Duties of Internal Auditors in Pre-crisis Period
What is important for organisations in times of crisis is not trying to stave off or fudge the crisis. An organisation that can detect the crisis signal and sense that the crisis is coming before it starts and take advantage of this in the way to success will get the most out of the crisis (Ofluogjlu and Misirli 2001: 3).
In order for the organisations to enter the crisis preparedly, they should make some preparations in the normal period before the crisis signal in Fig. 4.1 and, if the proper detection can be made, after the detection of the crisis signal, i.e. before the crisis.
If we define the pre-crisis period, this period begins with the feeling of all kinds of actions, events, measures and indicators that will create the crisis and ends with the emergence of the crisis. During this period, crisis symptoms increase. The first activity to be carried out in this process is to identify the crisis risks and confirm that the crisis has begun to occur. Even if the crisis signal is not enough to prevent the crisis, it is of great importance in terms of managing the crisis in an efficient and least harmful way and even turning it into an opportunity. In fact, making preparations in the pre-crisis period is directly proportional to prevent the crisis before it deepens by sensing the signals before the crisis or to prevent the crisis from becoming chronic during the crisis (Campbell 2004).
In the “Normal Period” before the crisis signal is detected, two important processes that organisations will operate in order to detect the crisis signal are “Early Warning System” and “Environmental Analysis”.
The early warning system is a process that is used mostly in the process of detecting financial crisis signals, guides the organisations to take measures in the face of extraordinary situations, and it allows to analyse some early indicators of the crisis and make assumptions about what will happen in the future as a result of these analyses.
By means of this process, it is possible to take a position in advance after determining the time, intensity and depth of the crisis through the analyses in the relevant sector (Yeniςeri 1993: 224).Environmental analysis is defined as a step in the early warning system, but it is also considered as a different process used to determine the crisis signal alone. In this context, the indicators of the crisis can be determined by constantly following and analysing positive and negative events occurring in the near outer environment such as countries, regions which closely concern the organisation, and the internal environment, i.e. the local environment where the organisation is located. The positive and negative cases occurring in the internal environment, such as the, can be monitored and analysed continuously to determine (Ofluogjlu and Misirli 2001: 13).
Apart from these activities carried out to sense the crisis signal, some management processes that need to be designed and operated in order to support crisis management are also beneficial for the organisation. The leading management process is “Enterprise Risk Management”, which is the most important process that supports corporate managers to make the right decision, achieve the targets set by the organisations and develop strategies to that end.
Enterprise Risk Management, carried out under the responsibility of the organisation’s senior management, is defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) as, “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. The important point in this process is the ability to detect “the black swans” without any ignorance, such as the COVID-19 outbreak, which are unpredictable during the risk assessment process to be carried out with the participation of stakeholders, develops circumstantially and have a very high impact when it occurs (Ince and Ozbozkurt 2020: 128).
Instead of stereotyped methods such as developing measures based on previously identified risks, more detailed analysis should be made in the risk assessment process by identifying all kinds of risks including new, current, those with an enormous impact, surprise events that are not seen probable to occur and evaluating the results of early warning systems and environmental analysis. It should be noted that the main cause of the crises are the risks that are known but ignored and thus against which no measure is taken since they are not likely to occur due to their low probability.One of the efficient risk measures is “Business Continuity Management”. Business continuity management system is, “a process that is carried out in order to plan, establish, implement, monitor, review, maintain and continuously improve a written management system with a view to, in the event of a breach causing an interruption, protecting against the breach, reducing the likelihood of the breach occurring again, being prepared for the breach and take the necessary recovery action in the event of the breach” (TSE 2014). This process is a set of written procedures protecting especially the interests of stakeholders and the brand, reputation and value-creating activities of the organisation and increasing the resilience of the organisation by ensuring continuity of its crucial activities, in the event that the risks identified by the organisation occur and pose a threat. The most comprehensive of these written procedures is the “Business Continuity Plan” and is supported by auxiliary procedures. These auxiliary procedures are mainly;
• Business Impact Analysis
• Remote Access Plan
• Remote Working Plan
• Stakeholder Communication Plan.
In addition to these processes, determining the procedures for ensuring “Organisational Resilience” will also help the organisation to carry out its activities with the least loss in the threat environment it will be exposed to. In today’s world, organisational resilience with increasing popularity in the VUCA (volatile, uncertain, complex and ambiguous) environment in which organisations operate emphasises the importance of not only increasing profits but also protecting organisations against unexpected developments.
Basic approaches to be applied in this process are, flexibility, backup, rapid mobility, decentralisation, transparency, learning from mistakes and turning into opportunity (Marva and Milner 2013). Some of the road maps that should be prepared in order to ensure organisational resilience:• Emergency and Contingency Plan
• Back-up Plan
• Disaster Recovery Plan
• Evacuation Plan.
For the preparation of these plans, there is a need for “Business Impact Analysis”, which enables the analysis of activities that may have an impact on business interruption and that enables to analyse the impact. In general, these plans are procedures that can be evaluated within the scope of business continuity management.
When the important processes and plans mentioned above are designed by the organisations in the “Normal Period”, the crisis management process is supported in pre-crisis period. These plans should not only be designed, but also updated regularly, and their integration into the crisis management process should be carried out by rehearsals and drills to determine the accuracy, suitability and whether they provide the expected benefits.
Considering that it is difficult for the senior management to design and execute the aforementioned plans and processes in addition to its routine duties, efficiency and quality of these works will be questionable. In this context, it is vital for the board of directors and senior management that the above-mentioned plans and processes, which are planned, prepared and implemented together with crisis management and part of the internal control system, are evaluated by the internal auditors in a way to add value to the organisation.
In the normal period before the crisis, internal auditors will continue their auditing and consultancy activities in their annual plans. In this plan, it will be appropriate to periodically evaluate crisis management, business continuity management, organisational resilience and early warning systems and environmental analysis, which are already designed and that some of them are likely to be operated during the crisis period.
Considering the crisis example caused by the COVID-19 outbreak, in the “Normal Period” before COVID-19, internal auditors can carry out the activities listed below:
• During the enterprise risk management process, which is carried out periodically by the employees of the organisation, they can guide the management, within the scope of consultancy, about management of risks.
• Risk management process can be reviewed periodically. They can also provide assurance that risks related to different crisis situations have been identified and measures have been developed against them.
• Internal auditors can contribute to enterprise risk management by reporting this situation to senior management when they determine that there are high-level changes in a risk previously defined during the audit and consultancy duties, by means of the micro-risk assessment results performed at least once a year in macro-risk, audit and consultancy processes.
• They can offer improvement suggestions by testing the applicability of the plans prepared for the crisis process to different crisis scenarios and the rehearsals and drills made by the organisation for the plans (Chambers 2020a; IAAA 2020; McCafferty 2020).
• They can perform audits involving the analysis and evaluation of data obtained as a result of early warning systems and environmental analysis.
• In the “Pre-Crisis Period”, which is the phase between the detection of the crisis signal and the onset of the crisis, the organisations should, along with their routine activities, review the crisis management procedures and the plans that have been prepared in accordance with the specific conditions of the crisis they will face. It would be appropriate for them to update their plans by predicting the cause, magnitude, severity and duration of the crisis they will be exposed to and rehearse these plans if the time allows. In the example of the crisis caused by the COVID- 19 outbreak, the internal auditors of the organisations detecting the crisis signal of COVID-19 can carry out the activities listed below in the “Pre-Crisis Period”.
• They can prepare a short-term, flexible and changeable “Agile Audit” plan that enables issues such as; remote auditing, as specific to only times of crisis, if necessary, which will enable performance of critical audits; cooperation between internal auditors and stakeholders; unlimited communication; efficient use and allocation of resources, use of technology and rapid reporting, by discussing with the management on whether to make the necessary changes in the annual audit plan in accordance with the magnitude, severity and duration of the crisis (Chambers 2020b; PEMPAL-IACOP 2020).
• They can prepare for information systems infrastructure and security within the scope of “Remote Access and Work Plan” to ensure that critical audits are performed remotely.
• With the evaluation of internal auditors’ performance, competencies and their capacity to carry out their duties under pressure, a plan can be made on what kind of issues they can help the organisation during the crisis (McCafferty 2020).
• They can lead the redefinition and evaluation of financial, operational and security risks that they will be exposed to in the changing environment during the crisis, by meeting with the board of directors and senior management. They can update the plans designed in this context and prepare short-term action plans (McCafferty 2020).
• If the management decides that there will be a change in the risk appetite of the organisation regarding the crisis process, they may recommend that the enterprise risk management process be re-evaluated and updated.
4.6