COVID-19 AND THE ROLE OF INTERNAL AUDIT: SUPPORTING RESILIENCE IN TIMES OF UNCERTAINTY
COURSE AGENDA
1 The Fundamentals of Business Continuity
2 The Critical Role of IA in Crisis Management
3 Adapting IA Operations to Covid-19
4 Refocusing IA
5 Identifying and Evaluating Processes Under Stress
6 Assurance Over Crisis Response Activities
7 Multi-tiered Response Plans
DAY - 1
INTRODUCTION
The COVID-19 outbreak has brought BCM and Crisis Management to the forefront of doing business.
Organizations that have effective crisis management programs have proved to be more resilient, flexible and efficient.
In times of crisis, the management of many organizations argues that it is best to slow down Internal Audit activities to ease the burden on process owners.
Internal Audit has a vital role to play in such challenging times.
Internal Auditors, however, must move away from their business-as-usual activities and refocus on what matters the most during these difficult times.
The aim of this course is to strengthen the participant’s understanding of the role of Internal Audit in crisis management and how Internal Auditors should adapt their methodologies and scope of work to support their organizations in times of crisis.
EMERGENCY RESPONSE QUESTIONNAIRE
Take 20 minutes to review and answer the questions below from the perspective of your current employer:

| Question | Answer |
| --- | --- |
| How much working capital (cash flow) does your organization need to cover 3 months of operations in a Covid-19 worst case scenario? | |
| If a 20% discount has been mandated by law over your key services, how would your organization’s financial sustainability be affected? | |
| Who are the top 5 professionals in your organization that can cause a disruption in operations if they were infected and quarantined? | |
| Does your organization maintain a comprehensive list of regulations related to Covid-19 that must be enforced? | |
| Does your organization’s business continuity plan provide for necessary escalation if the Covid-19 situation deteriorates? | |
| What external event would invoke a maximum alert status in your organization? | |
| What are the key areas in your organization where cost can be reduced to respond to slowing economic conditions as a result of Covid-19? | |
| Does your organization have a clear plan for how to operate in the first 6 months after the Covid-19 crisis ends? | |
COVID-19 IA QUESTIONNAIRE
Take 10 minutes to review and answer the questions below from the perspective of your current employer:

| Question | Answer |
| --- | --- |
| To what extent have you modified your IA plan since the outbreak of Covid-19? | |
| Do you agree that IA activities should be reduced to avoid overcrowding critical operations and personnel? | |
| If you have made changes to your IA plan, what are the top 3 areas of focus for IA over the next 3 months? | |
| Did your IA function call for an urgent Audit Committee meeting or was the committee convened as scheduled? If an urgent meeting was called, what were the top 3 agenda items? | |
| Did the IA function identify the critical supplies and services of the organization? If so, list the top 3 of each. | |
| Did your IA function complete an audit of your organization’s Covid-19 response plans? | |
| Is one of your ongoing IA activities right now to provide continuous assurance to top management and the BOD over ongoing crisis response activities? | |
THE COVID-19 CRISIS HAS POSED UNPRECEDENTED RISKS TO BUSINESSES
• Strain on Revenue Cycle and Working Capital
• Risk of Key Personnel Being Quarantined
• Interruptions of Key Supplies
• Critical Service Failure
• Noncompliance with Covid-19 Specific Government Regulations
• Drastic Change in Customer Behavior
• Breakdowns in Traditional Crisis Response Plans
CLEAR STRATEGIES MUST BE DRAWN UP FOR KEY BUSINESS AREAS
As the novel coronavirus outbreak has dramatically impacted businesses around the world, two things have become clear: formidable actions are required at lightning speed, and traditional crisis-response methods will not suffice. Strategies must be drawn up to reinforce key business areas, including:
01 People: Identifying key personnel, adapting working arrangements, managing workforce distress
02 Operations: Adapting operating model to escalating circumstances
03 Value Chain: Securing key supplies and critical services
04 Financial Resilience: Safeguarding revenues, optimizing costs and managing working capital
05 Monitoring and Reassessment: Continuous monitoring and analysis of changing circumstances and responding effectively
06 Communication: Maintaining effective communication with workforce, customers and stakeholders
ILLUSTRATION OF TIERED RESPONSE PLANS
Optimistic Scenario Response Plan: Continue operating as-is. Focus on continuous reassessment of market conditions, scenario modelling and performance management.
Moderate Criticality Response Plan: Engage medium alert mode. Limit unnecessary spend, secure key personnel, ensure security of supply, limit uncritical operations.
Crisis Plan: Deploy full crisis response mode. Implement break-the-glass cost reductions, shut down uncritical activities, strengthen reserves.
Scenario conditions and Panic Triggers shown in the illustration:
• Conditions remain relatively unchanged or virus spread starts to slow down
• Uncontrolled virus spread, severe business exposures and government imposed restrictions
• Full-scale country wide lock down is imposed
FUNDAMENTALS OF BCM
• Identify critical activities
• Establish a common risk appetite
• Business Impact Analysis
• Define authorities and triggers for invoking crisis status
• Develop response plans for different levels of crisis
• Establish clear communication channels for potential continuity risks in critical business areas
• Define BCP owners and key responsibilities clearly
• Define disaster communication plans
• Test, communicate and learn
KEY BCM FAILURES
BIAs are performed bottom-up rather than top-down leading to the inability to identify critical functions in line with organizational governance and strategic objectives.
Absence of an approved risk appetite matrix leading to the inability to assess BCM risks in a manner that reflects corporate priorities.
While BCM documentation is established (e.g. BCPs, BIAs, etc.), the BCM functions are not activated with clear targets, ownership, drills, ongoing review and updates, etc.
Disaster recovery plans for critical IT business applications are not aligned to organizational continuity priorities.
Lack of awareness regarding BCM within the organization due to the absence of awareness workshops, training programs and BCM testing.
Communication and Media Response Plans do not define clear parameters for what information should be communicated to which parties in case of an emergency.
Absence of annual audits of BCM activities and annual revision of BCM policies and plans in line with changing external environment.
THE CRITICAL ROLE OF IA IN RESPONDING TO COVID-19
• Redefine the IA plan around critical supplies, critical services, financial resilience, BCM activities and other critical business activities, increasing the tolerance for advisory activities to suit business needs. An urgent Audit Committee meeting should be called to agree the way forward in light of the above.
• Establish a process for providing regular assurance to management and BOD over ongoing crisis response activities (bi-monthly or monthly)
• Re-evaluate risk priorities in light of the pandemic and put the approved IA Plan on hold
• Perform an evaluation of existing BCM/Crisis Response plans and ongoing activities
• Re-design IA operations based on current limitations (e.g. working from home, social distancing, etc.)
• Identify key risk areas in light of the pandemic and issue an interim report to Top Management and BOD
EXERCISE – REFOCUSING IA EFFORTS
Take 20 minutes to review and answer the questions below from the perspective of your current employer:
• What are the critical activities of your organization?
• What are the supplies your organization’s continuity is dependent on?
• What are the critical services that your organization must continue to provide?
• In what ways does Covid-19 affect your organization’s financial performance?
• Could Covid-19 impact your organization’s liquidity? If yes, what would be the appropriate response (e.g. cost reduction, financing/funding, etc.)?
• What risks does working from home pose to your organization?
• How does Covid-19 impact your workforce? Is there an increase in workforce distress? Is there an impact on personnel productivity?
• Is your organization dependent on the ability of specific professionals to perform their duties? If so, which professionals and is there a clear line of succession?
• Does Covid-19 provide opportunities for your organization to outgrow or outperform competition?
TECHNOLOGY RISKS ARISING FROM COVID-19
Key Risks and Model Controls
Video Conferencing - Security
• Video conferencing should be performed on software with enterprise licenses.
• All video conferences should be set to private mode and access should be password protected.
• Meeting organizers should regularly check during the meetings that only the invited attendees are logged in to the call.
Home WIFI - Security
• Home WIFI connections should be subject to stricter controls including: strong passwords, regular changing of WIFI password, regular updates of router firmware and enabling secure encrypted connection.
Working Off Corporate Servers - Data
• Access to corporate servers should be secured through VPN.
• 2 factor authentication should be applied to critical business applications.
• Back-up procedures should be updated to ensure data on laptops is regularly backed up.
Email Phishing - Security
• Awareness should be specifically raised about phishing email themes prevalent during the pandemic.
• An email account should be set up for users to report any suspected phishing emails. The IT department should review suspected emails and communicate to the overall organization on preventive procedures.
END OF DAY - 1
DAY - 2
REFOCUSING IA PLAN – UNIVERSITY CASE STUDY
Typical IA Plan
• Accreditation.
• Student recruitment.
• Research and publications.
• Revenue and collections.
• Procurement.
• IT General Controls.
• Facilities management.
• Human Resources.
• Employability and student affairs.
Changes to Risk Universe Due to Covid-19
• Changing delivery to 100% online.
• Majority of staff working from home.
• Expectations from community to offer discounts on tuition fees.
• Higher risk of key staff being unavailable.
• New regulations from MOH and MOE regarding Covid19.
• Limited revenue from non-tuition related revenue streams.
Refocused IA Plan
Assurance Engagements:
• Business Continuity Management process and Covid19 specific crisis response plan.
• Ongoing crisis response activities to date.
• E-learning platform/application.
• Key-man risk and succession plans, specifically for academic staff.
• Working capital and revenue management.
• Covid19 specific compliance.
• IT security and disaster recovery.
Advisory/Consulting Engagements:
• Continuous assurance over ongoing crisis response activities. (Bi-weekly reporting)
• Financial modelling for potential discounts and reduction of non-academic revenue.
• Design of Covid19 compliance framework.
• Assessment of key-man risk and development of succession plan.
Key Considerations
• IA Plan is subject to change in light of new circumstances.
• Assurance engagements do not need to fulfill IA methodology steps by 100%.
• Independence should be considered but is not a priority.
EVALUATING COVID19 CRISIS MANAGEMENT ACTIVITIES
Best Practice Methodology for Developing Covid19 Response Plan
• Scenario Assessment and Financial Modelling
• Establish Crisis Response “Team Alpha”
• Approval
• Assess and Equip
• COVID-19 Resilience strategy
What to Check
• Has management developed clear plans and processes to address the following:
  - Key-man risk and succession planning.
  - Adapting the operating model to align with regulations and Covid19 related precautions.
  - Securing key supplies and ensuring the continuity of critical services.
  - Optimizing working capital and establishing thresholds for reserves.
  - Communication with staff, customers, shareholders and stakeholders.
• Did management develop a multi-tiered response plan with defined triggers for escalation?
• Was a multi-disciplinary task force/committee established to monitor and respond to changing circumstances?
• Does the task force have clearly articulated roles, responsibilities and authorities, and do they meet weekly at least?
• Is there a regular (bi-weekly) process to report to top management and the BOD on Covid19 response?
• Are IT availability, security and recovery risks addressed?
EXERCISE – REFOCUSING IA EFFORTS
Take 30 minutes to review and address the below requirements in line with the case study completed on the previous slide:
• List down the audits that were supposed to be completed in the first 3 quarters of the year, prior to the outbreak of Covid19.
• List down the key changes that Covid19 has forced upon your organization along with key risks.
• List down a refocused IA plan stating key assurance engagements to be completed as well as advisory engagements that are needed for your organization to fill existing gaps.
• List down 3 top agenda items to be discussed with your audit committee in the next meeting.
• Prepare a 3-5 minute presentation.
IA WORKING REMOTELY OPERATING MODEL
Current unprecedented times require flexibility in the processes of Internal Audits to ensure maximum efficiency and minimal disruptions of business.
IA WORKING REMOTELY OPERATING MODEL (CONT.)
Common Concerns
• Audits may not provide the expected results due to remote working arrangements.
• Remote working arrangements may result in a number of scope limitations.
• Remote working arrangements may increase data security risks.
• Use of digital technologies for communication during the audit process may increase the required time commitment from the auditees.
Responses
• The audit process is inherently flexible. Face-to-face interaction is typically required in the phases of process understanding and closing meetings. Digital alternatives such as video conferencing are just as effective.
• The audit cycle is designed over those areas that matter the most to the continuity of the organization. Where access to information or personnel is restricted, partnerships will be sought with process owners to fulfil the audit requirements under the common goal of ensuring the organization prevails.
• Strict regulation pertaining to data safety shall be followed in line with overall organizational procedures.
• The audit process ensures that we do an extensive review of available information prior to conducting meetings with auditees. This ensures that we minimize the time required from the auditees to facilitate the audit requirements.
IA WORKING REMOTELY OPERATING MODEL (CONT.)
Higher emphasis is placed on a number of areas within the audit process to ensure Internal Audit work delivers the required outcomes.
• A smart approach to fieldwork places high reliance on digital data exchange and limits the need for reviewing physical documentation
• Reliance on digital technology as a substitute for face-to-face interactions
• Conducting periodic update sessions ensures all parties are on the same page and working towards a common goal
• We emphasize the use of email confirmations on key audit milestones to avoid miscommunication
• No physical meetings/interactions required
• We capitalize on the inherent flexibility of the co-sourcing model to ensure full audit coverage
• We employ the highest standards of data protection and privacy to ensure your information is well protected
ONGOING COVID19 ASSURANCE PROCESS
• Identify key factors of the Covid19 response programs
• Design tests and checklists for ensuring the response plans are being followed
• Dedicate 4 hours a week to review news and available info on Covid19 and relate it to your organization
• Assess whether Covid19 circumstances require an escalation of organizational alert mode
• IA should be a member in the Covid19 response task force to keep updated
• Identify prevailing risks and key gaps in Covid19 response program
• Evaluate the need to launch advisory engagements to help fill existing gaps
• Summarize key risks, issues, recommendations and advisory engagements to support Top management
• Issue a report every 2 weeks to top management and the audit committee
END OF DAY - 2