Emerging Risks for Internal Audit during the Covid-19 Crisis



Over the last few months several trends have emerged relating to internal audit and business operations, many of which are of great interest. However, this article focuses on the emerging risks that have been highlighted most often among organisations during the Covid-19 crisis. These risks will to a greater or lesser extent be relevant across all sectors and company sizes.


What are the emerging risks for internal audit?

Many businesses are reporting that risk frameworks and audit plans have had to be stopped, changed and in many cases entirely re-written. Practical constraints of auditing aside, the risk agenda has changed, and internal audit is having to adapt. 

So, what are the risks that have consistently been raised? 

Are these now being considered within your organisation?


1.  Covid 'second wave' Potential - are we ready and have we learnt important lessons from the 'first wave'?

Depending on your geographical location, you may still very much be in the first wave, but regardless of your position the risks associated with longer term adjustment are still valid. It is conceivable that organisations will adjust, adapt and re-set only to be hit by another period of reduced income, disrupted supply chains and remote working. Organisations in the Northern Hemisphere are particularly nervous as to what happens when the winter flu season arrives whilst Covid-19 remains a threat.


2.  Countries are all at differing stages in the Covid-19 cycle, therefore different risks are needed to be considered across a global remit

This is a particular challenge for global supply chains that may remain interrupted and intermittently disrupted for many months to come. How do you take this risk into account, and how do you audit when you can only partially access the supply chain?


3.  Fraud risk / cyber risk is higher due to remote working and change in duties

This is a complex and potentially high-risk area that many acknowledge requires serious thought. This is especially true for those trying to operate teams remotely using legacy and outdated systems. Internal fraud becomes potentially easier and external threats have noticeably increased across all areas. There has been a marked increase in demand for Cyber Security skills.

4.  Social distancing for the foreseeable future

The majority of companies, teams and individuals have adapted to social distancing during an emergency period, but is that sustainable? What are the long-term implications for sites not built for this? How will productivity and morale be affected over the long term?


5.  Mental health of staff

Almost everyone has highlighted this risk. The sustained morale and energy impact of tough economic conditions, fear of job loss, working alone, and an unclear future without the support of a team around you is having a negative impact. The short and long-term implications of this are not yet clear but the consensus is that it needs to be monitored and programmes need to be in place to provide support where possible.


6.  Company culture

This risk is that cultures are, or may start to, break down in a detrimental way. However, it is also possible that positive cultural changes may be occurring. Therefore, culture surveys have been discussed as a solution.


7.  Less focus on crisis management, more focus on how we come out of the pandemic and the evolving risk around this

The intense speed and shock of the crisis understandably led to a focus on dealing with the crisis in the moment. Many acknowledge that by now there should be a forward-looking agenda and risk analysis. This requires not only an intellectual shift, but an emotional one, to look beyond the now and into what remains an unclear future.


The above list represents the most discussed risks, but there are of course many others. How you choose to assess, grade and mitigate your risks are of course a decision for you, but it is demonstrably the case that the risk environment has changed and all need to adapt.



A number of broad solutions have been suggested that can assist across all risks. Some of the most discussed are:


1.  Appreciation that risk conversations need to happen more regularly

The time horizon for risk and associated auditing has reduced markedly. Most have dropped 12-month audit plans for some kind of rolling audit programme, and therefore a regular and ongoing discussion of risk is critical.


2.  Chasing management on relevant follow up actions from prior audits to ensure they have been addressed

Not all risks have changed and not all historical issues can be simply forgotten about just because there is a crisis. Now is the time to ensure critical controls remain effective.


3.  Control owners to take more responsibility for their risk and controls - audit can help management see where the risk is and then hand it off to them before moving on to the next department

The military understand the concept of ‘mission command’, essentially the devolving of decision making to those at the closest point to the action and best informed to make a command decision. In times of crisis, when decisions often need to be made quickly, this concept is invaluable and can be applied to risk and audit management.


4.  Data Analytics

Even if advanced systems are not in place, all organisations generate data that can be analysed. In the absence of auditors able to travel and with so many personnel working from home, many teams can at the very least gain indications of where issues may lie by taking greater advantage of data analytics.



If 2020 has taught us anything it is that we can never be certain of where we stand, and any list of potential risks can only ever be subjective, and we should always assume many are missing. However, hopefully the above list provides valuable guidance as to what your peers are considering at this time.


Back to article list