Richard Chambersin blogi 18.5.2020
Richard Chambers (IIA President and CEO, CIA, QIAL, CGAP, CCSA, CRMA) kertoo näkemyksiään sisäisen tarkastuksen ammatista blogissaan yhdistyksen kansainvälisillä sivuilla.
Tässä blogissaan Chambers käsittelee työpaikalle paluun riskejä ja sisäisen tarkastuksen roolia henkilöstöön liittyvien terveyteen ja turvallisuuteen liittyvien riskien arvioinnissa ja hallinnassa. Chambers nostaa esiin neljä avainkysymystä
- Onko johto riittävässä määrin identifioinut ja arvioinut toimistolle palaamisen riskit?
- Onko esitetyissä palaamiseen liittyvissä politikoissa ja kontrolleissa otettu avainriskit huomioon?
- Ovatko politiikat ja kontrollit hyvin implementoitu ja kommunikoitu?
- Toimiiko ohjelma odotetulla tavalla, onko parannukset varmistettu?
Kysely Pohjois-Amerikan tarkastusjohtajille osoittaa hajontaa siinä, ovatko organisaatiot varautuneita ja onko sisäinen tarkastus riittävästi mukana. Kyselyn mukaan saattaa olla niin, että yli puolet organisaatioista ei ole hyvin varautunut toimistoon paluun avaintekijöihin, kuten Covid 19:n testaukseen ja alueiden desifiointiin. Lisäksi liian suuri osuus vastanneista ei voinut ottaa kantaa tekijöihin, mikä Chambersin analyysin mukaan viittaa siihen, että liian iso osa sisäisestä tarkastuksesta tarkastelee isoimpia organisaatioiden kohtaamia riskejä tällä hetkellä ulkoa päin. Tästä ei kuitenkaan tule vetää johtopäätöstä, ettei sisäinen tarkastus tee mitään. Kolme neljästä päivittää riskiarvioitaan, kaksi kolmesta konsultoi töihinpaluussa. Harva kuitenkaan katselmoi tiettyjä kriittisiä riskejä, alle puolet vastaajista arvioi, että organisaatiolla on hyvä valmius seuraavien avaintekijöiden hallintaan:
- Työpisteiden eriyttäminen
- Testaukset tartunnalle
- Testaukset vasta-aineille
- Henkilösuojaimet
- Työpisteiden muokkauksen kustannukset
- Vastuu sairauden tai kuoleman varalta
Tätä tilastoa huolestuttavampaa oli niiden vastaajien määrä, jotka eivät voineet ottaa kantaa organisaationsa nykytilanteesta näiden tekijöiden suhteen, vain 8% vastanneista raportoi olleensa mukana terveys- ja turvallisuusarvioinneissa.
Chambersin mukaan sisäisellä tarkastuksella ei ole varaa jättäytyä näin isojen organisaation kriisiaikojen riskiharjoitusten ulkopuolelle. Vielä on mahdollista kertoa johdolle ja tarkastusvaliokunnille, mitä arvoa sisäinen tarkastus voi tuoda terveys ja turvallisuusarvioihin.
Return-to-workplace Risks: Is Internal Audit Stepping Up?
Richard Chambers Blog, May 18, 2020
Last week, I urged internal auditors to ”roll up their sleeves” and help their organizations navigate risks related to returning workforces to their normal places of business. Part of that examination was a look at internal audit’s role in providing assurance on employee health and safety risks.
I outlined four key questions for practitioners to consider:
- Has management adequately identified and assessed return-to-workplace related risks?
- Do proposed return-to-workplace policies and controls address the key risks?
- Are policies/controls effectively implemented (including communications)?
- Is the overall program functioning as intended, or are improvements warranted?
A new IIA poll of chief audit executives in North America provides a decidedly mixed answer to whether organizations are prepared and whether internal audit is sufficiently involved. The poll, conducted by The IIA’s Audit Executive Center, finds more than half of organizations may not be well prepared to address some key factors for returning to the workplace safely. This includes some factors directly related to COVID-19 transmission, such as testing and disinfecting workplaces, as well as evaluating potential organizational liability.
What’s more, I find it troubling that too many respondents could not provide an opinion on the readiness of their organization for about a third of the factors examined. This signals that a large number of internal audit functions are on the outside looking in on some of the biggest risks facing their organizations. This is unacceptably high, considering risk assessments should have been updated to cope with the pandemic crisis.
This is not to say internal audit is doing nothing. Nearly three-quarters of respondents noted that they are identifying emerging risks and updating risk assessments. Two-thirds are performing consulting activities in preparation for organizations returning to the workplace. However, few internal auditors are performing reviews of certain critical risk areas.
A deeper dive into the data shows that fewer than half of the respondents report their organizations are well or very well prepared to deal with six key risk factors:
- Workplace modifications for distancing.
- Testing for current infection.
- Testing for previous infection.
- Personal protective equipment.
- Costs to adapt workplace.
- Illness or death liability.
Even more troubling is the number of respondents who were unsure about their organization’s level of readiness in some of those key areas. For example, more than one in five respondents could not offer an opinion on readiness on testing for current infection, testing for previous infection, infection of cleaning staff, and their organization’s liability for workplace illness or death. The first three tie directly to potential transmission of COVID-19 and the third addresses potential consequences of just such transmission. Indeed, only 8% of respondents report being involved in health and safety reviews.
My intent here is not to browbeat practitioners during extremely challenging times. I believe many internal audit functions have performed admirably during the pandemic crisis and have stepped up to help their organizations overcome a dizzying array of challenges and risks. However, I have written many times before about my dread at hearing the question, ”Where was internal audit?”
There may be times in the coming months and years when consequences of the pandemic — foreseen and unforeseen — will lead to organizational failures and enhanced litigation risks. Invariably, the question will be asked about internal audit’s involvement. We cannot answer, ”We didn’t know” or ”We weren’t involved.”
As our organizations’ last line of defense, we cannot afford to be left out of efforts to manage key risks, especially during a crisis. It is not too late to alert management and audit committees about the value that internal audit can bring to health and safety reviews ahead of a return to the workplace. I urge all practitioners to do so and be prepared to deliver that value.
As always, I look forward to your response.