Providing Internal Audit Value during COVID-19

May 18, 2020

COVID-19 has brought sweeping changes to the higher education landscape. The most proactive internal audit functions are rapidly shifting their plans to maximize relevancy. For example, with a daily influx of new information and ever-changing regulations, internal audit can assist institutions with addressing the often-ambiguous compliance requirements attached to various federal regulations and stimulus programs (e.g., Coronavirus Aid, Relief, and Economic Security [CARES] Act). When operating in an uncertain and continually evolving setting, it can be difficult to know where internal audit can focus its efforts to provide the most value. Consider incorporating into the internal audit plan one or more of the following areas:

Using an agile audit approach, internal audit departments can assess areas to add value to institutional efforts.

Relief funding (e.g., CARES Act)
Financial aid impacts of refunds and credits
COVID-19 impact on research grants and contracts
Online course management
Construction project COVID-19 financial risks

Using an agile audit approach, internal audit departments can assess these areas to add value to institutional efforts in maintaining operations, meeting compliance requirements, remaining economically viable, and adapting to the “new normal.”

Assessing risks in the midst of a pandemic

There are numerous risks to consider in evaluating the five areas noted above, and it can be challenging to understand how and where to begin assessing risks and their impact to the institution. An overview of institutional objectives, keys risks to consider, and questions to ask your institution in evaluating these relevant areas are detailed below.

Relief funding (e.g., CARES Act)

Overarching institutional objective	Risks to consider	Questions to ask
Ensure appropriate and allowable costs are claimed to allow for maximum cost recovery and to prepare for imminent downstream audit and sponsor scrutiny	Configuration of expense tracking system in accumulating and assigning costs to awards Retention of documentation to meet applicable requirements Compliance requirements for transactions	Does your institution have policies and procedures in place to receive, report, and seek reimbursement for relief funding? Does your institution have policies, tools, and templates that can be used in administering awards?

Financial aid impacts of refunds and credits

Overarching institutional objective	Risks to consider	Questions to ask
Understand, monitor, and adhere to compliance requirements regarding refunds and credits	Accuracy of refunds processing related to extraordinary circumstances of COVID-19 Title IV compliance requirements (e.g., length of academic year, date of withdrawal) for unrestricted and restricted institutional aid	Has your institution established guidelines or criteria to increase the consistency and fairness of financial aid refund and credit issuances? If your institution changed the length of its academic year (e.g., extended spring break or ended the semester early), has the calculation of return to Title IV funds been reassessed? Does your institution have controls in place to document and follow-up on federal and audit reporting requirements?

COVID-19 impact on research grants and contracts

Overarching institutional objective	Risks to consider	Questions to ask
Minimize financial and research continuity impact from COVID-19 on grants and contracts	Continuity of projects requiring human or animal subjects, or the use of a research lab Impact of increased costs (e.g., salary expenses) and decreased productivity on budgets Clarity on how additional COVID-19-related costs can be recouped	How is your institution handling the charging of salaries for researchers and support teams? How is your institution updating budgets to account for changes in scope and increasing costs? How has COVID-19 affected research data concerns and cybersecurity risks? How has COVID-19 impacted institution concerns regarding foreign influence risks?

Online course management

Overarching institutional objective	Risks to consider	Questions to ask
Establish an online learning framework to ensure academic continuity and proactively evaluate and address control and compliance gaps to enhance efficiency and effectiveness of online learning	Online curriculum, delivery of coursework, engagement with students, and maintenance of academic quality Programmatic and accreditation requirements for online course materials Secure and effective technology and system design to meet demands of online learning platforms	Has institutional leadership shared expectations about online course offerings and faculty responsibilities? Has your institution offered training to faculty on how to develop and deliver online courses? How has your institution assessed the impact of online learning on students who may have personal or developmental issues (e.g., technology accessibility) that prevent them from continuing their education virtually?

Construction project COVID-19 financial risks

Overarching institutional objective	Risks to consider	Questions to ask
Prepare for and manage increased costs related to COVID-19 limiting the impact on current and future construction projects Modify future contract terms detailing pandemic response and cost responsibility Partner with contractors to enable successful COVID-19 management	Responsibility for construction project costs (e.g., job site safety) impacted by COVID-19 Management of project change orders due to COVID-19 Quantifying the consequences resulting from construction delays Shifting non-allowable project costs into force majeure (i.e., unforeseeable circumstances preventing the fulfillment of a contract) reimbursements	Has institutional leadership determined who is responsible for project costs impacted by COVID-19, and which costs (e.g., hygiene, project delays) are acceptable versus should be avoided? Has your institution developed a process for managing COVID-19-related project change orders? Has risk management identified losses covered by insurance?

In support of effective enterprise risk management (ERM) within the above areas (whether via a formal ERM program or otherwise), internal audit departments can also work with their institutions to identify the following for each risk area:

Clear roles (e.g., risk owner, risk manager) to enable quick action
Potential gaps in compliance or in relation to industry-leading practices
Approaches to minimize risks and impacts due to COVID-19
Lessons learned in mitigating risk that can be applied to future enterprise risk assessments and considered for inclusion in internal audit and/or institutional compliance plans

Internal audit can provide CARES Act funding support in various ways while appreciating that many institutions are in crisis response mode and may not be in a position to be audited at this time:

For those institutions in earlier phases of addressing the CARES Act, review distribution plans for compliance and assess whether processes incorporate the necessary controls to execute those allocation plans and effectively distribute the funds
Serve as a thought partner related to the reporting requirements and assess completeness, accuracy, and consistency
Provide assurance that funds were distributed in accordance with your institution’s plan to prepare for imminent audit scrutiny (either Single Audit or Department of Education) by confirming the eligibility of the recipients, determining if the amount disbursed was accurately calculated and supported, and assessing whether sufficient documentation has been retained (e.g., citizenship, application, etc.)

Adopting remote internal audit practices

In assessing the five areas noted above, and in carrying out remote internal audit plans, internal audit departments are adjusting operations to adapt to the changing environment, such as:

Adopting agile audit practices ... and adjusting the methods by which audits are performed can support successful audit engagements without sacrificing quality.

Focusing on data analytics and leveraging technology to limit documentation requests
Devoting time to both internal and external education and developing training materials
Planning for upcoming audits
Engaging in stakeholder outreach

Given a remote environment, adopting agile audit practices such as those noted above, and adjusting the methods by which audits are performed, can support successful audit engagements without sacrificing quality. This is also an opportunity for internal audit to brainstorm ways to help the institution automate processes or develop preventive controls, which can ultimately lead to less internal audit time spent on sample-based testing and more time applied to value-added analytics (e.g., trend analysis).

Undertaking successful remote operations

Working remotely and conducting internal audits virtually can present unique challenges, such as limited face-to-face interaction and a shift in priorities. In serving as a partner to institutions, internal audit can consider the following leading practices to successfully engage with remote teams and auditees/stakeholders and conduct internal audit engagements:

Initiate – Emphasize the project scope and objectives, top risks, timelines, key process owners, and stakeholders. Engage early with the appropriate stakeholders to better understand stakeholders’ priorities and challenges.
Communicate and connect – Leverage video conferencing platforms (e.g., Zoom) to communicate with team members and stakeholders; video conferencing can help convey body language and tone that may not translate well with other platforms (e.g., email); increase frequency of communications (e.g., status updates) with team members and key stakeholders to build rapport and strengthen relationships.
Collaborate – Utilize a secure cloud collaboration software to share documentation and thought leadership in a secure environment.
Share – Deliver virtual trainings to institution stakeholders to aid the institution in continuing to build risk awareness while operating remotely.

Internal audit should prioritize its work to align with institutional objectives and address changing risks within the evolving environment during this time of uncertainty.

By effectively communicating while operating remotely, internal audit departments can continue to move work forward while fostering a healthy and productive remote work environment.

Conclusion

Despite the uncertainty in the current environment, internal audit remains a value-added partner to higher education institutions. Internal audit can help institutions mitigate the risk of noncompliance with regulations and relief funding from the CARES Act, as well as other stimulus efforts. Internal audit should prioritize its work to align with institutional objectives and address changing risks within the evolving environment during this time of uncertainty. Furthermore, by adopting agile audit practices and leveraging technology, internal audit can continue to aid institutions while working remotely.

About the Authors

Mumta Taneja

Mumta Taneja, CRMA, is a Baker Tilly senior manager, delivering risk advisory, internal controls and internal audit services. She has a diverse industry background across higher education, manufacturing and distribution, software technology, and food and beverage organizations. Her experience includes conducting enterprise risk assessments, auditing business processes, performing data analytics and auditing internal controls over financial reporting.

Articles
Providing Internal Audit Value during COVID-19

Raina Rose Tagle

Raina Rose Tagle, CPA, CISA, CIA, is a Baker Tilly partner who leads Governance, Risk, Compliance and Cybersecurity services for the Baker Tilly International network. Raina served for more than a decade as Baker Tilly’s industry leader for higher education and research institutions, which serves over 400 institutions nationally, and led Baker Tilly’s practice of over 300 professionals who specialize in helping clients via industry-specialized capabilities in areas such as enterprise risk management and compliance programs, internal audit, cybersecurity and information technology, financial and operational risk management, grants and research contracts compliance and construction risk management. Raina specializes in working with higher education institutions and academic medical centers and serves on Baker Tilly’s board of partners.

Articles
Providing Internal Audit Value during COVID-19