Report: How Covid Is Changing Internal Audit

The internal audit world is bracing for big change thanks to Covid-19: tighter budgets, more risk assessments, changes to the audit plan, and — like so many others these days — lots of working from home. 

So says a special report published by the Institute of Internal Auditors on Monday, based on a survey of nearly 500 audit executives in early June. The report is posted in the IIA’s Audit Executive Center, and IIA president Richard Chambers posted his own commentary about the results too.  

Let’s start with the budget cuts. Forty-five percent of survey respondents said they expect cuts to the internal audit budget over the next 12 months, compared to only 9 percent who were expecting cuts one year ago. 

That sounds gloomy, but much of those cuts seems to be targeted at business travel: 65 percent of respondents said they expect “significant” cuts to that line, compared to only 6 percent who expect significant cuts to staffing. Professional development and external sourcing will also get squeezed, but nowhere near as much as travel. See Figure 1, below. 

One interesting item: 16 percent of respondents expect significant cuts to external sourcing, but 17 percent expect to increase spending on external sourcing. So are some companies cutting outside spend to save the money for internal staff? Are others cutting staff with the hope they’ll find cheaper outside help? Or are some firms planning to spend more on external sources because they know they’ll need special expertise in the coming year their team doesn’t have? 

In his post analyzing the results, Chambers speculates on the latter. I speculate that rationales for external spend are all over the place — but the more important priority is keeping internal audit staff as intact as possible anyway. 

More Risk Assessment, Audit Updates

Survey respondents also said they will both conduct risk assessments and update their audit plans more often. This should surprise nobody, given how Covid-19 has put standard risk scenarios through the blender. Fraud risk, cybersecurity risk, user access controls, management review and sign-off of reconciliations or controls; they’ve all gone haywire.

So as you can see in Fig. 2, a majority of respondents expect to increase their risk assessments to at least some degree, and 11 percent expect to increase the frequency significantly. Meanwhile, 68 percent percent of respondents say they’ll at least increase the frequency of updates to the audit plan. 

That’s a lot of change and improvisation for the audit function. It implies an embrace of “agile auditing” — a concept the IIA and many others in the audit profession heartily support. It’s the idea that an audit function will run light on staff, heavy on technology, and stand ready to jump on emerging or fast-changing risks by working with other parts of the enterprise. 

Covid-19 certainly fits that paradigm. It poses new risks all over the enterprise, and audit teams have neither the time nor the manpower to do some ponderous risk assessment, audit, and action plan. Audit teams will need to embrace a more swift, data-driven approach to assessment, testing, and remediation. 

Ah — but will they actually do that? 

Changes to Audit Process & Competencies

Figure 4, below, shows the changes to audit processes that chief audit executives expect to make. Some are no surprise, such as lots of working from home and more flexible audit plans. 

I’m more interested in the items further down the chart: more use of data analytics, more consulting activities, more focus on cost savings. Any audit team can take those steps right now, because the steps don’t necessarily involve much (or any) new spending and investment. On the other hand, more innovative steps like using audit software, automated controls, or robotic process automation — those things will need investment, because most companies haven’t embraced them yet; and so we see fewer audit teams expecting to implement those measures soon. 

And last is Figure 5, a snapshot of the audit competencies that are likely to be in more demand. Communication, cybersecurity, innovation, health and safety, data analytics, fraud — for each discipline, a majority of survey respondents say they’ll need more more of that expertise in the year to come. 

Again, no surprise. If Covid-19 is putting tremendous strain on operations, and audit teams will need to help operating units understand the new risks and internal controls to keep those risks at acceptable levels, then competency in any and all of these fields will be an urgent need. That’s how internal audit will be adding value to the corporate enterprise today, tomorrow, and a long time after that. 

The complete IIA report has lots more data, including industry-by-industry breakdowns. If you’re looking for benchmarking information to help you understand what’s normal for your field these days, it’s worth a read.