Did you know that May is International Internal Audit Awareness Month? I wanted to use this little-known holiday to remind mutual fund board members about an often underutilized resource that can help them navigate some of the new risks posed by COVID-19.
Internal audit is normally a function of the adviser. However, in the mutual fund industry most advisers' internal audit teams provide their fund boards with relevant audits and/or summaries to help the directors with their oversight responsibilities. During these challenging times, internal audit can help provide assurance regarding the effectiveness of critical internal controls.
At their next board meeting, fund directors should consider asking the internal audit team what risks they see related to COVID-19. I have highlighted some potential pandemic-related issues below, and individual internal audit teams can better define the top risks for their fund families.
BCPs: Most business continuity plans were designed with the idea that certain employees would work from home, but other employees would work from recovery centers or other offices. Under the COVID-19 restrictions, all employees are required to work remotely—many for the first time in their careers. This can cause stress on BCP system capacity and critical controls.
Additionally, most BCPs were designed to address finite events. What works in the short term is not necessarily sustainable for longer periods. With the COVID-19 restrictions potentially lasting for many more months, this is the perfect time for internal audit teams to evaluate how BCPs are currently functioning. Internal audit teams can also help review whether the BCPs are sustainable for the long term—including both expected and worst-case scenarios.
The adviser must ensure that the BCPs for all critical vendors are in place and functioning effectively. Internal audit can help independently review BCPs for critical vendors and also review management's plans to address instances where the vendors or service providers are not able to deliver necessary data or services.
Cybersecurity, Privacy: In a physical office, companies have the ability to automate critical cybersecurity controls. For example, companies can download and install security patches to computers overnight. In a remote environment, however, employees must install—and maintain—necessary security patches themselves. Other important BCP cybersecurity and privacy controls include limits on printing and downloading data, as well as monitoring data usage and employee access. Many of these controls are automated, but they can often be overridden by IT or, in some cases, by employees themselves.
Therefore, training is critical to ensure employees understand how to protect company data when working at home. Without fully understanding the reasons behind certain controls, employees may find creative ways to circumvent what they may see as limits on their productivity. And because all employees are working remotely, the number of potential vectors for a bad actor to access a company's systems or introduce viruses or malware are at unprecedented levels. Testing of BCP cybersecurity and privacy controls is crucial during these extraordinary times. Internal audit is experienced in auditing cybersecurity and is therefore uniquely positioned to help independently review the BCP cybersecurity controls.
Key-Person Risk: In the current environment, it is possible that key personnel could become incapacitated. Front office is an obvious area of concern, but there are many other areas of potential key-person risk. For example, is there an important report or key monitoring function that only one employee knows how to run?
Another potential key-person risk is associated with at-home work during this COVID-19 pandemic. What happens if a key person inadvertently spills coffee on her computer? In the office, IT would immediately bring a new computer to that employee. But in a remote work environment that could take hours—or more likely days. The loss of internet access or electrical power is a real risk with a remote workforce. For office environments, companies generally have redundant infrastructure systems, generators, etc., but in a remote work environment, companies cannot control the infrastructure risk for employees. If internet or power goes down for a house or an area, impacted employees may not be able to perform necessary functions.
Shelter-in-place restrictions are also impacting employee productivity. Employees may have small children or other family members who need care during the workday. Other employees may be juggling home schooling and necessary errands with work demands. We are living in a world where it takes much longer to shop for groceries and is often safer to do so during normal working hours rather than on weekends. Finally, the social strains of isolating at home are impacting employees and their families.
Because of its broad mandate, internal audit can help identify key-personnel risks across the organization and can help review key-person controls—including identified back-up personnel, good written procedures, and training.
Re-Entry Plans: As states and communities begin to re-open, employers need to quickly evaluate how and when to bring employees back to work. Re-entry BCPs need to meet new, disparate, and ever-changing governmental safety standards, and companies may want to implement additional controls to help keep employees and customers safe. Internal audit is well suited to help identify necessary controls relating to re-entry BCPs.
Fraud: During times such as these, external and internal fraud risks increase.
External bad actors may seek to take advantage of the remote work environments to try and circumvent controls. These could include sophisticated attacks on company firewalls or public-facing websites, phishing attempts, or even targeting employees' homes to gain access through unsecured wi-fi connections, unlocked doors, or documents discarded—but not shredded—by employees.
Internally, employees may be facing significant financial difficulties due to the loss of a job by a spouse, or they could be concerned about potential layoffs due to the current economy. In either instance, the risk of internal fraud is amplified by COVID-19 and remote work. Internal audit continually focuses on fraud risks and can help independently review controls designed to detect and prevent both internal and external fraud.
Management Oversight: Management oversight is probably the most important control in a remote work environment, and it is different from oversight in the office. As discussed above, increased fraud and cybersecurity risks heighten the need for effective management oversight. However, many areas are working remotely for the first time, and their oversight controls may not have been fully adjusted to account for the unique challenges of remote oversight. Today's work environment will require some processes to change; internal audit can help design a governance framework for making changes to processes and procedures to accommodate remote work and also can offer an independent review of the oversight controls for key areas such as wire desks, trade desks, IT governance, cybersecurity, and customer-facing operations.
Market Volatility: Volatile markets pose challenges in the best of circumstances. Standard controls for information sharing, insider trading, and trade allocations are complicated when employees are working from so many different locations. Crucial compliance, risk management, and liquidity controls must now be done remotely.
Pricing during volatile markets is complicated enough when everyone is working in the office, but remote work for advisers, fund accounting agents, and custodians can stress valuation and pricing controls. The unprecedented number of NYSE circuit breakers triggered recently also offers challenges for transfer agents and customer service representatives. Internal audit can help test existing controls and make recommendations for control enhancements that might be appropriate during these volatile markets.
Regulatory: While employees are working at home, advisers are still responsible for complying with a broad range of new regulations, some of which go into effect during the mandated isolation periods. Internal audit can review controls designed to address these new regulations (both pre- and post-implementation).
The SEC, FINRA, and several state regulators have announced plans to continue, and in some cases even expand, potential examinations and requests for information. Internal audit can help review areas that may be a focus for these examinations.
Auditing During COVID-19: Conducting internal audits is challenging right now. With most employees working from home, internal audit must find new ways to observe processes, interview employees, and access data. Management may be requesting that audits be delayed or cancelled since employees are busy trying to get their normal work done in challenging circumstances, and internal audits can feel like an unnecessary obstacle or distraction. But because of the heightened risks related to COVID-19, I believe certain internal audits are more essential than ever. In addition to assurance audits, COVID-19 offers internal audit teams the opportunity to partner with management and consult on the design of new controls for an ever-changing environment.
Fund boards can help by ensuring that the audit teams have the resources and flexibility to determine how to best add value during these extraordinary times. And don't forget to wish your audit teams a Happy International Internal Audit Awareness Month!
Kate Ives spent her career at OppenheimerFunds, serving as director of internal audit from 2011 to 2019 and before that in the legal department from 1991 to 2011, where she was deputy general counsel. She served as chair of the Internal Audit Committee for the Investment Company Institute for nine years and has been a board member for the Institute of Internal Auditors for the past four years and a member of the board and the executive committee for Junior Achievement, Rocky Mountain since 2013. She is an adjunct professor at the University of Denver, Strum College of Law.