When preparing a risk-based audit plan, organizations include business continuity management as one of the important areas, one that serves as a backup not only for pandemics but also for day-to-day lapses in cybersecurity. Organizations continue to perform business continuity audits regularly.
So far, the recent pandemic has been a regional phenomenon, but COVID-19 is challenging not just because of its widespread international impact but also because the world today is more integrated, and economies, communications, travel, and supply chains are more connected than ever before.
The sudden change in the way the business is kept functional has a direct impact not just on business continuity but also on various other risks such as Cybersecurity/Technology Risk, Fraud Risk, Employee/Third Party Fraud Risk, Ethics and Compliance Risk, Reputation Risk, Operational Risk, Financial Risk, Supply Chain Risk, Health & Safety, Key Person Dependency Risk, Regulatory Risk, and Market Decline Risk.
Internal audit can add more value during critical times by being agile. This means moving away from the audit plan and other routines that do not add value at this point and focusing on those areas that need immediate attention. The first step internal audit can take is to assist in an advisory role with the risk assessment to identify the risk in key areas:
1. Health and Safety
2. Business Continuity and Crisis Management
3. Information and Cybersecurity Management
4. Human Resource Management
5. Operations and Supply Chains
6. Finance
7. Strategy and Reputation
Based on experience, the typical risk challenges organizations are going to face are listed below:
- Health and Safety Area – Considerations include employee privacy, anti-discrimination, job-protected leave, regular guidance for employees, and work from home policy considerations such as operational requirements, technology capabilities, the security of work data, etc.
- Business Continuity and Crisis Management – Considerations include roles and responsibilities, escalation process, communication, business recovery strategies, contact lists, equipment and personnel requirement, vendor contacts and availability, etc.
- Information and Cybersecurity Management – Considerations include network connectivity and security, increased VPN or mobile device usage, data privacy, protection from scammers and hackers, emergency access, privileged access, etc.
- Human Resource Management – In addition to health and safety impact areas, this includes productivity, adherence to company policies, employee morale, collaboration challenges, etc.
- Operations and Supply Chains – Impact areas include third party risk, fraud risk, availability issues, quality issues, suppliers going out of business, etc.
- Finance – Impact areas include loss of revenue, interest payments, credit risk, increased bad debts, fraud, etc.
- Strategy and Reputation – Impact areas include long term planning, reputation risk, catastrophic loss, customer satisfaction risk, etc.
Areas where a focused audit could be a priority include:
- Health and Safety and Human Resource Management – Employee communication, team welfare, contact list, work from home policy, data privacy, and staff contingency planning.
- Cybersecurity – Focused review of network security, remote access, privileged access, emergency changes to the firewall, changes to high-risk systems, access management, patches and vulnerability management, cybersecurity updates, cloud risk, capacity management, and breach management.
- Business Continuity and Crisis Management – Review of response and recovery, contacts list, critical vendor support, roles and responsibilities, and resource plan.
- Third-Party Risk Management – Review of critical contracts, third party access to corporate systems, emergency access changes, cloud vendor risk, and third party COVID-19 preparations.
- Finance – Fraud reviews, emergency changes and approvals, receivables management, liquidity management, indirect cost management, etc.
- Regulatory compliance and reporting – Analyze the impact on regulatory reporting, operational compliance, and organization readiness to address compliance issues.
Depending on the nature of the business and the industry, such as healthcare and financial, the risk impact areas could vary. Banks will have to pay more attention to their online presence, cybersecurity, hackers, etc.