New Strategic Audit Plan in Facing the Coronavirus Fallout


Written by : Michael Hezkia

Edited by : Muhammad Farhan Fajarmukti

Everyone should be familiar with the world renown pathogen called COVID-19. This virus that spreads primarily through droplets of saliva or discharge from an infected person has been the main trending topic for the last few months. The COVID-19 has been such a troublesome virus that by 11 March 2020, the WHO characterized it as a pandemic. This virus can cause a multitude of health complications and there are currently no specific vaccines or treatments for the virus.

COVID-19 does not only cause problems in terms of health. This virus also causes problems towards the operations of many organizations and companies. This, in turn, affected the roles of internal audits. Internal audits job is to provide assurance and insight on the effectiveness of governance, risk management, and control processes to help an organization achieve their objectives. These aspects of an internal audits job are heavily affected by the pandemic. Effectiveness of governance is dwindling because of the ceased operations, risk management is getting complicated with new emerging risks, and the control process gets harder because of the lack of immediate access towards resources and/or premises. Hence, Internal audits should re-evaluate these aspects because what was recognized usually as being important or relevant in terms of risks might be different as a result from the pandemic crisis.

In relation to audit focuses, the International Standards for the Professional Practice of Internal Auditing (2010 – Planning) states that the chief audit executive (CAE) must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. Organization priorities obviously changed during these pandemic times. This results in new emerging risks that determine the priorities of said organization. According to Deloitte (2020), some examples of new emerging risk areas that internal audits should consider or re-consider during this pandemic are as follows:

  1. user access controls,
  2. finance,
  3. internal controls,
  4. cyber,
  5. insurance cover,
  6. risk management,
  7. business continuity,
  8. supply chain,
  9. customers,
  10. contracts, and
  11. human capital.

Based on these examples, the CAE then should reassess the strategic audit plan.

According to Luka Zupan (2020), a Partner from KPMG, the CAE should reassess the strategic plan in terms of 1) feasibility, 2) practicability and 3) usefulness of the audit missions.

1)  Feasibility: Example by assessing audits that need to travel to foreign countries so that they can still be executed on schedule due to travel bans, close borders of destination, etc.

2)  Practicability: This relates to audit activities that need to be done in person or physically whether it is still effective and efficient to perform while the organization is in lock-down.

3)  Usefulness: The strategic plan should be assessed whether some audits can be postponed from a risk perspective as they may no longer pose a threat in the current situation.

Other than assessments, the CAE should also evaluate the current corporate governance and internal control framework, especially how the pandemic might impact their effectiveness. Since most business operations become virtual, it results in lower level of control. This in turn gives opportunities for certain individuals or organizations to do frauds in terms of time, costs, or delivery of their operations. The CAE can reassign internal auditors to do preventive monitoring towards the governance and internal control effectiveness to combat the risk of frauds.

After the CAE has a clear understanding of the priorities and new risks of the organization during the pandemic situation, with the help of senior management and the board, he/she reassesses a new strategic audit plan. This plan is then put into action by evaluating on how to implement them. This evaluation can be based on whether the plan can be:

  • executed by remote work (online),
  • supported by local internal or external resources to access the premises for documents, walkthroughs, and control testing of the site,
  • used with IT data access to address certain risks (changes in access rights, overriding controls, etc.),
  • conducted using data analytics of the available mass-data to identify pattern and assess potential control failures, or
  • collaborated with other assurance functions (risk management, quality management, compliance, etc.) to support special audits.

In conclusion, the worldwide COVID-19 pandemic causes a lot of disruption in society functions. The disturbance towards organization operations, especially, causes a change of procedures of how internal audits do their roles. The new emerging types of risks caused by this pandemic should be re-evaluated and re-assessed towards a new strategic audit plan to be implemented by the internal audits. Therefore, internal audits can still play a vital role in ensuring that an organization can master this situation and survive amongst this hardest of times while still being efficient and effective in their operations.


Deloitte. 2020. Internal Audit considerations in Response to COVID-19, Navigating Change: an unprecedented challenge. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-internal-audit-response-to-covid-19.pdf (5/18/2020)

Kelly, Matt. 2020. COVID-19: The Ultimate Governance Challenge. IA Online, The Institute of Internal Auditors. https://iaonline.theiia.org/2020/Pages/COVID-19-The-Ultimate-Governance-Challenge.aspx (5/15/2020)

Litzenber, Roy A. 2020. EHS Planning for COVID-19 and Beyond. Lake Mary: The Institute of Internal Auditors. https://global.theiia.org/knowledge/Public%20Documents/EHS-Planning-for-COVID-19-and-Beyond.pdf (5/13/2020)

The Institute of Internal Auditors. 2016. International Standards for the Professional Practice of Internal Auditors (Standards). https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf (5/25/2020)

The Institute of Internal Auditors. 2018. IIA Position Paper: Internal Auditing’s Role in Corporate Governance. https://na.theiia.org/about-ia/PublicDocuments/Internal-Auditings-Role-in-Corporate-Governance.pdf (5/15/2020)

World Health Organization. 2020. WHO Timeline – COVID-19. https://www.

who.int/news-room/detail/27-04-2020-who-timeline—covid-19 (5/15/2020)

World Health Organization. Coronavirus: Overview. https://www.who.int/health-topics/coronavirus#tab=tab_1 (5/18/2020)

Zupan, Luke. 2020. Coronavirus and the role of internal audit leaders. KPMG Voice. https://home.kpmg/ch/en/blogs/home/posts/2020/03/coronavirus-role-of-internal-audit.html (5/20/2020)