Critical watchpoints for audit and risk committees

Feb 09, 2021
Patricia Barker outlines red flags for audit and risk committees as they continue to navigate the coronavirus pandemic and the fallout from Brexit.

It’s hard to imagine audit and risk committee members as frontline workers in the face of the COVID-19 pandemic. However, time will undoubtedly show that the guidance of a good, active audit and risk committee was a pivotal oxygen tank for companies as they stumbled through these difficult times.

In providing effective oversight, the audit and risk committee’s contribution must be responsive to the additional risks and uncertainties arising from COVID-19 and Brexit. The radar is picking up new bleeps, which include the following.

New risks on the risk register

It is vital to identify new risks, the appetite for those risks, and mitigations that can be put in place. These risks include, but are not limited to, failure of suppliers or customers due to economic pressures; invocation of force majeure clauses to avoid performance of contracts; reputational damage caused by a failure of staff to comply with Government guidance; a cluster outbreak of COVID-19 among staff; insufficient funding; and health and safety failure on the premises.

Going concern

All audit and risk committees will have to conduct a deep dive into the appropriateness of using the going concern concept for the 2020 financial statements. This work must be completed in advance of the arrival of the external auditors.

Business continuity plan

Audit committees should be very familiar with the robustness of the business continuity plan. They should also be satisfied that it has been rigorously tested to cope with the potential crashes that may result from the black swan event that is the COVID-19 pandemic.


There are high risks associated with rushed procurement practices, which were necessary due to the emergency nature of the pandemic. Audit and risk committees should create a schedule of any instances where management had to speed up or bypass procurement practices due to the need to procure for the pandemic. They will need to be satisfied that all material exemptions from procurement regulations have been appropriately applied and authorised. The exemptions provided for in legislation include situations of extreme urgency, where there is a genuine emergency due to events that could not have been foreseen in situations that were not controlled by the company. It would seem that the pandemic (although not Brexit) complies with these conditions, which would permit the procurement of goods or services in a fast-tracked way outside the standard procurement policy. However, the current question for audit and risk committees is how long it can reasonably be assumed that COVID-19 is an emergency that could not have been foreseen.

Control of government supports

There are high risks associated with the very rapid deployment of government resources to a vast range of beneficiaries. To the extent that such resources have been claimed by the company or on behalf of staff, the audit and risk committee should be happy that appropriate controls were put in place to ensure that the claim was made in accordance with the terms of issue, that the funding was applied as stipulated, and that anti-fraud measures were appropriately applied. The external auditors will likely examine the transparency and governance associated with benefits drawn down, such as:

  • Grants;
  • Subsidies;
  • Liquidity loans;
  • Credit guarantees;
  • Short-term compensations;
  • Payroll support;
  • Tax alleviation;
  • Additional human resources deployed; and
  • Tax losses carried back.

Economic fraud and cybersecurity robustness

There have been significant incidences of cybersecurity and IT failures due to opportunistic frauds arising from COVID-19 such as email compromise, investment scams, and phishing scams. In an Economic Crimes Survey conducted by PwC in 2020, 18% of organisations surveyed reported that they had incurred losses due to fraud in excess of €800,000 and 13% said they had incurred losses in excess of €5 million. These costs do not account for the losses arising from remediation, fines, brand damage and reputational damage. Economic crime dealt with by the European Commission Crime Bureau includes the following:

  • Cybercrime;
  • Customer fraud;
  • Asset misappropriation;
  • Money laundering;
  • HR/employee fraud;
  • Deceptive business practice;
  • Intellectual property theft; and
  • Accounting fraud.

Audit and risk committees must seek evidence that economic risks were explicitly addressed and closed off by the company, including assurance that such risks are adequately insured.

Third-party risks

Focusing on internal risks is only part of the challenge; the risks associated with outsourced goods and services also need attention. These risks are elevated as our direct controls change due to virtual working. The range of external service providers that can expose the company to attack is wide, covering services as varied as stationery, security, catering and HR, and this brings additional risks of fraud and cyberattack. According to PwC’s Global Economic Crime and Fraud Survey 2020, one in five respondents identified vendors and suppliers as the source of their most disruptive external fraud. Half of the respondents lacked a mature third-party risk management programme, and 21% had none at all. Audit and risk committees should address this issue with the leadership team to ascertain the extent of the vulnerability and the potential need to seek professional assistance.

Remote working

Audit and risk committees must be proactive in implementing robust health and safety and human resource protection policies to safeguard employees working from home and safeguard the company’s assets. Issues raised should include health and safety mechanisms to ensure that staff have suitable stress management supports; good ergonomic working conditions; and reasonable boundary control over working hours. Furthermore, where company assets such as docking stations, laptops and other equipment have been taken home, mechanisms should be in place to control those assets and to appraise valuations and impairments. Appropriate protocols should also be in place to ensure that employees are fulfilling their contracts. GDPR policies will need to be stress-tested to assure the audit and risk committee that there have been no breaches of the regulations. The audit and risk committee will also need to confirm that the company’s insurance policies cover the changed working theatre.

Risk of redundancies

If it seems likely that squeezed resources will lead to redundancies, the audit and risk committee will want to see an assessment of this risk, the mitigations in terms of spreading the load, the policy on the redundancy payment matrix, and budgetary planning.

Provision of ad hoc board support

During the emergency, the audit and risk committee should be willing to convene to conduct deep dives, specific investigations, or advisory analysis as may arise due to unforeseen issues relating to the COVID-19 pandemic or Brexit.

All in all, this is a busy time for audit and risk committees, and we will likely look back on this period and determine that committee members provided a highly professional, emotionally intelligent, and effective service to boards. It is unlikely that citizens will stand on their doorsteps and applaud them, but at least they will know that they did a good job.

Patricia Barker chairs the audit committees of the Marine Institute and Tallaght Hospital and is a member of the Ethics and Governance Committee at Chartered Accountants Ireland.