Skip to content Skip to footer

Loading Results

Four ways internal audit is responding to COVID-19

When faced with COVID-19, internal audit executives may understandably feel they’re in uncharted territory. Companies are dealing with an avalanche of new challenges — which demand rapid responses in an environment that changes by the hour.

In these challenging times, internal audit executives have both an obligation and an opportunity to help their companies manage the most critical risks COVID-19 has either created or magnified. While business leaders juggle the dual imperative of crisis response and operational continuity, internal audit executives can help them weigh risks and opportunities to inform their decisions.

The following four guidelines, which are part of a broader collaboration with risk management and compliance, can help internal audit maximize its contribution to the COVID-19 response. 

Redirect your risk expertise to COVID-19 priorities.

  • Directly connect with your company's COVID-19 response team to:
    • Help stress-test operational risks and potential vulnerabilities in light of COVID-19; then offer insights to help mitigate these risks.
    • Help confirm that the response team is rolling out and executing its actions appropriately, effectively and swiftly.
  • Evaluate the emerging risks of newer operating models and business practices and redirect your attention to the most time-sensitive risks.
  • Understand COVID-19’s impact on your industry and business. A COVID-19 Navigator can help you quickly connect with other key departments, so you can work together to assess existing and emerging COVID-19–related risks in key areas such as these:
    • Crisis management and response should look at increased cybersecurity threats, greater network connectivity needs, and increased VPN or mobile device usage as more employees work remotely.
    • Workforce disruption may go beyond health risks to possible impacts on productivity, collaboration and adherence to company policies, as employees who now work from home may face new stress.
    • Operations and supply chains may face disruption, possible declines in quality or availability, and new third-party risks.
    • Finance and liquidity challenges may arise from revenue shortfalls, debt servicing requirements and rising customer credit risk. This may require changing SOX processes and controls.
    • Tax and trade is dealing with immigration issues, the implications of shifting business or suppliers to different jurisdictions, and the potential need to change the organizational structure.
    • Strategy and brand may be affected by your response to the COVID-19 crisis, which may require changes in long-term plans, while defining your brand for years to come.
  • Help manage regulator expectations by coordinating with the appropriate stakeholders.
  • Provide leadership and support for compliance frameworks, processes and control activities for COVID-19–related non-traditional funding or stimulus funds (including the COVID-19 CARES Act).
  • Reprioritize internal audit activities to help enable you to answer key questions, including:
    • Which in-flight projects do we need to halt?
    • Which projects can we conduct remotely?
    • Which projects should we postpone because they are no longer relevant or practical?
    • Which projects are mandatory to meet regulatory requirements, and which can we defer if needed?
    • Which projects should we add or accelerate in order to address the new business and risk climate? 

View more

Identify new delivery models and ways to add value and mobilize accordingly.

  • Reimagine how teams will stay connected. In addition to health and safety, everyone needs human connections, especially when dealing with COVID-19’s psychological impact.
  • Prioritize relevance, speed and flexibility in addressing risks — both new and ongoing — while operating virtually. This may likely require:
    • More proactive reviews and advisory projects to add real-time value
    • Accessing outside expertise in specialized risk areas
    • Soliciting more stakeholder input and feedback.
  • Encourage innovation through flexible new ways of working to the degree your business can support this. You should also begin by:
    • Turbocharging data analytics to increase insights and assurance virtually and with less business disruption
    • Applying analytics and virtual collaboration tools to conduct end-to-end projects
    • Relying on self-service for access to data and records.

View more

Proactively communicate with both management and audit committee stakeholders.

  • Articulate the potential impact of COVID-19 on your business, risk assessment and audit response.
  • Share emerging risks that you identify to help the company manage or intentionally accept the risks. Also share how you are altering your focus and approach to help address these risks.
  • Communicate how you are changing your audit plans. Be transparent about the limitations you face, but also use this opportunity to ask yourself if you could do more to adapt your plans, find innovative ways to execute or help in new areas.
  • Identify and explain the value of your proposed new projects or activities. Common examples of value include providing real-time feedback to management, mitigating potential for misconduct and enabling regulatory compliance.

View more

Redirect any short-term excess capacity to activities that will help the business and your department at a strategic level.

  • As you help your company navigate the COVID-19 disruption, your team members may be redeployed to other areas that require assistance. In such a case, you may have no excess capacity.
  • However, you may also find that COVID-19’s imperatives constrain some business areas from fully participating in audit activities and responding to requests. Then you may have short-term excess capacity that allows you to add new internal audit projects, if appropriate. If not, you should consider redirecting excess capacity toward long-term goals such as:
    • Automation/digitization of workstreams
    • Digital upskilling and training
    • Methodology transformation, using data and technology
    • Strategic transformations to reduce costs and improve compliance for departments that perform SOX testing.

View more

A stronger, more valuable Internal Audit team

The times are difficult, but internal audit’s potential contribution is enormous: helping to provide a trusted risk perspective during these weeks and months when critical risks are both rising and changing quickly.

In developing your response to this crisis — knowing the fluid environment requires you to continually reset priorities — keep your eye on the medium- and long-term future. At some point, a new business-as-usual environment will emerge. If internal audit provides critical guidance now, while also preparing for that future, it will emerge as a stronger team, providing even greater value to the department and the business.

Contact us

Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

John Sabatini

Managing Partner, Cyber, Risk & Regulatory, PwC US

Todd Bialick

Digital Assurance and Transparency Leader, PwC US

Tom Snyder

Financial Services Cyber, Risk & Regulatory Leader, PwC US