Auditing During the Crisis
Internal auditors are an essential component of microfinance providers’ internal control and risk management functions, but how should they react to a sudden crisis? Experience in Vitas Group shows that a quick pivot from auditing to advising, supported by management and collaboration among auditors, helps financial institutions adjust internal controls and manage risk.
Vitas Group operates micro and small enterprise lending companies in Egypt, Iraq, Jordan, Lebanon, Palestine and Romania, with over 90,000 borrowers. All have independent internal auditors reporting to board-level audit committees. Nearly all institutions are used to dealing with crises, but none had ever seen a health emergency or a crisis that affected all companies at the same time.
A pivot from auditing to advising
When COVID-19 hit in March and countries imposed lockdowns, internal auditors could no longer visit clients and branches. They quickly moved from auditing to advising management on how to deal with important risks, focusing on four key areas: compliance, collections, fraud, and IT.
Compliance: Regulators issued orders to delay loan payments by one to four months during the pandemic, but the details were unclear or contradictory. For instance, if a client has a moratorium on payments, is the loan term extended? How is interest calculated? In Lebanon, it was not clear if a loan moratorium required a client’s physical signature – which could not be obtained during the strict curfew. In Romania, the National Bank offered loan moratoriums for four months, but then Parliament considered extending them to nine months. In Jordan, the Central Bank did not issue guidance on loan rescheduling until late April, six weeks after ordering lenders not to require loan payments. Internal Auditors provided management risk committees with advice on how best to interpret the spirit of new regulations and avoid compliance issues.
Collections: Most companies handle loan collections through their branches or third parties, such as banks or money transfer companies. But with all outlets closed, the only way to collect loan payments was to receive cash in the field. Normally, this practice is strongly discouraged due to risks of fraud, misreporting and the personal security of staff. During COVID-19, however, we were forced to relax our collections policies in order to continue receiving payments. Internal auditors helped each Vitas company figure out the best way to adjust their collections policies to allow credit staff to collect cash directly from clients. For example, Vitas Iraq raised the limits of its fidelity insurance coverage – a policy that covers the loss of cash by certain employees - to $3,000 for loan officers and $5,000 for loan officer supervisors.
Fraud: Vitas Group has over 90,000 clients, and many of them need loans to restart their businesses. As an important part of due diligence and fraud prevention, all loans require a loan officer to visit a client’s business and collect information. In general, strong communication between loan officers and clients is crucial during the loan application process and beyond. While risks remained for in-person contact, auditors have had to think about how operations would need to be adjusted. In Iraq, credit staff are starting to use video calls to confirm that a business exists, has inventory and operates. As part of our digitization strategy, new loan officer apps allow staff to collect information more accurately and have reduced loan turnaround time. Vitas companies have also recently launched apps for clients that allow them to check balances and check on the status of applications.
IT risk: As lenders move to more digital channels, how can we ensure data accuracy and security? Vitas Palestine has offered a loan application through Facebook Messenger, but how can we be sure that know-your-customer (KYC), anti-money-laundering (AML) and regulatory requirements are met? These questions have become increasingly important as more countries develop privacy rules based on the EU’s General Data Protection Regulations (GDPR). During the COVID-19 crisis, Vitas internal auditors have advised management on how to assess data protection risks. In Lebanon and Palestine, external auditors had recently completed IT audits, and internal auditors worked with management on the best ways to implement recommendations. We are also working with our in-house IT provider to strengthen data security across Vitas Group. An important lesson from this pandemic has been that all internal auditors need to pay more attention to cybersecurity and ensure greater data privacy protections are in place in future audit plans.
Finding a way forward
Once countries opened up, some auditors were able to perform basic branch audits by reviewing files and data and calling clients. In Jordan, however, as branches opened again, staff were so focused on reopening, ensuring compliance with client hygiene and social distancing requirements, and dealing with a backlog of client questions, that they told auditors to postpone visits – which they did. Some auditors audited head office functions, but others found they could not locate needed documents or talk with colleagues focused on the pandemic crisis and working remotely.
Starting in early April, shortly after lockdowns were imposed, Vitas Group established weekly check-in calls so auditors could compare their experiences and offer advice. For instance, in 2019, Palestine had rescheduled a significant part of its portfolio in Gaza after an economic and political crisis. Based on that experience, the auditor from Palestine advised others to be careful to ensure procedures were clear because clients and loan officers would want to push rescheduling. However, “if a payment is $400 and the client can only pay $50, rescheduling does not make sense,” she told her colleagues. Such clients will be unlikely to ever repay their loan, and other arrangements need to be made for them.
The auditors found these meetings productive. There is no clear playbook on how to respond to a global pandemic, so auditors needed and appreciated their colleagues’ advice on how to best respond to new challenges. “Finance can go and look up the rules and IFRS (International Financial Reporting Standards), but we don’t have these manuals,” the Vitas Iraq auditor said.
Since the start of the COVID-19 pandemic, internal auditors have used their credibility with management and support from colleagues to revise their plans and maintain internal controls. Their work should support institutions’ resilience during what may be the greatest challenge the microfinance industry has ever faced.