job Kontroll og sikkerhet

Internal Audit and Pandemics

Internal audit can play a vital role in pandemics from two perspectives. Read IIA Australia's fact sheet on internal audit and pandemics.

A factsheet from IIA Australia.

What’s a pandemic?

The word ‘pandemic’ comes from the Greek words ‘pan’ meaning ‘all’ and ‘demos’ meaning ‘people’. A pandemic is an unstable disease epidemic spread across a large geographic area. The world has experienced disease pandemics such as smallpox and tuberculosis. One of the most devastating pandemics was the Black Death plague which killed an estimated 25 million people in the 14th century. Other notable pandemics were the 1918 Spanish flu pandemic which is estimated to have killed 50–100 million people, HIV/AIDS in the 1980s, Severe Acute Respiratory Syndrome (SARS) in 2003, and the 2009 swine flu (H1N1) pandemic. The 2019–2020 coronavirus (COVID–19) outbreak is the world’s most recent pandemic and its impact is potentially more severe than other pandemics because people across the world, economies, communications, travel and supply chains are more connected than ever before.

How are internal audit and pandemics linked?

Internal audit can play a vital role in pandemics from two perspectives.
Firstly by:

  • Auditing the organisation’s business continuity, crisis management and pandemic preparedness.
  • Auditing the organisation’s cash management practices to assure there is a cash reserves policy and minimum cash holding limit in place to see the organisation through an unexpected crisis.

Secondly by:

  • When an unforeseen crisis such as a pandemic occurs, provide immediate internal audit services to the mitigation, and then later to the return to business-as-usual effort.

Pre-pandemic – auditing business continuity and pandemic preparedness

When internal audit prepares its risk assessment leading to the risk-based internal audit plan, business continuity management is invariably a topic to be considered for inclusion. Given the importance of business continuity management, this will generally be audited regularly. It is important to make sure crisis management and pandemic planning are included in the audit scope.

When the audit is performed, it should identify whether sufficiently robust crisis management and pandemic planning is performed by the organisation or whether it is a cursory effort, which is what many business continuity plans feature. It should also ensure that planned changes to business practices during a pandemic would actually work in practice, for example whether ICT system and broadband capacity can realistically cope with a dramatic increase in staff working from home. Business impact analysis should also be challenged by internal audit to assure the right systems would continue to be accessible and the defined maximum acceptable outages are realistic.

Testing of various disaster scenarios should periodically occur, including for pandemics. Internal audit can be involved as an observer to scenario tests and contribute improvement suggestions.

Management actions to remediate business continuity shortcomings identified by audits and routine scenario testing should be rigorously followed-up, and regular reports made to the senior management group and the audit committee.

When a pandemic occurs

The COVID–19 pandemic has all the ingredients to send many organisations to the wall and the resulting fallout may mean many employees lose their jobs, with the community experiencing diminished services and rationing of goods. Many organisations, in particular small businesses, may never recover. For many organisations the situation can quickly become dire.

When a crisis unfolds, organisations need to have access to sufficient cash to survive. How long can the organisation pay its employees, rent, leases and other regular payments? What action needs to be taken to ‘sure-up’ its liquidity? At what stage would the regulator, financial institution, suppliers and other stakeholders need to be informed if the ‘going concern’ test is coming close to the wire?

The opportunity is there for internal audit to respond to pandemic risk through a number of avenues:

  • Suspend work on the internal audit plan
    There are two reasons for this. Firstly, at the time of a crisis the internal audit plan formulated months or years previously is unlikely to be front-of-mind or even seen as important by the audit committee or management. Organisation survival would be the paramount consideration. Secondly, the organisation would be best served by internal audit stepping back temporarily and giving business units breathing space to get on dealing with the crisis.
  • Identify high risk–high priority issues
    Facilitate a risk workshop to help management determine the most pressing issues that need to be addressed. Examples include contact centre capacity, customer complaints, current and liquidity ratio management, sufficiency of cash resources, debtor and creditor management, likely financial projections, supply chain certainty and alternatives, red tape reduction, critical compliance obligations and staff wellbeing.
  • Tell management you’re there to help
    Make management aware the internal audit team is available to help. Make it clear at this time it is not to get in the way by performing traditional audits. Examples may include frontline customer-facing roles to fill gaps, forward planning assistance, transaction processing roles, or preparing revised policies or procedures to suit the changed environment.
  • Take an active business continuity role
    Enacting a crisis management plan or business continuity plan requires people and there are never enough to go around. Non-core business activities such as internal audit can provide people to fill gaps or perform specific roles to aid remediation and the recovery effort.
  • Become a real-time control adviser
    Internal audit can become an active and agile participant in organisation continuity and recovery actions by providing real-time advisory and control services. Examples might include recovery committee membership, recovery roles, and real-time oversight of recovery efforts to ensure they remain focused and controlled.
  • Become a control monitor
    In times of crisis, controls can often slip or need to be circumvented. Management may be so focused on recovery efforts that it is simply not possible to keep controls operating effectively at the time of a crisis. Internal audit can provide a monitoring service to pick up the slack. For example, when governments make emergency cash payments to citizens in times of community disaster, you would expect there would be some form of control process bolted on. This is something internal audit could potentially do.
  • Take off your internal audit hat
    Help the business with whatever needs to be done, even if that means stepping into roles and tasks that take away internal audit independence. An example might be to provide frontline concierge services to support customer needs. Whatever it is, internal auditors should be able to reasonably fulfil the task. Should internal audit be required to audit an activity after the crisis has passed, that they worked on that can be done at ‘arm’s length’, perhaps by an independent service provider or perhaps other members of the internal audit team.
  • Provide alternative services
    With the internal audit plan off the table, there is a real opportunity for internal audit to provide services that directly support the recovery effort. This might be advisory services such as providing advice, or facilitating brain-storming sessions to seek options and solutions to the myriad of crisis-related problems facing the organisation.

Post-pandemic – when the pandemic is controlled

There are likely to be many tasks internal audit could perform after the crisis has passed. Examples may include return to work planning, post-crisis reviews and reports, integrity (probity) activities for pre- and post-crisis procurement activities, work health and safety assessments for a potentially traumatised workforce, performing reconciliations and assessing process control strength.

Informing the audit committee

The audit committee chair and the chief executive officer need to be informed promptly of internal audit’s pandemic-related activities to demonstrate what internal audit is doing to assist the organisation and to confirm their agreement with what internal audit is doing Resulting impacts on the internal audit plan should also be explained.

Staff isolation

It may be necessary for some or all internal audit staff to be isolated from the rest of the workforce to prevent them being affected by the disease, to help them recover from the illness, to aid their family members, or to reduce spread of the disease. Where they are working from home and fit to work, there are some tasks on ‘in progress’ or planned audits that can be completed without getting in the way of business units for example research, data analysis or report writing. Otherwise this may present an opportunity for them to update internal audit manuals and templates, conduct relevant research, undertake environmental analysis, complete on-line training or study for a certification.

In any case, it will be important for the chief audit executive and other leaders to maintain meaningful communication and support to the isolated internal auditors so they remain connected, even while physically isolated.

Helpful References
International Professional Practices Framework, IIA Global
Fact sheet ‘Evolution of Internal Audit, IIA Australia
Fact sheet ‘Internal Audit Consulting’, IIA Australia
White Paper ‘Internal Audit Service Catalogue’, IIA Australia
Team Leader’s Guide to Internal Audit Leadership, Internal Audit Foundation, 2020