By Antoine van Vlodorp
One of the internal audit’s roles is ensuring the effective management of risk within the first and second lines of defense. Little attention is given to managing risk within the Internal Audit Function (IAF) itself. The emerging risk of the Coronavirus (Covid-19) should trigger an update of the Risk Register of the IAF.
“The internal audit department is not free from risks and must deal with the emerging risk of the Coronavirus”
Like management in the first and second lines of defense, CAEs are expected to assess the risks of the IAF and define a set of controls to ensure that the IAF operates as planned. Regular Control Self Assessments or similar techniques must be implemented to monitor the ongoing effectiveness of these controls.
What do the Standards Say?
Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity states that “the internal audit activity is not immune to risks. It needs to take the necessary steps to ensure that it is managing its own risks”. The IAF should have its own Risk Management process. Typically such a process, like any risk management process, should include the following stages:
- Risk Identification: What are the risks the IAF is facing?
- Risk Assessment: How severe are those risks? Often assessed by applying an impact/likelihood matrix.
- Risk Mitigation: Accept, mitigate or transfer of risks depending on their severity.
- Risk Monitoring: Look out for new risks, changes to the risk assessment for existing risks and effectiveness of mitigation actions put in place.
The IAF’s risks and controls should be documented in a Risk Register. The Practice Advisory advise CAEs executives to address risks related to the IAF and its objectives and specify 3 categories of risks:
- Audit Failure: This refers to the inability or “failure” of the IAF to identify or make recommendations to prevent control failures. The question asked is usually “Where were the internal auditors?”. Reasons for Audit Failure include poor risk assessments, improperly designed audit procedures, auditors who are not skilled in the area they are auditing, etc.
- False Assurance: This occurs when the management believes that the IAF is covering a particular area or risk when in fact it is not. It is important to make sure that the risks being audited are clear and that the internal audit’s involvement in projects is clearly defined.
- Reputation Risk: While some CAE’s worry about having a reputation of being a policeman, there can be far worse labels which result from various control failures in the organization, the quality of internal audit staff, the attitude of auditors, etc
The impact of the Coronavirus (Covid-19) on the IAF
As the Coronavirus is a quickly emerging risk, the impact on the IAF should be assessed. Below some possible risks related to the Coronavirus:
- Coronavirus prevents auditors to travel to certain markets to perform planned audits.
- Auditors or family members are infected by Coronavirus and the auditor is put into quarantine (at home or in a hotel) affecting the audit plan execution.
- The organization closed its offices because staff members are infected or trying to prevent staff members from being infected. The auditor must work from home and is challenged in the execution of audits.
- Auditors are infected during travel and put into quarantine at their hotel abroad. The IAF will incur additional lodging costs affecting the IAF budget.
- Staff members of the organization are infected and are in quarantine and not able to provide the auditor with the requested audit information. As a result, the audit is delayed.
- The business of the organization is impacted by the Coronavirus resulting in a freeze of investments, travel and training budgets, travel restrictions and/or a freeze on recruitment. These decisions could have a direct impact on the IAF’s operations.
Evaluating the effectiveness of risk management and the first line of defense is an important part of Internal Audit’s work. But it is equally important that internal audit apply the same standards of Risk Management that it expects to see during an audit to itself. Every CAE should have a departmental Risk Register for the Internal Audit function that shows all risks Internal Audit is facing and the steps required to manage these risks. New emerging risks like the impact of the Coronavirus (Covid-19) should trigger an update of the IAF’s Risk Register.
About Antoine van Vlodorp
Antoine van Vlodorp is Head Internal Audit Netherlands, Europe, and Middle East & Turkey at Travelex and board member (secretary) at IIA Nederland.