COVID-19 AND THE ROLE OF INTERNAL AUDIT SUPPORTING RESILIENCE IN TIMES OF UNCERTAINTY

COVID-19 AND THE ROLE OF INTERNAL AUDIT SUPPORTING RESILIENCE IN TIMES … IIA_IA COVID19 Training.pdf · 2020. 6. 2. · most during these difficult times. This aim of this course


COURSE AGENDA

1 The Fundamentals of Business Continuity

2 The Critical Role of IA in Crisis Management

3 Adapting IA Operations to Covid-19

4 Refocusing IA

5 Identifying and Evaluating Processes Under Stress

6 Assurance Over Crisis Response Activities

7 Multi-tiered Response Plans


DAY - 1


INTRODUCTION

The COVID-19 outbreak has brought BCM and Crisis Management to the forefront of doing business.

Organizations that have effective crisis management programs have proved to be more resilient, flexible and efficient.

In times of crisis, the management of many organizations argues that it is best to slow down Internal Audit activities to ease the burden on process owners.

Internal Audit has a vital role to play in such challenging times.

Internal Auditors, however, must move away from their business-as-usual activities and refocus on what matters the most during these difficult times.

The aim of this course is to strengthen the participant’s understanding of the role of Internal Audit in crisis management and how Internal Auditors should adapt their methodologies and scope of work to support their organizations in times of crisis.


EMERGENCY RESPONSE QUESTIONNAIRE

Take 20 minutes to review and answer the questions below from the perspective of your current employer:

Question / Answer

• How much working capital (cash flow) does your organization need to cover 3 months of operations in a Covid-19 worst case scenario?
• If a 20% discount has been mandated by law over your key services, how would your organization’s financial sustainability be affected?
• Who are the top 5 professionals in your organization that can cause a disruption in operations if they were infected and quarantined?
• Does your organization maintain a comprehensive list of regulations related to Covid-19 that must be enforced?
• Does your organization’s business continuity plan provide for necessary escalation if the Covid-19 situation deteriorates?
• What external event would invoke a maximum alert status in your organization?
• What are the key areas in your organization where cost can be reduced to respond to slowing economic conditions as a result of Covid-19?
• Does your organization have a clear plan for how to operate in the first 6 months after the Covid-19 crisis ends?


COVID-19 IA QUESTIONNAIRE

Take 10 minutes to review and answer the questions below from the perspective of your current employer:

Question / Answer

• To what extent have you modified your IA plan since the outbreak of Covid-19?
• Do you agree that IA activities should be reduced to avoid overcrowding critical operations and personnel?
• If you have made changes to your IA plan, what are the top 3 areas of focus for IA over the next 3 months?
• Did your IA function call for an urgent Audit Committee meeting or was the committee convened as scheduled? If an urgent meeting was called, what were the top 3 agenda items?
• Did the IA function identify the critical supplies and services of the organization? If so, list the top 3 of each.
• Did your IA function complete an audit of your organization’s Covid-19 response plans?
• Is one of your ongoing IA activities right now to provide continuous assurance to top management and the BOD over ongoing crisis response activities?


THE COVID-19 CRISIS HAS POSED UNPRECEDENTED RISKS TO BUSINESSES

• Strain on Revenue Cycle and Working Capital
• Risk of Key Personnel Being Quarantined
• Interruptions of Key Supplies
• Critical Service Failure
• Noncompliance with Covid-19 Specific Government Regulations
• Drastic Change in Customer Behavior
• Breakdowns in Traditional Crisis Response Plans


CLEAR STRATEGIES MUST BE DRAWN UP FOR KEY BUSINESS AREAS

As the novel coronavirus outbreak has dramatically impacted businesses around the world, two things have become clear: formidable actions are required at lightning speed, and traditional crisis-response methods will not suffice. Strategies must be drawn up to reinforce key business areas, including:

01 People: Identifying key personnel, adapting working arrangements, managing workforce distress

02 Operations: Adapting operating model to escalating circumstances

03 Value Chain: Securing key supplies and critical services

04 Financial Resilience: Safeguarding revenues, optimizing costs and managing working capital

05 Monitoring and Reassessment: Continuous monitoring and analysis of changing circumstances and responding effectively

06 Communication: Maintaining effective communication with workforce, customers and stakeholders


ILLUSTRATION OF TIERED RESPONSE PLANS

Optimistic Scenario Response Plan: Continue operating as-is. Focus on continuous reassessment of market conditions, scenario modelling and performance management.

Moderate Criticality Response Plan: Engage medium alert mode. Limit unnecessary spend, secure key personnel, ensure security of supply, limit uncritical operations.

Crisis Plan: Deploy full crisis response mode. Implement break-the-glass cost reductions, shut down uncritical activities, strengthen reserves.

Panic Triggers

• Full-scale countrywide lockdown is imposed
• Conditions remain relatively unchanged or virus spread starts to slow down
• Uncontrolled virus spread, severe business exposures and government-imposed restrictions


FUNDAMENTALS OF BCM

• Identify critical activities
• Establish a common risk appetite
• Business Impact Analysis
• Define authorities and triggers for invoking crisis status
• Develop response plans for different levels of crisis
• Establish clear communication channels for potential continuity risks in critical business areas
• Define BCP owners and key responsibilities clearly
• Define disaster communication plans
• Test, communicate and learn


KEY BCM FAILURES

BIAs are performed bottom-up rather than top-down leading to the inability to identify critical functions in line with organizational governance and strategic objectives.

Absence of an approved risk appetite matrix leading to the inability to assess BCM risks in a manner that reflects corporate priorities.

While BCM documentation is established (e.g. BCPs, BIAs, etc.), the BCM functions are not activated with clear targets, ownership, drills, ongoing review and updates, etc.

Disaster recovery plans for critical IT business applications are not aligned to organizational continuity priorities.

Lack of awareness regarding BCM within the organization due to the absence of awareness workshops, training programs and BCM testing.

Communication and Media Response Plans do not define clear parameters for what information should be communicated to which parties in case of an emergency.

Absence of annual audits of BCM activities and annual revision of BCM policies and plans in line with changing external environment.


THE CRITICAL ROLE OF IA IN RESPONDING TO COVID-19

• Redefine the IA plan around critical supplies, critical services, financial resilience, BCM activities and other critical business activities. Increase the tolerance for advisory activities to suit business needs. An urgent Audit Committee meeting should be called to agree the way forward in light of the above.
• Establish a process for providing regular assurance to management and BOD over ongoing crisis response activities (bi-monthly or monthly).
• Re-evaluate risk priorities in light of the pandemic and put the approved IA Plan on hold.
• Perform an evaluation of existing BCM/Crisis Response plans and ongoing activities.
• Re-design IA operations based on current limitations (e.g. working from home, social distancing, etc.).
• Identify key risk areas in light of the pandemic and issue an interim report to Top Management and BOD.


EXERCISE – REFOCUSING IA EFFORTS

Take 20 minutes to review and answer the questions below from the perspective of your current employer:

• What are the critical activities of your organization?
• What are the supplies your organization’s continuity is dependent on?
• What are the critical services that your organization must continue to provide?
• In what ways does Covid-19 affect your organization’s financial performance?
• Could Covid-19 impact your organization’s liquidity? If yes, what would be the appropriate response (e.g. cost reduction, financing/funding, etc.)?
• What risks does working from home pose to your organization?
• How does Covid-19 impact your workforce? Is there an increase in workforce distress? Is there an impact on personnel productivity?
• Is your organization dependent on the ability of specific professionals to perform their duties? If so, which professionals and is there a clear line of succession?
• Does Covid-19 provide opportunities for your organization to outgrow or outperform competition?


TECHNOLOGY RISKS ARISING FROM COVID-19

Key Risks / Model Controls

Video Conferencing - Security
• Video conferencing should be performed on software with enterprise licenses.
• All video conferences should be set to private mode and access should be password protected.
• Meeting organizers should regularly check during the meetings that only the invited attendees are logged in to the call.

Home WIFI - Security
• Home WIFI connections should be subject to stricter controls including: strong passwords, regular changing of WIFI password, regular updates of router firmware and enabling secure encrypted connection.

Working Off Corporate Servers - Data
• Access to corporate servers should be secured through VPN.
• 2-factor authentication should be applied to critical business applications.
• Back-up procedures should be updated to ensure data on laptops is regularly backed up.

Email Phishing - Security
• Awareness should be specifically raised about phishing email themes prevalent during the pandemic.
• An email account should be set up for users to report any suspected phishing emails. The IT department should review suspected emails and communicate to the overall organization on preventive procedures.


END OF DAY - 1


DAY - 2


REFOCUSING IA PLAN – UNIVERSITY CASE STUDY

Typical IA Plan

• Accreditation.
• Student recruitment.
• Research and publications.
• Revenue and collections.
• Procurement.
• IT General Controls.
• Facilities management.
• Human Resources.
• Employability and student affairs.

Refocused IA Plan

Assurance Engagements:
• Business Continuity Management process and Covid19 specific crisis response plan.
• Ongoing crisis response activities to date.
• E-learning platform/application.
• Key-man risk and succession plans, specifically for academic staff.
• Working capital and revenue management.
• Covid19 specific compliance.
• IT security and disaster recovery.

Advisory/Consulting Engagements:
• Continuous assurance over ongoing crisis response activities. (Bi-weekly reporting)
• Financial modelling for potential discounts and reduction of non-academic revenue.
• Design of Covid19 compliance framework.
• Assessment of key-man risk and development of succession plan.

Changes to Risk Universe Due to Covid-19

• Changing delivery to 100% online.
• Majority of staff working from home.
• Expectations from community to offer discounts on tuition fees.
• Higher risk of key staff being unavailable.
• New regulations from MOH and MOE regarding Covid19.
• Limited revenue from non-tuition related revenue streams.

Key Considerations

• IA Plan is subject to change in light of new circumstances.
• Assurance engagements do not need to fulfill IA methodology steps by 100%.
• Independence should be considered but is not a priority.


EVALUATING COVID19 CRISIS MANAGEMENT ACTIVITIES

Best Practice Methodology for Developing Covid19 Response Plan

• Scenario Assessment and Financial Modelling
• Establish Crisis Response “Team Alpha”
• Approval
• Assess and Equip
• COVID-19 Resilience strategy

What to Check

• Has management developed clear plans and processes to address the following:
  - Key-man risk and succession planning.
  - Adapting the operating model to align with regulations and Covid19 related precautions.
  - Securing key supplies and ensuring the continuity of critical services.
  - Optimizing working capital and establishing thresholds for reserves.
  - Communication with staff, customers, shareholders and stakeholders.
• Did management develop a multi-tiered response plan with defined triggers for escalation?
• Was a multi-disciplinary task force/committee established to monitor and respond to changing circumstances?
• Does the task force have clearly articulated roles, responsibilities and authorities, and do they meet at least weekly?
• Is there a regular (bi-weekly) process to report to top management and the BOD on Covid19 response?
• Are IT availability, security and recovery risks addressed?


EXERCISE – REFOCUSING IA EFFORTS

Take 30 minutes to review and address the below requirements in line with the case study completed on the previous slide:

• List down the audits that were supposed to be completed in the first 3 quarters of the year, prior to the outbreak of Covid19.
• List down the key changes that Covid19 has forced upon your organization along with key risks.
• List down a refocused IA plan stating key assurance engagements to be completed as well as advisory engagements that are needed for your organization to fill existing gaps.
• List down 3 top agenda items to be discussed with your audit committee in the next meeting.
• Prepare a 3-5 minute presentation.


IA WORKING REMOTELY OPERATING MODEL

Current unprecedented times require flexibility in the processes of Internal Audits to ensure maximum efficiency and minimal disruptions of business.


IA WORKING REMOTELY OPERATING MODEL (CONT.)

Common Concerns

• Audits may not provide the expected results due to remote working arrangements.
• Remote working arrangements may result in a number of scope limitations.
• Remote working arrangements may increase data security risks.
• Use of digital technologies for communication during the audit process may increase the required time commitment from the auditees.

Responses

• The audit process is inherently flexible. Face-to-face interaction is typically required in the phases of process understanding and closing meetings. Digital alternatives such as video conferencing are just as effective.
• The audit cycle is designed over those areas that matter the most to the continuity of the organization. Where access to information or personnel is restricted, partnerships will be sought with process owners to fulfil the audit requirements under the common goal of ensuring the organization prevails.
• Strict regulation pertaining to data safety shall be followed in line with overall organizational procedures.
• The audit process ensures that we do an extensive review of available information prior to conducting meetings with auditees. This ensures that we minimize the time required from the auditees to facilitate the audit requirements.


IA WORKING REMOTELY OPERATING MODEL (CONT.)

Higher emphasis is placed on a number of areas within the audit process to ensure Internal Audit work delivers the required outcomes.

• A smart approach to fieldwork places high reliance on digital data exchange and limits the need for reviewing physical documentation
• Reliance on digital technology as a substitute for face-to-face interactions
• Conducting periodic update sessions ensures all parties are on the same page and working towards a common goal
• We emphasize the use of email confirmations on key audit milestones to avoid miscommunication
• No physical meetings/interactions required
• We capitalize on the inherent flexibility of the co-sourcing model to ensure full audit coverage
• We employ the highest standards of data protection and privacy to ensure your information is well protected


ONGOING COVID19 ASSURANCE PROCESS

• Identify key factors of the Covid19 response programs
• Design tests and checklists for ensuring the response plans are being followed
• Dedicate 4 hours a week to review news and available info on Covid19 and relate it to your organization
• Assess whether Covid19 circumstances require an escalation of organizational alert mode
• IA should be a member in the Covid19 response task force to keep updated
• Identify prevailing risks and key gaps in Covid19 response program
• Evaluate the need to launch advisory engagements to help fill existing gaps
• Summarize key risks, issues, recommendations and advisory engagements to support top management
• Issue a report every 2 weeks to top management and the audit committee


END OF DAY - 2