Mindset Matters: A Permanent Shift to the New Normal in IT Audit

On 11 March 2020, just two months after the initial cases were uncovered in Wuhan, China, the World Health Organization officially declared COVID-19 a pandemic. Eight days later, the US State of California became the first state to issue a stay-at-home order, requiring all residents to remain at home except to perform essential jobs or shop for essential needs.

With these developments on these two dates, enterprises around the world were faced with unprecedented challenges, and internal audit departments were as well. Some were better prepared than others, having already taken steps to increase their agility and adaptability. Some were still in the process of implementing change, and still others were caught unaware and had to scramble to make the necessary adjustments in both mindset and behavior. The pandemic vastly accelerated an evolution that was already underway, whether internal audit teams and the business partners that supported them were ready or not.

By now, this narrative is familiar. Less certain is whether audit teams can adapt long term to remote workplaces, new challenges to IT security and functionality, less face-to-face interaction, and, in many cases, diminished resources. There is no going back to prepandemic circumstances. Instead of viewing COVID-19 as a problem to be dealt with, industries and individual organizations must discern how they will look, operate and thrive in a postpandemic world.

Internal audit departments, including those that focus on IT audits, must evolve to meet organizational challenges across four areas:

1. Remote employees
2. Audit planning
3. Technology
4. Internal audit talent

Remote Employees

As efforts to mitigate the spread of COVID-19 forced many employees to work remotely—often for the first time—there was a logical increase in risk related to assets, governance, information security and audit coverage. In addition, enterprises had to deal with disrupted business environments, increased uncertainty about reputation and sustainability, and the need to implement more innovative tools and skills. These outcomes placed a greater burden on internal audit departments to adapt to a dynamic landscape while ensuring secure oversight. In many instances, internal audit practitioners have had to do more with less, delivering a wider range of services with fewer resources and tighter deadlines. McKinsey and Company summed up the situation with this insight: “The aggregate picture is consistent across the board—an imperative to align with a new normal and unlock more efficient and effective assurance processes.”¹

A key aspect of this new normal is employees who enjoy, or have grown accustomed to, working remotely and are reluctant to resume a rush-hour commute to the office when it becomes safe to do so. Some employees may harbor concerns about being infected with COVID-19 (or unknowingly infecting others) if they are required to return to the office. These issues require chief audit executives (CAEs) to tap into their emotional intelligence and, in some cases, assume the role of counselor as they devise plans for staff to return to the office (or not) that both ensure the proper functioning of the internal audit department and address team members’ needs and fears.

Just as important, CAEs need to keep a keen eye on their teams’ mental health. As weeks turn into months and months potentially turn into years, the isolation of remote working can take its toll on employee morale. Internal audit employees once enjoyed daily face-to-face interaction with coworkers, but since COVID-19, they have not had that opportunity. If, in the postpandemic world, enterprises decide that some, many or all internal audit employees will continue to work remotely, leaders will have to devise methods to alleviate the stress and anxiety of working independently. “There are typically ebbs and flows to morale, but this [the pandemic] is making the ebbs longer and deeper.”²

The internal audit department of the near future must increase its versatility while redeploying resources to those areas with the greatest need.

Another challenge posed by remote work is how to facilitate auditors’ proximity to technology assets. For IT audit teams with limited access to facilities, physical access must be incorporated into audit planning with the same degree of thought that goes into travel planning. A standard audit engagement plan must address whether physical access to hardware is required, when that access should be allowed to take place and how to maximize the value of that activity across multiple engagements.

Audit Planning

There has been a noticeable shift within audit departments toward a focus on emerging risk factors and a reshaping of audit plans to keep staff fully engaged and agile enough to address special projects. The internal audit department of the near future must increase its versatility while redeploying resources to those areas with the greatest need. This change in strategy must seamlessly interact with faster business cycles and greater complexity. It may become imperative for the internal audit function to shift its attention to areas that were not considered high risk (or any risk) in the past. For example, given changes in work environment:

Basic control steps such as supervision and segregation of duties may be compromised—especially where companies rely on technology workarounds that preclude physical oversight and inquiry. Remote-technology latency issues, meanwhile, may undermine time-sensitive processes.³

Technology

The internal audit department of the not-so-distant future needs to embrace technology in the performance of its own roles and functions. Identifying control weaknesses directly correlates to the early identification of emerging risk factors. To do this, organizational resources must be invested in advanced analytics techniques. Those internal audit departments that make this investment will possess the capacity to prioritize audits and testing that reflect a highly dynamic internal and external environment. They will have the ability to perform a wider range of functions with greater accuracy, including risk assessment, audit planning and execution.

With internal auditors working remotely, teams are challenged to adopt more sophisticated technological elements, including:

• Site reconnaissance—Making virtual site visits using local staff to record and transmit video and audio information back to the audit manager at headquarters
• Segregation of duties (SoD) violations—Retrieving security and SoD violations, errors and alerts from IT reports to assess governance, risk and compliance (GRC)
• Historical patterns—Using historical data to compute and assess potential patterns in the enterprise’s chronological development
• Data sharing—Using online sharing tools to enable direct access to specific folders and information (thus eliminating data or document requests)
• Data analytics—Using advanced data analytics options, including process mining, correlation analysis, and exception or anomaly seeking⁴

Auditors are being pressured from two directions. On the one hand, enterprises are more vulnerable to fraud and cybersecurity attacks because of remote work environments (and a more online lifestyle in general), leading to significant changes in internal controls. On the other hand, internal audit departments face daunting circumstances due to potential staff reductions and resource constraints. But neither expectations nor standards have changed, and COVID-19 has forced internal audit departments to find new ways to carry out their functions. Auditors must leverage:

…existing and new technology to conduct audits remotely, from remote data extraction and analysis to inventory counts using drone technologies.… These new ways of operating need to be done in a way that adheres to established standards and delivers assurance to stakeholders.⁵

However, new technologies often come with new challenges. If post–COVID-19 internal audit teams remain even partially remote, enterprises need to ensure greater levels of information security and invest more resources to provide employees with adequate computer access. Expect enterprises to continue “investing in infrastructure analytics, and security-based tools…to enable efficient and effective remote audit work.”⁶

Regardless of the challenges confronting internal audit departments, it is clear that they cannot focus solely on remote audits. They must remain committed to “transforming underlying processes using technology to achieve three objectives: a higher quality audit, a more efficient audit and better business insights… through the traditional audit process.”⁷

If post–COVID-19 internal audit teams remain even partially remote, enterprises need to ensure greater levels of information security and invest more resources to provide employees with adequate computer access.

Internal Audit Talent

With resources strained and the audit function tasked with more responsibilities, CAEs must reimagine the shape and makeup of not only their internal audit departments, but also their individual team members. The remote audit approach naturally lends itself to testing the resilience, skills and capabilities of team members. Auditors need to sharpen several valuable skills to maintain audit momentum despite new challenges and changing circumstances:

• Critical thinking—Gathering, validating, analyzing or evaluating, and interpreting data and arriving at a conclusion
• Deductive reasoning—Basing understanding and recommendations on logic and clearly defined preconditions, including internal SoD rules or standards; documented procedures, guidelines and policies; and control requirements based on internal control system (ICS) frameworks
• Inductive reasoning— Basing understanding and recommendations on objective interpretations of evidence supplied (e.g., signatures, initials, dates) and personal experiences (e.g., knowledge of best practices)
• Resilience—Possessing the ability to cope with multiple parallel activities while focusing on key matters and maintaining a connection with auditees⁸

CAEs must know their teams’ strengths and weaknesses, which requires the ability to evaluate personnel skills and capabilities, map these attributes to revised auditing strategies, promote appropriate professional development, and expertly synchronize skill development to staff goals and performance evaluations. In addition, CAEs must balance organizational and team needs with their visions of the ideal auditor. This may require a change in the department’s seniority level, a reconfiguration of work teams or a change in audit staff.

If change is required, the question becomes: Is there a robust talent pool to provide the necessary employees to achieve the stated objectives? Furthermore, will those new employees mesh well with existing team members, leading to a seamless transition? If new talent cannot be found, the onus will be on leadership to provide existing personnel with opportunities to gain the necessary expertise to produce the desired results.

Conclusion

CAEs who are unwilling to change their mindsets or deviate from how things have always been done will find little footing. COVID-19 is no longer a contingency to be worked around. In many ways, it has irrefutably changed the audit industry going forward. More important than any tactical decision they might make, CAEs must adopt mindsets that accept and focus on the current reality and consider with open minds what must be done to succeed in today’s new normal and effectively lead in the areas of talent management, audit planning and technology adoption. Once those objectives are accomplished, the path forward may be surprisingly clear.

Endnotes

¹ Kristensen, I.; M. Manocaran; E. Sannini; H. Usman; “Building the Internal-Audit Function of the Future,” McKinsey and Company, 21 February 2021, https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/building-the-internal-audit-function-of-the-future
² Kohnke, A.; “Sizing Up the Impact of COVID-19 and Remote Work on IT Auditors,” ISACA Now, 3 December 2020, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/sizing-up-the-impact-of-covid19-and-remote-work-on-it-auditors
³ Op cit Kristensen et al.
⁴ Zupan, L.; “IA After COVID-19: New Skills and Capabilities Needed,” KPMG, 11 November 2020, https://home.kpmg/ch/en/blogs/home/posts/2020/11/ia-after-covid-new-skills.html
⁵ Kalia, N.; “How the Pandemic Is Accelerating the Future of Audit,” KPMG, 19 October 2020, https://home.kpmg/ca/en/home/insights/2020/10/how-the-pandemic-is-accelerating-the-future-of-audit.html
⁶ Parker, S.; “What Will the Future of Audit Work Look Like?” AuditBoard, 8 July 2020, https://www.auditboard.com/blog/future-audit-work/
⁷ Op cit Kalia
⁸ Op cit Zupan

KEVIN M. ALVERO | CISA, CDPSE, CFE

Is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the enterprise’s Global Media products and services.