As organizations grapple with the impact of COVID-19, everyone is expected to play their part. Many chief audit executives (CAEs[1]) and their teams are being asked to offer more “hands on” help to support management. When the boat is sinking, everyone from captain to galley crew is expected to be on bail-out duty. However, is it possible for internal audit to remain independent while undertaking these new tasks?

[1] i.e., the head of internal audit

Pressure on internal audit independence

More significantly, in a crisis, should auditors and audit committees regard independence as secondary to providing maximum value? Is it really a matter of choosing between helping management in any way possible or declining in the interests of maintaining independence?

COVID-19 has put pressure on internal auditors as they strive to support management as best they can. Internal audit’s unique position and expertise make it ideally suited to provide insightful advice to foster continuous improvement. Internal audit should be responsive to circumstances and flexible in order to provide maximum benefit. Offering advice, even developing solutions, does not amount to taking management decisions or ownership of risk.

Governance

In a crisis, the CAE should anticipate where senior management and the governing body would gain most from advisory services. Through such activity, internal auditors will be able to help the organization learn valuable lessons for the future. In other words, they should continue to think and act like auditors, even when undertaking advisory tasks.

For example, auditors can help senior management develop appropriate mitigation strategies to ensure business objectives will continue to be met. They can identify and prioritize emerging risks related to the pandemic that threaten the organization’s top strategies. Key risks to be assessed during this pandemic include impact to programs, goods and services provided by public organizations; revenues; employee health and safety; supply chain; and cybersecurity. Updating the risk assessment is particularly useful as this process can highlight the impact of similar risks if the pandemic dissipates before a second wave occurs.

Internal audit independence and objectivity

At the same time, taking on advisory roles should not jeopardize routine assurance work.

Internal audit must continue to follow a risk-based approach to its audit planning and implementation. As the risk landscape changes, the audit plan needs to change, but the approach does not. Ensuring relevance requires alignment with organizational needs and priorities and depends on continuous stakeholder engagement, including close liaison with external auditors.

Stepping outside the comfort zone

While advisory services are clearly within any modern internal audit function’s scope of work, the pandemic has pressed some practitioners into roles outside the comfort zone.

Some internal audit functions have taken on new roles outside of their traditional scope, even if this creates a threat to independence of the function and objectivity of internal auditors. For example, because of their risk and control knowledge, some internal auditors have moved temporarily into first and second line roles. Other internal audit departments are analyzing the processes that are most affected by COVID-19 and identifying the necessary changes in the key controls to minimize the risk to financial reporting, transaction processing, technology operations, and, last but not least, compliance.

A recent survey conducted by the European Consortium of Institutes of Internal Audit (ECIIA) Public Sector Committee confirms adjustments being made to audit plans as well as the expanding role of internal audit due to COVID-19. Nearly 52% of survey respondents cancelled engagements because of COVID-19, 21% added new engagements, and a similar percentage reduced scope for some engagements (see Exhibit 1).  Only 20% redirected staff to do non-audit work (see Exhibit 2).

Note: Q5. How has your audit plan changed as a result of COVID-19?. Q2: Did you transfer staff to non-audit work?  Survey responses collected May 13, 2020, from “The Impact of COVID-19 for internal auditors in the Public Sector- Webinar report” (n. 183 participants working mainly into the EU public sector). Source: ECIIA Public Sector Committee (https://www.eciia.eu/2020/04/webinar-the-impact-of-covid-19-for-internal-auditors-in-the-public-sector/).

No trade-off on independence

Independence of an internal audit function is not directly valuable for its own sake but as a means of enabling the objectivity, authority, and credibility of its internal auditors and their work. It is always important to apply appropriate safeguards when organizational independence or auditor objectivity are under threat due to close association and involvement. Auditors can maintain their objective mindset through application of professional standards and refraining from assuming managerial responsibilities. In all such cases, the CAE should ensure the governing body is fully informed of and approves any additional tasks being undertaken in response to management requests. If these measures are insufficient to reduce the threat to independence of the function and objectivity of individual auditors to an acceptable level, then the CAE should recommend using a qualified third party to provide assurance over the activity in question.

Accordingly, CAEs should feel confident to respond to the pressing needs of management as long as reasonable safeguards are taken. Senior management and governing bodies should be encouraged to utilize internal audit services this way. Internal audit is essential to organizational success, now more than ever.

Is there a necessary trade-off for internal auditors between being independent and being valuable, especially in time of crisis? The answer is an emphatic no. With the right mindset, safeguards, and oversight by the board or audit committee, internal audit is positioned to provide its unique value of well-informed, independent, and objective insight, assurance, and advice. 

[1] i.e., the head of internal audit