Internal audit has always had responsibility for auditing an organization’s crisis management plans, but we have never before experienced what we are living through today. Most of the time we audit desktop disasters, mock trials for disaster recovery plans, and simulations for communication with staff who are cut off from the office. In addition to these scenarios—now a reality—internal audit can add enriched value by considering the addition of three areas to the audit plan:
- Business Continuity Planning
- Emergency Employee Communications
- Extended Remote Work Feasibility
Business Continuity Planning
Our operations consist of people, processes, and technology, and disruptions occur when any one of these three pillars is not available. During the current pandemic, people have less availability as many of us work from home with small children who also demand attention. Not all our processes were designed with remote work in mind. Even with technology advances, some applications are not available remotely, and not everyone has a laptop to bring home. Has your organization developed a business continuity plan that covers disruptions from natural disasters (e.g. hurricanes, tornadoes, fires, earthquakes, blizzards), pandemic events (e.g. COVID-19), or technology interruptions (e.g. network failures, cyber-attacks, piracy)? And, if so, are some or all of those part of your audit plan? If you are looking for a resource with more details, check out Ready.gov.
Emergency Employee Communications
Companies should also have a process for staying in touch with employees during a crisis. I’ll use my company as an example. TeamMate has its headquarters in Tampa, FL, so we live with hurricanes. When a storm forces us to shut down the office, an automated tracking system kicks in, sending us emails, texts, and phone calls to both check in with staff and to provide important updates.
Not all crisis communications are about emergencies. In a unique time like the COVID-19 pandemic we are all working from home, and teams have increased virtual meetings to stay in touch. We have company-wide “Ask Me Anything” meetings with the CEO along with frequent Town Hall meetings with our General Manager, and even virtual coffee breaks (or happy hours) with our smaller teams. Our parent company has even increased our virtual wellness program, getting us access to an online fitness subscription since we are all stuck inside. All these outlets ensure the team is safe, communicating, and still working to the extent that is possible. What is your organization doing to maintain employee engagement during the pandemic and how might internal audit review those programs to ensure they are ready and effective?
Extended Remote Work Feasibility
If the COVID-19 crisis has taught us anything, it is the importance of remote working. In the past few weeks we have all seen failed virtual meetings, newscasts that cannot connect to interviewees, and a host of other failed attempts to work from home. We’ve struggled with bandwidth issues and webcam snafus. Many companies simply did not anticipate the need for an infrastructure to handle this magnitude of remote work. How has your organization met this challenge? Did everyone have the capability to work remotely? Did your network (e.g. VPN) handle increased remote traffic? Did everyone have a laptop? Did you have access to a virtual meeting platform? Was it feasible to expect people to work from home? These, and similar readiness questions, are also a potentially new area where internal audit can add value.