Strengthening resilience: lessons learnt from the impacts of the pandemic

As a consequence of the Coronavirus pandemic, organisations have had to re-think, act quickly, and in many respects change how they have been operating. Throughout the pandemic we have seen a rise in fraud, cyber risk, supply chain disruption and economic uncertainty, coupled with the adoption of homeworking arrangements and the relaxation of certain controls.

Throughout the pandemic, RSM's internal audit teams have continued to undertake reviews in a remote setting. Just like many organisations across the globe, we have had to navigate our way through the effects of the pandemic and adapt to the new ways of working while continuing to provide quality services for our clients. Some audit plans were paused during the early stages of the pandemic, but many organisations were keen to restart their internal audit work given the importance of seeking assurance over the controls in place, particularly where new processes had been established at pace. Our audit work has focused on our clients’ responses to the pandemic and the lessons that have been learnt; with a focus on business continuity, agile and remote working, return to work and mental health.

Management actions in focus

As part of our research, we have analysed pandemic related management actions that were agreed with our clients as part of internal audit reviews during the latter part of 2019/20 and 2020/21. Overall, we have analysed 289 high, medium and low priority management actions agreed across 70 different reviews with a broad range of clients. Management actions were agreed with 63 organisations across the public and third sectors, and corporate organisations including several financial services businesses.

Key findings

1. The majority of management actions we agreed related to business continuity (101 management actions) across all sectors that were a part of this review. The focus of management actions is on ensuring that plans and policies are reviewed and updated where necessary, and that key members of staff involved in the business continuity plan receive sufficient training.
2. The majority of secure remote working related management actions we agreed were related to security, IT systems and infrastructure, and policies and procedures. Other areas included training, risk assessments and equipment provision. From our reviews, only 12 per cent of organisations could take a substantial level of assurance that the controls in place to ensure secure remote working were operating effectively to manage risks.
3. Reviewing and updating risk assessments was a key area where we agreed management actions and ensured a stronger alignment and communication among boards, committees and other key risk management members regarding the challenges and opportunities created by the pandemic.
4. Very few organisations could have predicted that the pandemic would manifest as it has done, and organisations have had to move quickly to respond. In practice this has likely led to marked changes in risk appetite and often to significant changes in the control environment, as new or revised processes and procedures have been put in place. The need for both effective risk management and to gain assurance over internal controls has been magnified.
5. As hybrid working starts to become the ‘new normal’, organisations have had to pay particular attention to people; their health, safety and mental wellbeing, as well as their training and personal development. A host of factors should be considered in relation to employee wellbeing, including developing strategies and initiatives to engage and support staff as needed

Read our 'Analysis of internal audit review outcomes' report to discover more key findings or get in touch with Mark Jones to discuss your organisation's needs.