Impact on Internal Audit Impact on internal auditing
2 April 2020
The Corona virus has become a global pandemic The impact is going to be longer than expected The impact is going to be more severe than anticipated
John Bendermacher RA CIA
• 1979 - 1991 Rijksaccountantsdienst Amsterdam
• 1991 - 1996 Belastingdienst/Grote Ondernemingen Amsterdam
• 1997 - 1998 De Nederlandsche Bank
• 1999 - 2004 NIBC Director Internal Audit & Compliance
• 2005 – 8/2011 Robeco Groep Director Group Internal Audit
• 9/2011 – 9/2013 SNS REAAL Director Group Audit
• 10/2013 – 4/2019 ABN AMRO Chief Audit Executive
• 5/2019 - .. Euroclear Group Chief Audit Executive
• 2012 – 2018 Board IIA Nederland; chairman 2016 - 2018
• 2015 – 2019 Board IIA Global
• 2018 – 2019 Vice-Chair Professional Practices, ExCo IIA Global
Content
Adding value to crisis management
• Internal Audit’s role in crisis meetings
• Auditing crisis management
• Auditing deep dives on risks and the like
Impact on Internal Audit
• Risk assessment Ad Hoc audits
• Impact on audit plan
• Impact on resources
• Impact on staff and wellbeing Survey results and discussion
Adding value to crisis
management
Internal Audit’s role in crisis meetings
”Stay out of the way” but help crisis management
• Observe preparation of the meetings and the topics discussed
• Judge the materials for completeness, clearness, correctness
• Observe mechanism in meetings
• Judge clarity of decisions
• Observe communication
• Observe reporting and escalation from lower to higher levels
• Observe involvement of management committee
• Observe Q&A regulators, workers council, et cetera
Usefull input for auditing crisis management, an independent and objective assessment, reported to the Board
Auditing crisis management
Topics to include
• Continuity plan and related risk management guidelines
• Timely update of the continuity plan after pandemic outbreak
• Design and effectiveness of the crisis organization (+ cooperation)
• Sufficiency of dashboards and management information
• Decision making process (management committee crisis teams)
• Arrangements to have employees work remotely
• Communication plan to staff, clients and regulators
• Impact on client servicing and client satisfaction
• Impact analysis on financials
• Impact on strategic objectives
• Relevant deep dives on emerging risks performed?
• Reporting to the Risk Committee/Audit Committee/Board
• …
Auditing crisis management
Timely update of continuity plan after pandemic outbreak
• Reasonable assumptions about the nature and impact
• Flexibility of the supply chain
• Flexibility of HR policies and procedures to adapt for changes
• Technology and processes ready for working remotely
►Webex
►Controls like signatures, four eyes principle
• Impact on sales and delivery channels
• Preparedness of relevant stakeholders, business relations, servicers and suppliers
Source: Protiviti
Auditing crisis management
Arrangements to work remotely
• Connectivity
• Facilities: laptops, virtual meetings
• Healthy workplace (budget?)
• Access to information
• Security of information sharing
• Volumes handling
• Incidents handling
• Printing?
• Awareness for phishing
• Keeping up morale
Auditing crisis management
Relevant deep dives
• Audit of ‘Extreme but plausible scenarios’
►Completeness of the gross list of scenarios
►Sufficiency of the impact analysis
►Quality of the decision process to choose (17 2)
►A tempo involvement in exploring scenario(s) chosen
►..
• Audit of ‘Impact on financial markets’
►To be started soon
►Assumptions
►Hardening of figures used
►Risk appetite/attitude
►..
Impact on Internal Audit
Impact on Internal Audit
Risk assessment Ad Hoc audits
• Risks are changing, new risks may arise
• Some of these the 1st and 2nd LoD will see, some maybe not
• Make an inventory of changes in risks and control environment
►Assess the additional measures/compensating controls taken by management
►Schedule Ad Hoc engagements
• Examples:
► Operational risk: Processes with many manual steps: staff morale, key person risk
► Outsourcing risk: Continuity of services safeguarded (India total lock down)?
► Model risk: Models still expected to provide viable outcome, algorithms still valid?
► Reputation risk: Relationship management clients through proper communication?
► Settlement risk: All markets open, stakeholders successfully in working remotely
► IT Security risk: Instructions and reporting by e-mail sufficiently secure?
► Cyber risk: increased intensity of attacks observed
► Country risk: specific given governmental measures
Impact on Internal Audit
Impact on audit plan
! Stakeholders, including the Audit Committee, may
consider us as less important in the given circumstances
! Auditees: We have to give some breathing space
Audit plan needs to flexible – report changes to the Audit Committee
• Add Ad Hoc audits based in changing risks and controls
• Postpone audits not possible because physical presence required
• Suspend audits with limited urgency or lower priority in case of stress with the auditee (illness, extra workload, ..) or staff shortage
• Change the audit approach to real-time auditing/controls monitoring, e.g. through Data Analytics and Continuous Auditing
• Be sensitive to push back from auditees
• Be sensitivity while bringing negative messages
• Be reasonable in follow-up monitoring
• And…..maybe step out of auditing when the situation gets worse
Impact on Internal Audit
Impact on resources
Resources plan needs to adjusted – report changes to Audit Committee
• Illness may impact available resources
• Potential loss of productivity (a.o. child care)
• Slowing down of recruitment and onboarding
• Insourcing no longer fully practical, much lower than budgeted
• Vacation postponed to second half of 2020
• Keep good track of staff being sick, or unable to work stay in contact
• Review audit team capabilities and facilities
►Make sure everybody has a laptop and connectivity
►Home office should be healthy
►Availability of audit workflow tool and other tools
►Promote online trainings
• Increase communication within the teams and for division
• Find ways to keep up morale (and maybe measure)
• Avoid too many hours of teleconferencing
• Just randomly call staff to catch-up
Impact on Internal Audit
Impact on staff and wellbeing
?
?
?
??
?
?
?
?
?
?
?
Q & A
Impact on Internal Audit Survey results &
discussion
Survey results (NL+BE = 119)
NL=74 BE=45
1. Internal Audit should stay out of the way during a crisis.
2. Internal Audit is able to add value to the crisis management.
3. My internal audit function will perform an audit on the crisis preparedness and management.
4. My internal audit function is/was fully prepared for remote working.
5. We are experiencing substantial push back from the auditees as a result of the crisis.
6. I will analyse the impact on the audit plan and resources, adjust the plan and report to the Board on it.
7. My internal audit function stopped performing audits to be able to assist the business get through the crisis.
8. My board asked me to support with operational issues.
9. During this extended teleworking, I keep staff morale high by: “………”
Internal Audit should stay out of the way –
NL+BE
Internal Audit is able to add value – NL+BE
Perform an audit on crisis preparedness
and management – NL+BE
My internal audit function is/was fully
prepared for remote working – NL+BE
Experiencing substantial push back from
the auditees – NL+BE
Analyse impact on audit plan and resources, adjust the plan and report to the Board –
NL+BE
Stopped performing audits to be able to
assist the business get through the crisis –
NL+BE
Board asked me to support with
operational issues – NL+BE
During extended teleworking, in NL you
keep staff morale high by….
IIA Guidance (IIA Global)
https://na.theiia.org/Pages/Updates.aspx