​Internal Audit, COVID-19 Risks, and the Year Ahead

Readers of my blog know that, in recent years, I have constantly emphasized the importance of internal auditors anticipating future risks for our organizations. As I observed in a 2018 blog post:

As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year’s data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, our clients are already aware of past mistakes.

With the advent of operational auditing and, ultimately, the introduction of consulting/advice into our portfolio of services, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight to our beleaguered stakeholders, but it too suffers from limitations in an era when risks emerge at warp speed. Today’s insight may well be tomorrow’s hindsight.

There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organizations.

As important as it was to identify emerging risks two years ago, anticipating risks has never been more critical than it is today. The COVID-19 pandemic has accelerated the velocity of risk to an unprecedented level. For many organizations, risk assessments undertaken in 2020 have had shelf lives of only weeks or days. Each day brings new developments that directly influence the likelihood and potential impact of future events.

Consider a few of the uncertainties that organizations may face in just the fourth quarter of 2020:

• Will there be a second wave of COVID-19 infections where our organization operates?
• Will government officials and regulators relax quarantine restrictions that impact my company/industry?
• Will there be additional stimulus relief from the federal government?
• Will U.S. elections impact the equity markets?

As much uncertainty as there is in that list, remember that the fourth quarter is only days away. I believe those uncertainties will be only a drop in the bucket compared with the uncertainty of risks we face in 2021. Yet, if we are to be a source of value to our organizations, we must pull out our telescopes again and start surveying the horizon.

Better yet, we must start looking beyond the horizon – deep into 2021 – to identify emerging risks.

Many internal auditors are intimidated by the prospect of foreseeing future/emerging risks. We are uncomfortable because we lack the empirical evidence that we rely on in so much of our other work. However, this really isn’t rocket science. As I observed in the 2018 blog post:

There is no silver bullet for identifying emerging risks. Like all risk assessment, there is a degree of art in addition to science. However, if internal audit isn’t looking in the right direction, there is a greater likelihood of missing emerging risks. But just as storms in the Northern Hemisphere often emerge from the west, there are directions from which potential risks facing your company are likely to emerge.

For 2021, these could include:

• Prospects for a COVID-19 vaccine, its potential timing, and how it could impact your company/market.
• Prospects for renewed/extended COVID lockdowns in your region/market that will continue to disrupt or re-disrupt continuity of your business operations.
• Economic forecasts, macroeconomic as well as those facing your industry.
• Prospects for additional government stimulus and any provisions that would benefit your organization/sector.
• Other COVID-19-related disruptive threats or opportunities facing your industry.
• Resilience of the supply chain(s) upon which your organization depends.
• Outlook for the flu season and how it could exacerbate another COVID-19 wave.
• Geopolitical developments and the potential for extended international travel restrictions.

Regardless of the steps you take to identify emerging risks, you must remember that the risk assessment is a means and not an end. A risk assessment can serve several important purposes, but I believe the two most important uses for internal audit are: 1) to serve as a basis for audit planning, including securing the talent to address the risks and 2) to share internal audit’s perspective on emerging risks with management and the board.

Of course, our perspective will be useful, but certainly it shouldn’t be the first time management gives thought to these risks. As I noted before:

Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks that threaten the organization. We should position ourselves as a partner, not a competitor trying to one-up management, when it comes to emerging risk acumen. After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organization’s internal auditors.

The COVID-19 pandemic presents both risks and opportunities for internal audit. If we are proactive in identifying the risks that the pandemic presents, we have the opportunity to reinforce the value we deliver. The world’s best internal audit functions are already looking at 2021, and they are preparing to address the emerging risks that are almost certainly heading our way.

To be ready for 2021, we must start preparing now.

I’d be interested in your thoughts on this.