When COVID-19 began to disrupt businesses across the globe last year, internal auditors shifted their focus to the critical risks posed by the virus, identifying and reviewing management’s assessment of those risks as well as related remediation plans and controls. Audit committee members we surveyed last summer said that, by and large, that shift was successful, and internal audit plans proved flexible. Today, internal auditors face a similarly difficult challenge: identifying emerging risks that are critical to the company’s operations, strategy, and reputation while ensuring that their audit plans are risk-based, flexible, and dynamic in light of COVID-19 developments, the recession, and other macrotrends.
From an internal audit perspective, assessing the critical risks and strategic opportunities in this environment will require
In addition, internal audit should ask the following key questions to help frame and focus its work:
As internal auditors adjust their audit plans, seven emerging risks should be front-and-center.
Cybersecurity and data governance. Cybersecurity remains a top risk, given the shifts to remote work, digital transformation, online customer engagement, and the growing sophistication of cyber attackers. The recent SolarWinds cyberattack has increased concerns about the risks posed by third-party vendors. Among the questions internal audit should be asking: Does the company’s data governance framework make clear how and what data is being collected, stored, managed, used, and accessed—and who makes decisions regarding these issues? Are monitoring and response plans focused on limiting day-one impacts when a breach occurs?
Culture, ethics, and compliance. COVID-19 has increased the reputational costs of an ethics or compliance failure, particularly given the changed control environment, increased fraud risk, and the pressure on management to meet financial targets.
Evolving COVID-19 risks. Leaders must grapple with reopening their businesses, managing remote workforces, accelerating digital transformation, building more resilient supply chains, and strengthening connections with customers. Navigating this uncertain environment will require a sharp focus on people, liquidity, operational risks, and contingencies while maintaining sight of the overall strategy.
Accelerating megatrends. From climate risk to cyber threats, scenario planning will be critical as we adjust to the new normal, and internal audit needs a seat at the table.
Environmental, social, and governance (ESG). COVID-19 is accelerating shifts in how stakeholders view corporate performance and companies oversee and disclose ESG risks. Internal audit should understand ESG strategy to provide assurance and advise on controls.
Human capital management. Issues related to COVID-19 and social unrest have amplified the importance of human capital management to a company’s performance and reputation, driving demand for better disclosure of how the board oversees human capital and talent development programs and their link to strategy.
Regulatory enforcement. Consider the risks posed by increased regulatory enforcement going forward. Tax reform, the U.S. Securities and Exchange Commission’s regulatory agenda, trade policy, climate-related regulation, and other changes will require internal audit’s attention in coordination with the enterprise response.
Crisis readiness. Is the company prepared for the next major crisis? Can the lessons of 2020 help build a more resilient enterprise that can quickly respond to growth opportunities and adversity?
Given the unprecedented complexity and uncertainties ahead, it has never been more important for internal audit—as the audit committee’s eyes and ears—to help paint a holistic picture of the company’s vulnerabilities and opportunities. That will require details and data, but the big picture is vital.
This article originally appeared in the March/April 2021 issue of NACD Directorship magazine.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.