The word “pandemic” comes from the Greek words “pan” which means “all” and “demos” which means “people.” A pandemic is an epidemic of unstable disease that spreads across a large geographic area. The world has experienced pandemics of diseases such as smallpox and tuberculosis. One of the most devastating pandemics was the Black Death, which killed an estimated 25 million people in the 14th century. Other notable pandemics were the Spanish flu pandemic of 1918, which is estimated to have killed 50–100 million people, HIV / AIDS in the 1980s, severe acute respiratory syndrome (SARS) in 2003, and the pandemic of 2009 swine flu (H1N1). The 2019-2020 coronavirus (COVID-19) outbreak is the world’s most recent pandemic and its impact is potentially more severe than other pandemics because people around the world, as well as economies, Communications, travel and supply chains are more connected than ever.
First:
Second:
When internal audit prepares its risk assessment to define the risk-based audit plan, business continuity management is invariably a topic to include. Given the importance of business continuity management, it should be audited on a regular basis. It is important to ensure that crisis management and planning for potential pandemics are included in the audit scope.
When performing the audit, the internal audit must identify whether the organization is conducting sufficiently robust crisis management and pandemic planning or is it a superficial effort, which is what many business continuity plans present. You must also ensure that planned changes to business practices during a pandemic really work, for example, if the ICT system and broadband capacity can realistically cope with a substantial increase in employees working remotely. Internal audit should also question the business impact analysis, to ensure that the correct systems remain accessible and that the defined acceptable level of disruption is realistic.
Tests for various disaster scenarios, including for pandemics, should be performed periodically. Internal audit may be involved as an observer, to perform scenario tests and provide suggestions for improvement.
There should be a rigorous follow-up of the actions implemented by management to remedy the deficiencies detected by the audit in business continuity and routine testing of scenarios, and regular reports should be submitted to senior management and the audit committee.
The COVID-19 pandemic has all the ingredients to throw a large number of organizations off balance and the result could be that many employees lose their jobs and the community suffer service interruptions and product rationing. Many organizations, particularly small businesses, may never recover. Many organizations can quickly find themselves in a really dire situation.
When a crisis strikes, organizations need access to enough cash to survive. How long can the organization cope with the payment of employee salaries, rents, leases and other regular obligations? What steps should be taken to “secure” its liquidity? At what stage should the regulator, financial institution, suppliers and other stakeholders be informed if the company begins to walk a tightrope?
The opportunity exists for internal audit to respond to pandemic risk in a number of ways:
There are two reasons to do it. First, in a crisis, the internal audit plan developed months or years in advance is unlikely to be a priority or deemed essential by the audit committee or management. The survival of the organization would be the primary factor. Second, internal audit would better serve the organization by taking a step back and giving business units air to continue to deal with the crisis.
Facilitate a risk workshop to help management determine the most pressing issues to address. For example, contact center capacity, customer complaints, current management and liquidity ratio, adequacy of cash resources, debtor and creditor management, probable financial projections, supply chain security and alternatives, reduction bureaucracy, critical compliance obligations, and staff well-being.
Inform management that the internal audit team is available to lend a hand. Make it clear that this is not the time to raise roadblocks by conducting traditional audits. Examples: playing front-line customer contact roles to meet needs, providing advance planning assistance, assisting in transaction processing roles, or preparing revised policies or procedures to accommodate the new environment.
A crisis management plan or a business continuity plan requires people and the work in general tends to overwhelm everyone. Non-business essential activities, such as internal auditing, can lend your staff to meet needs or assist with remediation and recovery efforts.
Internal audit can become an active and agile participant in the recovery and continuity actions of the organization, providing control and advisory services in real time. Examples: joining the recovery committee, filling recovery roles, and monitoring recovery efforts in real time to ensure they remain focused and in check.
In times of crisis, you often need to relax or circumvent controls. Management may be so focused on recovery efforts that it may not be able to keep controls working effectively during a crisis. Internal audit can provide the oversight service to ease the burden. For example, when governments make emergency cash payments to citizens in times of community disaster, hopefully there will be some kind of control process. This is something that internal audit could do.
Help the business with whatever needs to be done, even if it means taking on roles and tasks that detract from internal audit. Example: provide customer service to meet your needs. Whatever it is, internal auditors must be able to reasonably accomplish the task. If, after the crisis is over, internal audit needs to audit an activity it has worked on, the assessment can be done ‘remotely’, perhaps with an independent service provider or other members of the internal audit team.
With the internal audit plan out of the equation, there is a real opportunity for internal audit to provide services that directly support the recovery effort. It could be advisory services, such as offering advice or facilitating brainstorming sessions to seek options and solutions to the myriad of crisis-related problems facing the organization.
There are likely to be many tasks that internal audit can perform after the crisis is over. Examples may include return-to-work planning, post-crisis reviews and reports, integrity (probity) activities for pre- and post-crisis purchasing activities, occupational health and safety assessments for a potentially traumatized workforce, reconciliations and evaluation of the strength of process controls.
The chairman of the audit committee and the chief executive officer should be informed immediately about the activities of internal audit in relation to the pandemic, to demonstrate what this function does to help the organization and confirm their agreement with what is it is done. The resulting impacts should also be explained in the internal audit plan.
It may be necessary for some or all of the internal audit staff to isolate themselves from the rest of the workforce to avoid becoming infected, or to recover from the disease, help affected family members, or reduce the spread of the disease. If internal audit staff work from home and are able to work, there are some “in progress” or planned audit tasks that can be completed without interfering with business units, for example research, data analysis, or report writing. reports. It can also be an opportunity to update internal audit manuals and templates, conduct relevant research, do environmental analysis, complete online training, or study for certification. In either case, it will be important for the chief audit executive and other leaders to maintain meaningful communication and support isolated internal auditors to stay connected, even when physically separated.
Helpful References
‘International Framework for Professional Practice’; IIA – Global / ‘Internal Audit in Australia – second edition’, IIA – Australia / Fact sheet ‘Evolution of Internal Audit’, IIA – Australia / Fact sheet ‘Internal Audit Consulting’, IIA – Australia / White Paper ‘Internal Audit Service Catalog ‘, IIA – Australia /’ Team Leader’s Guide to Internal Audit Leadership ‘, Internal Audit Foundation, 2020
Source: IAI Peru – Institute of Internal Auditors of Peru