Third line lessons from the front line of the pandemic
All of us have a role to play in helping create better processes and specifically, better internal audit practices.
Coronavirus and lockdown
The Covid-19 lockdown has dramatically re-ordered our professional, as well as private lives in all sorts of ways. Four months ago, headlines included 'US stocks fall 12% in worst day since 1987' and the VIX index, the market's 'fear gauge', jumped to a record high on 16th March 2020. Just one of the risks in financial services is that given that market returns can increase significantly for fast movers during periods of increased volatility, Artificial Intelligence algorithms could make a rational, though unintended, choice to engage in market manipulation for the benefit of their investing clients but at the expense of other investors. Similar trends may be discerned in other sectors and the Office for National Statistics report  soberly paints a dramatic picture of an entire economy in crisis.
April 2020 showed even sharper falls than in March, as the negative impacts of social distancing and lockdown led to falls in consumer demand and business and factory closures, as well as supply chain disruptions. GDP fell by 20% in the month, the largest fall since monthly records began in 1997, reflecting record widespread falls in services, production and construction output. The construction industry experienced a strong decline in output of 40% during the month of April. Turning to just one example from the public sector, the volume of educational activities declined by approximately 35% in April. On average, charities report that they are expecting a 24% reduction in total income for the year. During the Covid-19 pandemic, services comprise 80% of the UK economy, while production and construction comprise 14% and 6% respectively. I will come onto the significantly heightened fraud risk and of control circumvention later in this article.
Risk Registers need to be re-written, freshly scored and stress tested with rigour.
The question arises for us, how can this shape the future of Internal Audit? As we have all heard and said, things will not return to normal and new norms are to be expected. All of us have a role to play in helping create better processes and specifically, better internal audit practices. One can ponder how exactly we might be more effective auditors and participants in the overall assurance process. Also, what risks might we all pose not only by changing too much but also by changing too little.
As occurred in the financial crisis, precipitated by the banking failures in 2017 including the building of leveraged debt instruments, which preceded them, Internal Audit must come out of the current epidemic stronger as a result of the learning opportunities that crises afford us. In these still early days, these may be seen as:
Greater use of remote auditing, with the efficiencies and benefits that this can bring.
An accelerated adoption of agile audit techniques and much quicker reporting of control weaknesses, recommendations and opinions.
Data analysis extensions going beyond those of the previous twenty years.
These will require risk mitigation by audit departments themselves, because of the change in working patterns and audit coverage. This change is not driven by failure of the audit processes (“comfortable irrelevance” enjoyed by Internal Audit, was an expression of the credit crisis, a decade earlier) but rather by the unrequested opportunity afforded by prolonged remote working and looking at work itself done remotely by our colleague auditees.
Never before has the role of Internal Audit in reviewing and reporting on adverse events been so pertinent. Reflection on the lessons learned and analysis of what went right and wrong are likely to be key drivers and inputs into identifying priorities and setting a forward-looking internal audit plan.
Based on experience during the Covid-19 lockdown that commenced on 23rd March, it is extremely likely that internal auditors will work from home more in the future and will be expected to undertake less business travel by auditing remote locations, analysing their data and reporting audit results, without having to visit them.
The plan to increase remote working has many advantages for staff work life balance, reduced travel time and dedication to the task in hand. However there are risks that include:
Reduced contact with colleagues, albeit mitigated slightly by online interaction and video conferencing.
Work life and home life melding into one, possibly dealt with to some extent by having a dedicated desk which can be left when working time ends each day or by powering down the “work” computer.
Reduced opportunities to work alongside auditees and to get under the skin of the activity being audited.
Less chance to observe body language clues in auditees.
Further consideration is given to the latter two because controlling them will need greater input from internal audit management. One of the benefits of colleagues in different departments working in the same building is that it has always been relatively easy for the auditors and their laptops to locate to the trading desk or office area subject to audit. Then to work on audit tests, whilst normal activity continues. The auditor, whilst remaining productive, hears about any frequent problems as they occur and picks up on how they are resolved and errors are corrected. Sometimes people bounce ideas off the visible auditor and thus it is both interactive and educational. The process is informative and likely to assist in the drafting of reports and the formulation of recommendations.
If an auditor is working remotely and is out of sight, this drip feeding of knowledge and observation of culture, is harder or impossible and audit management may have to request and obtain minutes of team meetings that may discuss recurring problems, as a substitute, in the hope that such matters are covered and are fully documented.
Turning to feedback from auditees, this takes the form, like other communications, of a combination of the spoken word, the tone in which it is delivered and the body language (including facial expressions and eye contact; head movements; hand gestures; body posture) of the speaker and their colleagues, as they hear the words spoken. Dissonance and leakage may occur which cast doubt on part of what is being said and of any important omissions. This is not so easy for internal auditors to detect when working remotely even if the speaker is seen and heard in a small box viewed on screen. Heightened awareness of voice tone and a little more scepticism may be justified in controversial and risky areas without being overly cynical. Verification of responses needs to be rigorous. Furthermore, audit management will need to consider carefully the degree of assurance that may be forgone and caveat any material gaps in that consistency of assurance.
By using new technologies in cloud-based applications for collaborative working, video conferencing and remote access infrastructure, auditing will be effective if we ensure that adequate security measures are used for video conferencing and data access, transfer and storage. The increased adoption of technological and digital tools may require better internal audit file management, workflow systems, data analysis and artificial intelligence. Furthermore, internal audit functions should take the opportunity to introduce strengthened continuous auditing activities thus enabling Internal Audit to automate the monitoring of key risks and the operation of key controls, gaining time to concentrate on complex areas of risk.
There is an opportunity to improve audit effectiveness by building stronger internal audit teams. When auditing is done remotely, the location of auditors does not matter and audit teams can be built to ensure the most suitable auditors are assigned to each audit, irrespective of where they are based.
The risk of fraud increases now because criminals thrive on chaos, uncertainty and disruption and Covid-19 responses have provided these in abundance. During a paradigm shift, where everything has changed rapidly, unusual activity that could be red flags for fraud may go unnoticed. What has been noticed though is that financial institutions have seen spikes in false positive alerts generated by their monitoring software which reflects the fact that customer behaviour has changed suddenly but for good reason.
Lots of employees are now working remotely, so criminals who can use sophisticated analysis to seek out weak links will take advantage of any weaknesses in controls and in IT security. External fraudsters have sought to exploit people working from home by impersonating managers in order to give payment instructions.
Supply chains have been broken and employees are under increased pressure, so it is easier for normal supplier controls to be circumvented and due diligence diluted.
Auditing for fraud events is harder when not done face to face and supplementary data analysis may be needed, some of which have been available for some time. For example Benford’s Law analyses may be used to search for anomalies and data patterns that are unnatural and which may indicate suspicious activity. This may be more efficient but also more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be very effective and insightful but it has been recommended by the Association of Certified Fraud Examiners for twenty five years.
The Association of Certified Fraud Examiners’ 2020 Report to the Nations  included amongst its Key Findings that the use of targeted anti-fraud controls has increased over the last decade and that a lack of internal controls contributed to nearly one-third of frauds. The presence of anti-fraud controls is associated with lower fraud losses and quicker detection and these include:
An anti-fraud policy
Fraud training for employees
Fraud training for managers/executives
A whistle-blowing hotline
Clearly these are essential elements of strong corporate governance. The fraud training should be structured around the anti-fraud policy and decisions can then be taken on whether the whistle-blowing hotline is run in-house or contracted out.
Past crises and watershed moments for the profession supplied internal audit with important lessons on where controls fail, which remain relevant:
that good controls being overridden (may only be 1% or more likely 0.1% of the time) may be a greater risk than inadequate or ineffective controls because the latter can be understood and mitigated in practice
whenever controls fail the auditors must keep digging until they get to the root of the problem.
If, as the Association of Certified Fraud Examiners has found, the absence of internal controls contributed to one-third of frauds, it is implicit that control circumvention is a major component of the other two-thirds of fraud. Dealing with it must be a major priority of control system design and corporate governance.
In the June 2020 quarter and because of the pandemic, management has concentrated on employee and customer safety, business continuity and financial resilience. The shift to telecommuting across the board and slowdown in activity has changed the risk levels and business operating practices. Some controls may no longer function as intended. It is necessary to evaluate how management has adjusted financial and operational procedures to cope with remote work arrangements and offices being unavailable.
This evaluation should include the:
Re-evaluation of separation of duties when many employees are ill, away from the office or furloughed.
Adjustment of credit risk and payment terms to reflect changes in customers’ risk profiles.
Review, approval, and documentation protocols for changing static data and making accounting entries.
Re-alignment of IT security controls to deter social engineering attacks and mitigate the lack of employee experience with remote working and using internet communication methods.
The review should extend beyond the company to cover the continuity of services and controls from third-party vendors, including large business process outsourcing providers operating overseas.
Agile auditing is a good solution
The main difference between agile and traditional auditing is that inflexible, early stage planning is replaced by iterative planning and a series of sprints, incorporating short bursts of activity covering planning and testing. Continuous communication and collaboration both among the internal audit team and with management, are delivered. Typically the eight weeks or so spent on planning, fieldwork and reporting are replaced with, say, three agile phases totalling six weeks.
Agile auditing is built around a flattened structure, with empowered job roles. Teams can decide to continue on a project track or change directions based upon experience gained during sprints. Re-alignment can be made by more junior auditors, as senior auditors will have set appropriate guidelines during planning phases. A more responsive internal audit approach can deliver the value that senior management needs.
Within sprints, auditors can monitor and revise their priorities every two weeks or so and are not constrained by a traditional internal audit cycle. Fieldwork and review are quicker and reporting is too.
Agile internal audit planning involves a continuously updated backlog of audits and projects, prioritised on risks. Communication is both very frequent and more informal, with reporting via dashboards and update memos, rather than formal, long form audit reports.
Testing priorities are reassessed and redirected as priorities evolve; every two weeks or so (depending on the length of sprints) audit teams review priorities, testing and goals. Major weaknesses are surfaced as they arise, so that action can be scheduled quickly. Audit teams can be more adaptive.
Thus, agile assurance is given in real time over risks that are currently rather than historically, critical or important is desired, as are important matters that can be sharpened by agile methods:
Very prompt feedback to Management.
Independent assurance over risks assessed and related controls, with an eye to the future.
Closer involvement in assessing continuity planning and stress testing.
Demonstration that current technology supports the audit process, whether or not it is mainly done remotely.
Understanding the control implications of remote working across the company, including data security and process integrity.
Sticking to Internal Audit’s existing change agenda for agile auditing, data mining and analytics.
Expectations that Internal Audit can demonstrate its independence and objectivity, as it increasingly adopts agile practices.
Emphasis on the susceptibility of certain controls to circumvention in difficult circumstances. This has fraud risk implications and may need enhanced expertise in fraud auditing and investigation in some departments. Fraud investigation in particular, will still need higher levels of face to face discussion, interviews and challenge. Management’s detective controls over fraud prevention may be rendered less effective as their operation becomes more remote.
Reduction in the human element of auditing will reduce the ease of spotting certain red flags of fraud, weak culture and ethics.
Not all internal audits are suitable for an agile approach and companies may need a hybrid system rather than forcing agile audits on every element of the audit universe.
In future, internal auditors need to give:
Stronger assurance on high risk activity, at the risk of attending less to relatively low risk matters. The confidence to do this can be built on greater concentration on evolving risks and monitoring changing risk patterns. Cyclical assurance plans are yesterday's solution.
Clearer documentation of their modus operandi to allow strong challenge and review for those working remotely.
Improved early confirmation of findings with management to ensure auditors who cannot see body language have properly understood the written word.
Promotion of Internal Audits’ value based on the observed benefits during the pandemic of earlier internal audit findings and insights.
Greater consideration of more extreme stress scenarios.
Assurance on control resilience to circumvention and fraud.
Better use of the reduced time that can be spent with auditees.
Re-assessment of how companies operate and have changed so that control effectiveness can be tested in this light.
Auditors need to be wary of looking like Generals who seek to re-fight the previous war, oblivious of new forms of attack, technology and techniques.
The entirety of what has been set out may be a significant change agenda and greater for some departments than others, so it is best to get the audit team involved, individually and collectively. As with any change, people who are actively involved in it, rather than simply subject to it, will be more content and effective in development and implementation. They can then assist it to be resilient and are more likely to surface weaknesses and resultant errors than if they had not been involved from the start.
I would emphasise the importance of Internal Audit and Audit Committees re-evaluating previous audit actions. Work priorities have changed and the implementation of previously agreed audit actions may no longer be a main priority. Internal Audit should consider:
Reviewing and re-prioritising the action tracker with the audit committee.
For high priority internal audit actions, talk to auditees to confirm the status of relevant actions and whether their deadlines remain achievable.
Internal Audit’s role after the crisis should reflect the main lessons covering the:
Heightened fraud risk and of greater control circumvention opportunities at the same time as the motivation of nervous, or even desperate, staff to commit fraud, increases.
Ability of management to make appropriate decisions during times of stress.
Any cultural concerns arising from employees ability to adapt and respond to the crisis.