Posted: 24 Jul. 2020 15 min. read

Moving through recovery: Re-thinking Internal Audit’s remit post COVID-19

As organisations move firmly into the Recover phase of Deloitte’s crisis management framework (“Respond, Recover, Thrive”), this latest blog in our series considers how Financial Services Internal Audit (IA) can use the learnings of the early stages of the pandemic to increase its longer-term influence and impact.

The current COVID-19 situation presents new opportunities for IA functions to add more value around assurance, improve the advice they provide and increase their anticipation of risk. As organisations have navigated uncharted territory with often imperfect information, IA’s enterprise-wide viewpoint, ability to ‘join the dots’ and bring external industry insights has heightened its impact and influence. It has also highlighted what stakeholders really value from IA and challenged how functions provide this, within the boundaries of independence.

As part of Deloitte’s ongoing mission to make FSIA better, we’ve identified five areas which will become increasingly important as functions move through recovery and look to thrive in the future:

  • Developing new products and more rapid insights
  • Being true to an organisation’s values
  • Culture and psychological safety
  • Lessons learned
  • Looking forward

Born of necessity, recent developments in these areas show the way to more permanently re-imagine IA’s remit in the provision of assurance, advisory insight and the anticipation of risk.

Adding new value through Assurance

1. New products and more rapid insights

In the current fast-paced environment, a traditional, rated, “3 months to deliver”, end-to-end audit report with pages of actions has not grabbed the attention of time-poor executives or generated timely improvements to the risk and control environment. As a result, a number of functions have revisited their product suite.

However, functions cannot abandon their disciplines entirely. A function that gives opinions without grounding them in facts or evidence will quickly undermine its reputation for providing independent, credible assurance, and will become just another opinion in the room.

To balance this, IA functions should:

  • consider the frequency and nature of communications with key stakeholders – typically we see functions communicating more frequently, adopting a “shorter and sharper” approach to respond more effectively to the current volatile and high risk environment;
  • look at the range of audit products they offer, for example incorporating more frequent memo-style reporting when an issue is uncovered (with such reports eventually being pulled into a larger report, maybe without an overall rating), or providing more regular “flash reports” on the control environment. “Reporting” can take many forms and does not have to be long, formal or even written;
  • perform continuous, swift, data-led risk assessments, informing both audit plans and the scope of audits. Whilst appreciating the need for governance over changes to audit plans, IA needs to find a way to rapidly shift areas of focus and skilled resources to areas of emerging risk and be brutal in cutting areas from plans that no longer take priority; and
  • re-time work to go through an entire cycle (risk, controls design, controls operation, reporting) risk by risk rather than for each step in the process as set out below, reporting frequently as phases of work are completed and issues identified. This work re-alignment is often squarely aligned to the adoption of Agile Audit techniques:

2. Being true to an organisation’s values

Much has been said about business’s purpose in recent years.

It’s easy for a business to be true to its values and purpose when things are going well. It is much more difficult when things are not, or is it? If an organisation’s values, purpose and red lines are clear then decision making becomes in some ways simpler - certain options are closed off because they don’t align to the stated purpose or values.

For IA the pandemic has presented opportunities to add significant value to organisations by providing cultural insights or observations about how a board or management team are performing in their responses to the pandemic.

Key questions to consider include:

  • Were the purpose and values espoused by the organisation being held to during the pandemic?
  • Were they used as a decision making filter or not considered at all?
  • What does this tell us about whether the values are actually compatible with the organisation?

Sometimes it is necessary to make shorter-term compromises in the pursuit of longer-term ambitions. Were decisions made to keep the business solvent or still trading that compromised these in the short term but allowed the organisation to continue existing in the longer term and remain able to pursue its purpose?

The key challenge for IA will be how to undertake these assessments – we will return to this subject in a later blog.

3. Culture and psychological safety

Like purpose, the topics of culture and psychological safety have been debated widely over the recent past. In our 2020 Planning Priorities publication we highlighted how IA has an important role to play by:

  • reviewing the tone at the top, including seeking evidence to demonstrate senior management are promoting a culture of psychological safety.
  • assessing the design and operating effectiveness of initiatives that promote a psychologically safe environment, particularly with regards to risk and controls.
  • reflecting on audit findings and opining on psychological safety through the assessment of stakeholder behaviours observed during audits (including when discussing audit findings) and whether they support psychological safety.

Over recent months, organisational cultures have been placed under new pressures in response to an increasingly volatile, uncertain, complex and ambiguous risk landscape. Concurrent global events have placed increased psychological pressure upon many different groups, including employees, customers, regulators, politicians and all other stakeholders.

Whilst some data points are factual (call volumes to a whistleblowing line, for example), other information should be considered as part of both the response to COVID-19 and the “new normal” of a remote office environment. Key questions to consider include:

  • how did the organisation treat its most vulnerable employees and customers, e.g. those with mental health issues or with physical disabilities?
  • what surveys were undertaken and what correlations do we see in linking this data with other metrics (sick leave, net promoter scores etc.)? What actions were taken as a result?
  • workplace bullying has in the past been considered to be face-to-face in nature. The work from home environment changes behaviours, the categories of those who might be vulnerable and increases the risk of cyber bullying in the workplace. How does the organisation identify detrimental behaviours and weaknesses in risk culture in this virtual environment?

Increasing IA’s advisory role

4. Lessons learned

The COVID-19 pandemic has been a test case for many recent areas of regulatory focus:

  • operational resilience scenarios and disaster recovery plans have been enacted quickly;
  • customer vulnerability frameworks and processes have been stressed;
  • new digital and cyber risks have emerged from the remote working environment;
  • call centres and websites have been overwhelmed; and
  • trading algorithms have struggled to cope with the levels of market volatility or were deactivated where intra-day price movements exceeded risk tolerance levels.  

During COVID-19, functions have needed to plan and deliver work to cover new risks and related activities in the business, including tactical responses to the launch of new lending schemes, responses to increased and contentious insurance claims, heightened fraud risk (including Cyber) and other challenges posed by remote working (management, staff and customers alike).

IA is uniquely placed to perform timely, thorough and impactful “lessons learned” reviews that will help the business drive continuous improvement in the risk and control environment and prepare for future incidents of this type. Whilst “lessons learned” reports are nothing new to IA functions, the uniquely broad and fast-paced nature of the COVID-19 pandemic makes this an area where IA can raise its impact across the organisation, specifically with key members of management.

Useful questions for IA to consider, answer and report on are often around the decisions taken, the governance and oversight arrangements and the evidence produced, not just in making decisions but in recording them:

  • What lessons about preparedness can organisations learn from these incidents? How did incident management protocols work and how rapidly were decisions escalated?
  • Were papers prepared appropriately balancing the risks of each potential option? Was imperfect information presented as such? How were customer interests or conduct risks considered? Were exceptions and accepted risks considered and documented appropriately?
  • How did algorithms perform during stressed times? Was there adequate oversight in place to identify when algorithms did not perform as intended? How quickly were issues resolved? Should conclusions around the effectiveness of algorithm control procedures be revisited? For more on the role of Internal Audit regarding algorithms please see: https://www2.deloitte.com/uk/en/blog/auditandassurance/2019/mifid-ii-rts-6-requirements-annual-self-assessment.html
  • How and when were accountable executives and SMFs engaged and how well evidenced were the decisions? Did they meet SMCR standards? Both the FCA and the PRA are taking steps to alleviate certain compliance pressures on firms; however, the duties and obligations on SMFs have not changed and will not change. More thoughts can be found in the blog below: https://ukfinancialservicesinsights.deloitte.com/post/102g43z/smcr-blog-reasonable-steps-and-the-impact-of-covid-19-key-questions-for-smfs

Anticipating new and emerging risks

5. Looking forward

IA also has the opportunity to challenge the business around potential forward-looking pressures and the adequacy of management’s response.

Examples include increased litigation or regulatory challenge to COVID-19 related decisions; operation of schemes implemented in a rapid, tactical control environment; legal and operational risks presented by “return to work”; expected long-term changes to employee and customer behaviour; technical interpretation and application (including availability of reliable data) of accounting standards in financial and management reporting (e.g. impairment and expected credit losses, insurance reserving, fair/market pricing, going concern assumptions and other areas involving forecasting and management judgment); and the impact of the end of government employment support schemes such as furlough.

As we move through the Recover phase, IA has demonstrated its increased organisational importance and influence and now has a significant opportunity to accelerate its change journey and continue to grow its impact and influence. Future blogs will focus on what Financial Services IA can do to lock in best practices, maintain and enhance audit quality and commence activities to Thrive in an environment when the effects of COVID-19 are less pronounced.

Key contacts

Matt Cheetham

Partner, Risk Advisory

Matt is a partner specialising in providing Internal Audit co-source, outsource and advisory services for a range of Financial Services companies both globally and in the UK. He has twice been a UK regulated head of internal audit and is passionate about the role internal audit can play.

Russell Davis

Partner, Risk Advisory

Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.

Owen Jackson

Director

Owen is a Director in Deloitte’s Internal Audit and Controls practice with over 20 years’ experience of providing assurance and advisory services to organisations across the financial services and corporate sectors. Based in Cardiff he leads Deloitte’s Internal Audit Advisory team in the UK which helps in-house functions assess, define, improve and innovate their ways of working. He has significant experience of working with functions in areas such as data analytics, digitisation, Agile Internal Audit practices, quality assurance, strategic planning and thematic reporting. Owen has presented to audiences across the globe on a range of internal audit subjects and is a regular contributor to thought leadership publications including our market-leading vision of the function of the future, Internal Audit 4.0.