​Return-to-workplace Risks: Is Internal Audit Stepping Up?

Last week, I urged internal auditors to “roll up their sleeves” and help their organizations navigate risks related to returning workforces to their normal places of business. Part of that examination was a look at internal audit’s role in providing assurance on employee health and safety risks.

I outlined four key questions for practitioners to consider:

• Has management adequately identified and assessed return-to-workplace related risks?
• Do proposed return-to-workplace policies and controls address the key risks?
• Are policies/controls effectively implemented (including communications)?
• Is the overall program functioning as intended, or are improvements warranted?

A new IIA poll of chief audit executives in North America provides a decidedly mixed answer to whether organizations are prepared and whether internal audit is sufficiently involved. The poll, conducted by The IIA’s Audit Executive Center, finds more than half of organizations may not be well prepared to address some key factors for returning to the workplace safely. This includes some factors directly related to COVID-19 transmission, such as testing and disinfecting workplaces, as well as evaluating potential organizational liability.

What’s more, I find it troubling that too many respondents could not provide an opinion on the readiness of their organization for about a third of the factors examined. This signals that a large number of internal audit functions are on the outside looking in on some of the biggest risks facing their organizations. This is unacceptably high, considering risk assessments should have been updated to cope with the pandemic crisis.

This is not to say internal audit is doing nothing. Nearly three-quarters of respondents noted that they are identifying emerging risks and updating risk assessments. Two-thirds are performing consulting activities in preparation for organizations returning to the workplace. However, few internal auditors are performing reviews of certain critical risk areas.

A deeper dive into the data shows that fewer than half of the respondents report their organizations are well or very well prepared to deal with six key risk factors:

• Workplace modifications for distancing.
• Testing for current infection.
• Testing for previous infection.
• Personal protective equipment.
• Costs to adapt workplace.
• Illness or death liability.

Even more troubling is the number of respondents who were unsure about their organization’s level of readiness in some of those key areas. For example, more than one in five respondents could not offer an opinion on readiness on testing for current infection, testing for previous infection, infection of cleaning staff, and their organization’s liability for workplace illness or death. The first three tie directly to potential transmission of COVID-19 and the third addresses potential consequences of just such transmission. Indeed, only 8% of respondents report being involved in health and safety reviews.

My intent here is not to browbeat practitioners during extremely challenging times. I believe many internal audit functions have performed admirably during the pandemic crisis and have stepped up to help their organizations overcome a dizzying array of challenges and risks. However, I have written many times before about my dread at hearing the question, “Where was internal audit?”

There may be times in the coming months and years when consequences of the pandemic — foreseen and unforeseen — will lead to organizational failures and enhanced litigation risks. Invariably, the question will be asked about internal audit’s involvement. We cannot answer, “We didn’t know” or “We weren’t involved.”

As our organizations’ last line of defense, we cannot afford to be left out of efforts to manage key risks, especially during a crisis. It is not too late to alert management and audit committees about the value that internal audit can bring to health and safety reviews ahead of a return to the workplace. I urge all practitioners to do so and be prepared to deliver that value.

As always, I look forward to your response.