shared their experiences to help progress the profession in these volatile times. 

Short-term and Long-term Changes to Audit Operations 

The ability to quickly assess, adapt, and remain flexible has been invaluable during this period, as audit departments have experienced a range of challenges from delays in recruiting to halted audit plans to layoffs and furloughs. Consensus among roundtable attendees was that their external auditors expect to perform audit engagements partially or completely remotely in 2020. Additional changes to audit operations included:

Short-term Changes 

  1. Implementing weekly touchpoints with external auditors who are working remotely to replace in-person collaboration with the internal audit team.
  2. Frequent contact points among audit teams to create seamless team communication. 
  3. Performing virtual walkthroughs with external auditors.
  4. Delaying issuance of audit findings for business owners dealing with immediate challenges related to the crisis. 
  5. Putting operational audits on hold to finish SOX work on time.
  6. Reperforming the SOX risk assessment and scoping analysis to account for a changed risk environment and changes in materiality.
  7. Increased collaboration with audit clients (through provision of self-assessments and surveys) to understand their new challenges and any material changes in performing and documenting existing controls remotely.
  8. Earmarking time in the audit plan devoted to assessing and managing COVID-19 related emerging risks, like fraud or cyber threats.

“Looking back over the past three months, I expect that a lot of us were figuring out how to strike a balance between making progress on planned audit engagements while also adapting our activities to provide the support our businesses needed. Back in March we decided to delay issuance of reports so that our people could focus on the most pressing priorities during such a challenging time. Now that some sense of normalcy has returned, we have started issuing reports again and are moving forward with our audit plan while also looking for ways to further partner with our businesses as conditions and new risks evolve.”

— Robert Kraemer, Director of Internal Audit, Dorilton Capital Management LLC

“One change we made early on was around system access — as a health system, many more of our people and healthcare providers needed remote access to our electronic medical records that they didn’t have before. We’ve also worked to make sure that we have strong controls around our purchasing processes because our purchases have changed significantly during COVID: what we’re buying, who we’re buying it from, how it’s being distributed and received.” 

— Laurie Riggs, Director of Internal Audit at Thomas Jefferson University

“We’ve already done a number of virtual walkthroughs of warehouses using communication technologies like FaceTime and Zoom as workarounds to get eyes on these locations to get comfortable with the completeness and accuracy of inventory. It’s not going to fix everything, but it does help alleviate some of the risks.”

— Ryan McGee, Director of Internal Audit at ICU Medical

Long-Term Changes

  1. Confidence in the internal audit’s ability to continue working and sustaining department operations remotely.
  2. Updating Business Continuity and Disaster Recovery plans to include the word “pandemic,” as well as steps for preparing for the next crisis. 
  3. Favoring video conferencing technology over telephone calls for touchpoints.
  4. Adoption of electronic documentation to replace manual control processes in Purchasing and Supply Chain. E.g. updating control requiring on-site signatures to a digital signature system (e.g. DocuSign and AdobeSign).
  5. Assessing ways to downscale departments while providing sufficient coverage to the board and Audit Committee (e.g. adoption of cloud-based software to replace manual control testing).
  6. Reducing broad audit plan scopes and time spent on medium and low risk areas to be able to focus on high risk areas
  7. Seeking out flexible office leasing options.
  8. Investing in individual employees’ technology infrastructure to help with the business’s efficiency (e.g. providing stipends for premium internet capabilities and phone lines).
  9. Planning for long-term remote work (e.g. considering working 90%-95% remote, having in-person trainings, investing in cloud-based audit management software to streamline end-to-end audit workflows). 

“We’re a global company, and the biggest impact for internal audit has been the inability to travel. We’re having to figure out how to get comfortable with the operations and controls environments at locations virtually — which we’ve been able to do for the most part. We’ve adapted our audit approach to split up things that can be done virtually versus what must be done in person. We’ve been working with our external auditors to prepare for possible scenarios: prioritizing key locations if we can only travel in Q4, but also discussing methods in case we’re not able to travel at all during the year.”

— Ryan McGee, Director of Internal Audit at ICU Medical

Banner image inviting you to click here to download our free 5 Steps to Strengthen Audit & Risk Practices in Response to Crisis whitepaper.

Return to Work Plans

Some roundtable attendees reported that they expect their audit departments to continue working remotely for the foreseeable future, while others had returned to the office in a limited capacity. Organizations are taking into consideration the health and safety concerns of individual employees, in addition to following local county guidelines for businesses. Transparent, company-wide communication regarding health and safety can improve and sustain morale by ensuring employees that their well-being is a top priority to the business. Best practice indicates erring on the side of caution in allowing employees to return to the office, as well as having flexibility to accommodate individual employees’ at-home working situations involving children and spouses. Additional best practices include:

  1. Leveraging company-wide surveys and return to work polls to inform the phased return to work approach.
  2. Creation of a Business Continuity task force team to manage company-wide communications regarding new policies and procedures.
  3. Working with property management to communicate new building entry protocols: temperature testing, body scan imaging, etc. 
  4. Staggering in-office hours for employees to reduce workplace congestion.
  5. Allowing employees who benefit most from on-site co-working to return to office first, in accordance with building capacity rules. 
  6. Minimize employee contact in communal areas where people tend to congregate (e.g. removing communal water coolers and asking employees to bring their own water to the office).
  7. Rethink office layout to create a more flexible work space that accounts for 6 foot social distancing.
  8. Granting employees with underlying conditions, who live with health-compromised family members, or who have other extenuating circumstances the option to remain remote.

Continued Focus on Evolving Risks

Across the board, a best practice among audit departments is frequently revisiting the ERM program to identify and address evolving risks related to COVID-19. Among roundtable attendees, fraud risk, cybersecurity, and third party risk management were the areas of most concern. Additionally, audit committees and boards are expressing greater interest in considering risk interdependencies when making decisions. Trends among roundtable attendees included: 

  1. Increased communication with the Audit Committee regarding emerging risks. 
  2. Effort to steer audit staff in becoming more fluent in the language of cybersecurity.
  3. Desire to leverage data analytics to help better assess emerging risks. 
  4. Stronger controls over Purchasing and Supply Chain processes, a business area with the greatest change in controls and processes. 
  5. Stronger controls around remote access & reassessment/validation of IT general controls to address security vulnerabilities of sustained remote working.
  6. Special attention being paid to risk interdependence by identifying drivers of high-level risks, as well as drivers of sub-risks associated with them.

“Right now we’re putting focus on the CARES Act and COVID-19 relief funds, ensuring that we have strong controls regarding documentation and management of our spend. We are also focusing on any system changes made as a result of COVID. Fraud is also a concern that is currently our radar and, as a team, we’re taking this time to look for ways to implement more data analytics to help us get insight into new and emerging risks.”  

— Laurie Riggs, Director of Internal Audit at Thomas Jefferson University  

“From an auditing perspective, the updated work plan is geared toward a COVID perspective — looking at remote access and security from an HR perspective because we have new policies around telecommuting, as well as making sure those controls are in place. In addition to uniform guidance, we’re figuring out the best approach to identify the key risks to prioritize — speaking from a healthcare perspective, for us that’s from tele-health to grants to what’s going on with The Centers for Medicare & Medicaid Services and all the different payers. Personally, I’ve invested a lot of time in the past month attending webinars to gather SME information covering COVID-19 risks. I’ve earmarked a significant number of hours in my updated plan for audits around these emerging risk areas.”

— Sandra Mozee-Smith, Director of Internal Audit at Cooper University Health Care

“A big part of my everyday has really been focused on helping the business navigate changes. In Consumer Products/Retail, our risk profile has changed a lot, and I’ve probably talked to my Audit Committee chairman six times in eight weeks. Overall, we’re keeping the lines of communication open, and keeping an eye on emerging risks”

— CAE of a Consumer Products / Retail Company

As regions shift toward recovering from the crisis, audit leaders and teams are remaining flexible and adaptable in a fluctuating business environment, while recognizing the need to create greater efficiencies through automation of key audit processes. For departments still performing audit testing manually using spreadsheets, email, and shared drives, centralizing audit data in a system of record that the organization can rely on is a key first step toward long-term departmental continuity moving forward. This creates the foundation for leveraging analytics to monitor key business risks and processes, ultimately allowing for the business to identify and respond to emerging risks more efficiently in a changing environment.

Ben

Ben Lindner, CISA, is Manager of Solutions Advisory Services at AuditBoard. An experienced auditor and PwC alumnus, Ben has spent his career consulting with some of the world’s largest organizations on the topics of audit practices, finance and accounting processes, risk programs, and SOX compliance.

Peter

Peter Hammer, CPA, is a Manager of Solutions Advisory Services at AuditBoard. An experienced consultant and Protiviti alumnus, Pete has worked to manage SOX programs and oversee internal audit and IT audit projects at some of the Philadelphia area’s largest organizations. Connect with Pete on LinkedIn.