Internal audit (IA)
The impacts of COVID-19 are being strongly felt in the areas of IA and cybersecurity.
The changes in working practices and organisational arrangements required in response to COVID-19 introduce a range of new or heightened risks, and they also have the potential to disrupt existing systems of internal control in significant ways. This creates a need for agile IA functions that can continue to deliver their services through remote working, minimising the disruption to, and maximising the value of, the IA activities carried out by management and teams across the organisation. IA must stand with the business and provide the support it needs to deliver its services in a safe, secure, and trusted way.
Remote working, greater dependency on technology, and more online interaction bring an increased exposure to cyber threats. As more information and data is transmitted online, and fewer on-site support systems are readily available, IT management must be ready to provide the safeguards and support required to ensure that cybersecurity, data protection, and IT operations controls are not compromised, particularly while they are more exposed to external threats than usual.
As the duration of the present circumstances remains unknown, a number of critical areas will need special attention.
Key Questions to Consider
- What options does your Head of IA have to conduct audits, fulfil the remit to stakeholders, and keep the IA team safe?
- How have you adapted your operating model to continue delivering on your IA mission?
- How do you maintain continuous and efficient interactions with IA stakeholders?
- How do you manage remote working?
- How do you manage any resource and competence shortages?
- What technological solutions are in place in order to provide the organisation with a secure and seamless remote working environment?
- How has the IT team been structured and assigned so that they are able to effectively operate their IT support and control functions remotely?
- Are there sufficient safeguards in place to ensure that all remote working services and transfers of data are not compromised?
- How do you plan to manage the effectiveness of the controls of your third-party providers and the security surrounding your data and services if those providers have also been impacted by the COVID-19 disruptions?
Key Focus Areas
- Safeguarding the IA mission: the IA mission must be maintained (in terms of the regulatory requirements and the IA charter) or, at the very least, be refocused on the critical items.
- Conducting virtual IA reviews: use PwC technology solutions to conduct virtual reviews that assess the general control environment of the organisation, then use the results to determine where deep-dive on-site audits should be conducted.
- Keeping IA staff safe: most IA engagements are performed on-site. The current circumstances may prevent engagements from being executed as initially planned, jeopardising the traditional ways of delivering IA.
- New types of risk: organisations may face new types of risk, so the risk assessment and audit plan will need updating and will require IA attention, even though IA departments may lack the bandwidth and competences to address those new risks.
Risk management
Risk Management functions, whether in the business or in the control functions, are at the heart of current crisis management efforts. Boards of Directors, management, regulators, clients, and other stakeholders expect up-to-date information about the risks that companies are exposed to, as well as the effectiveness of the measures that have been taken. Timely risk reporting is critical to timely decision-making, and it has been a weak point in past crises.
At the same time, Risk Management organisations have also been impacted by the crisis. You may be experiencing restrictions in terms of remote working, with reduced workforces, and technical disruptions or increased work volumes. We recommend identifying and ring-fencing the services that are critical to protecting your organisation and meeting your regulatory expectations.
Key Questions to Consider
- Do you have any mechanisms in place to increase the frequency of your reporting – to regulators, to the Board, and to management? Are you able to produce ad-hoc reports at short notice? What manual workarounds do you have in the event of any system disruptions?
- Do you have access to up-to-date Key Risk Indicators (KRIs)/Key Performance Indicators (KPIs) that display what is happening in your areas of responsibility?
- What is the workforce situation in relation to your critical services? What cross-staffing options do you have? What about your leadership options?
- Are there any projects, initiatives, or other activities that can be deprioritised?
- Do you have KPIs for monitoring the increased volumes coming from the first line (the front office) and the control backlogs building up in the second line of defence?
- Are you in contact with any of your key regulators? Have you established any working protocols and escalation points?
Key Focus Areas
- Risk reporting: stakeholders such as regulators, the Board, and management expect up-to-date risk information in order to make informed decisions.
- KRI review: crisis situations increase risk and require a clear mechanism for scanning the risk horizon for red flags, so that management can monitor changes in either the impact or the likelihood of the key risks occurring.
Compliance
Organisations in regulated industries must continue to meet their regulatory requirements and honour the commitments they have made, even while impacted by COVID-19. At the same time, compliance organisations have themselves been affected: they may be experiencing restrictions on remote working, reduced workforces, technical disruptions, or increased work volumes.
Organisations were already struggling with a complex regulatory environment and spending heavily on compliance, yet compliance failures remained commonplace. Now is the time to look for cost-saving opportunities and to be more open to technology-led solutions.
Key Questions to Consider
- Are you able to detect trends quickly, such as a rise in alert volumes?
- Are you reliant on service providers for critical services – technology platforms, for example, or external providers for surveillance activities?
- What is the workforce situation when it comes to your critical services?
- What cross-staffing options do you have? What about your leadership options?
- Are there any projects, initiatives, or other activities that could be deprioritised?
- Are you in contact with your key regulators?
- Have you established working protocols and escalation points?
Key Focus Areas
- Regulatory affairs: in times of crisis, regulators may increase supervision, while organisations may lose focus on their regulatory commitments.
- Compliance with deadlines: assess the processes and controls for managing compliance with legislative and contractual timeframes, and/or the client service KPIs for regulatory reporting and legislated customer service obligations.
- Project health checks: review your projects to assess the likely impact of COVID-19, checking the contingency arrangements for the critical path to project delivery and assessing the ability of third parties to deliver as per their contracts.
Third-party risk management
Organisations that depend on their vendors and suppliers delivering in compliance with their requirements are likely to be impacted, as third-party providers may be dealing with remote working arrangements, supply chain interruptions, distribution delays, service-level instability, and many other potential developments.
With the standard tools, software, and processes left unchanged, it may not be possible to obtain the critical information needed to monitor third-party compliance. Those tools may prove inefficient or insufficient in the depth, scope, and frequency of information that is likely to be necessary.
As the duration of the present circumstances remains unknown, organisations should focus their scrutiny of third-party compliance on critical points of failure.
Key Questions to Consider
- How do you monitor third-party compliance?
- Have you adapted or defined any new levels of financial, operational, and internal controls compliance for your third parties?
- How do you plan to maintain lines of reporting with your third parties at the required frequency?
- Have you established new protocols in order to escalate third-party compliance failures?
- Do your existing processes and tools allow you to collect timely and structured information across all of your third-party providers?
- How do you plan to manage resource shortages and remote working?
Key Focus Areas
- Financial health and resilience: the economic cost of the crisis is steadily increasing, and the financial health and resilience of your critical vendors and suppliers remains as important as ever.
- Compliance with your requirements: your organisation's third parties are likely to be facing the same internal control challenges, which may in turn affect their ability to comply with their contractual terms and conditions.
- Business continuity resilience (cyber and operational): with employees having to work offsite, some of your third parties may have to suspend non-critical operations and deploy workarounds, and the key control owners you typically interact with may become unavailable.
Cybersecurity
The PwC Cybersecurity team has been closely monitoring the evolving COVID-19 situation and taking part in a number of conversations with clients from various industries.
Many companies are now allowing their employees to work remotely from home, and have therefore expanded or set up the required IT infrastructure. Unfortunately, these circumstances, a consequence of the coronavirus, also present a good opportunity for attackers to target your IT infrastructure.
Key Questions to Consider
- Do you have sufficient VPN capacity, and is the VPN securely configured?
- Have you increased the monitoring of your IT system and network security?
- Have you installed advanced anti-malware solutions on your servers and endpoints?
- Have you applied the latest software patches and hardened security configurations?
- What actions have you defined in the event of increased phishing activity from outside the organisation?
- Do you have a clear overview of the access rights that your remote working employees have?
Our observations indicate that the following areas may be affected by COVID-19. Reviewing each of them will help you manage your IT infrastructure and reduce the likelihood of a successful attack:
- Remote working technologies;
- Business Continuity Management/Disaster Recovery Plans;
- Access Management Plans;
- Phishing and social engineering attacks;
- Anti-malware/Anti-ransomware solutions;
- Software patches and vulnerability management; and
- Incident Response Chains.
Business continuity
The impact of the current uncertainty on business is complex. The dynamic spread of COVID-19 and the uncertainty about the developments ahead are making this a difficult period for everyone.
For most organisations, the existing working schedule was designed to focus on the key risk areas and the accompanying system of internal controls in a Business as Usual (BAU) scenario.
As the duration of the present circumstances is still unknown, organisations should focus their attention on their business continuity plans, and identify opportunities for recovery.
Key Questions to Consider
- How will you identify and prepare for events that are likely to disrupt your business activities?
- How will you reduce the impact of any business interruptions?
- How will you improve your recovery times?
- How will you address your operational continuity and contingency plans at times of emergency?
- How will you identify any weaknesses and unidentified impacts resulting specifically from COVID-19 (relating to supply chains, staff availability, customer demand, etc.)?
Key Focus Areas
- Undertake a review of Business Continuity Plan (BCP) arrangements, conducting a critical analysis of the BCP plans for weaknesses and unidentified impacts resulting specifically from COVID-19 (relating to supply chains, staff availability, customer demand, etc.). This could involve simulating various contingency scenarios in order to 'stress test' the continuity plans and assess their likely impact on the associated processes and controls.
- Undertake contingency planning by mapping the key processes and controls under a BAU scenario, and considering the impact of any potential changes to these controls under various contingency scenarios.