Audit Committee Considerations in a COVID-19 Environment

John Gavens

There is currently a huge volume of content available regarding the impact on organisations of the COVID-19 pandemic and it can be difficult to cut through the noise. The purpose of this article is to provide high level guidance to Audit and Risk Committee (ARC) members on matters to consider in the current environment.

This guidance is linked to the objectives of the ARC and the impact of COVID-19 on the objectives. It will also assist in addressing these considerations by providing references to some helpful resources. 

A standard ARC terms of reference includes the following points, which are explained in further detail below:

  • Risk management
  • Financial reporting
  • External audit
  • Internal audit
  • Internal controls including fraud and corruption
  • Culture and ethics
  • Other matters

1. Risk management 

For most organisations, key changes in risks and mitigation include:

  • Increased staff and client safety risk
  • Increased business continuity risk
  • Decreased financial sustainability
  • Increased fraud and corruption including cybercrime risk
  • Increased data security and privacy risk
  • Decreased emphasis on achieving strategic goals
  • Increased risk of not delivering BAU
  • Workforce and HR alignment 
  • Change management 
Click here to access the ‘Business Resilience Self-Assessment checklist’.

Suggested action: ARCs need to understand the specific changes in risks impacting each organisation and review the adequacy of responses to these changing risks.

2. Financial reporting

Financial reports are prepared based on assumptions, estimates and measurements at the time of preparation. Measurement is often based on fair value and in uncertain economic times, the values attributed to revenue, expenses, assets and liabilities may vary significantly. 

For example, in an economic downturn, it is likely that expected credit loss from collecting receivables will increase and the carrying value of receivables will decrease. Similarly, the fair value attributed to certain financial and non-financial assets may vary, triggering the need for revaluations outside of the normal cycle.

Click here to access Crowe’s ‘Financial reporting guidance under COVID-19’

Suggested action: ARCs should expect to see an issues paper that includes an assessment of the impact of COVID-19 on financial reporting.  

3. External audit

ARCs usually engage with external auditors during the planning, interim and final stages of audits. As outlined above, the COVID-19 environment presents significant financial reporting issues to an organisation.  
This in turn impacts on the auditors’ assessed risks of material misstatement within financial statements and the availability of evidence to support assumptions and measurement. All of these factors may impact on the timing of the delivery of the audit.

Suggested action: ARCs should request a copy of a revised audit strategy including changes in audit emphasis and timing.

4. Internal audit

The strategic internal audit plan is generally aligned to key risks of an organisation and reviewed by the ARC. In a COVID-19 environment, the internal audit plan may need to be adapted to take into consideration factors such as:

  • Changes in organisational risk profile;
  • Inability to complete planned audits (due to unavailability of staff or absence of access to physical locations);
  • Changes in organisational focus;

Possible areas for internal refocus include:

  • Cash flow forecasting
  • Scenario planning
  • Business continuity response
  • Staff, contractor, customer and community safety
  • Privacy
  • Technology and cybersecurity
  • Supply chain vulnerability

Suggested action: The ARC should review and understand the proposed strategic internal plan including its scope, resourcing and timing.

5. Internal controls and fraud

In the current economic climate, organisations have made significant changes to work practices, IT systems and internal controls. Historically, during periods of disruption, the opportunity, rationale and motivation for fraud increases. Areas of potential vulnerability are:

  • Reduced IT security in a remote environment, particularly where home devices are used;
  • Reduced cross checks when working remotely;
  • Access to government incentive and support payments.

Cyber criminals view disruption as the perfect storm for increased attempts to hack into an organisation’s IT network and/or extort funds through phishing emails, amongst other schemes.  

Further, this environment increases risks associated with data security and privacy including:

  • The use of unsecure means for data transfer due to remote working – e.g. unencrypted emails and USBs;
  • The use of unsecure video conferencing platforms – e.g. ‘party crashing’ or unsolicited recording.

Click here to access the NSW ICAC guidance ‘Managing corrupt conduct during the COVID-19 outbreak’ 

Click here to access ‘COVID-19 pandemic exposing businesses to heightened fraud risk’

Suggested action: ARCs should seek assurance on:

  • The ongoing compliance of the organisation with a recognised IT framework (such as Essential Eight or NIST), and
  • Monitoring, awareness, training and reporting on the performance of the IT system to cyber-attack and potential fraud.

6. Culture and ethics

Culture reflects the moral values and ethical norms governing how people should behave and interact with each other. It is often argued that high performing organisations have a strong and well-defined culture and hold their people accountable to defined trademark behaviours and conduct.

However, operating in a new, unprecedented environment, whether remote or not, significantly changes how interactions occur and the ability to hold each other to account in relation to trademark behaviours.

To maintain a strong culture, organisations may need to:

  • Redefine trademark behaviours and interactions that are appropriate for the current situation;
  • Change how accountability occurs.

Suggested action: ARCs should review steps taken by organisations to assess culture, ethics and support in the COVID-19 environment.

If you or anyone in your committee have further questions, please reach out to your adviser for more information.