Internal audit and the health crisis


Internal audit and the health crisis

The spring of 2020 was a difficult time. Economic activity in Luxembourg abruptly shut down for the first time ever due to the government-ordered lockdown. There were indications of a gradual return to normality in early summer, but uncertainty ultimately took over once again. Under these circumstances, internal audit departments as various economic operators across all sectors have had to adapt to the pace of change in their working environments. In this article, we will illustrate this necessary adaptation with reference to the role of internal audit within organizations, while also setting out the emerging risks to be taken into account by the third line of defense in future.

Against the current backdrop of uncertainty, internal audit departments need to be proactive and prepared while remaining pragmatic and adapting to the ever-changing circumstances. As such, the points made below should not be taken to be exhaustive or definitive, but rather as an essential reflection on this unprecedented situation.

The role of internal audit

Rearranging plans

During these times, some plans inevitably have to be rearranged. This may entail an agile approach to the management of established internal audit tasks, including a more frequent review of the audit plan with short-term prioritization and regular reviews and updates. Doing so will enable more effective reflections on any changes in inherent risks and the performance of risk management systems (ongoing checks).

Adjusting plan coverage to take account of risks pragmatically and objectively

Against a backdrop of ever-changing risks, internal audit departments must be able to continue to provide a sufficient level of assistance to reassure the organization’s governance bodies. There must be regular interactions and conversations with all parties involved both internally and externally (company auditors or regulatory authorities) in order to identify and quickly understand any emerging risks and/or any deterioration of existing risks. Internal audit departments thus need to be able to assess whether they have everything under control within their organization in the most efficient way possible.

Ensuring continuity of internal audit operations during crises

To avoid excessive disruption to critical operational roles and departments during times of crisis, internal audit must carefully:

  • assess the conditions for and consequences of carrying out audit work remotely for the evaluation of the control environment concerned, before taking any action. To do so, internal audit will need to know how much documentation is available digitally and will need to get hold of it far enough in advance to avoid disrupting the already strained operations of the positions/departments being audited;
  • identify the key players for each aspect addressed and ensure they are available on the relevant dates. Internal audit will need to arrange the remote “walkthroughs” with them, along with the usual reviews and discussions concerning any weaknesses observed;
  • ensure blanket use of communication platforms for exchanging documents and organizing meetings and workshops. Screen sharing should be used for certain observation tests and screenshots should be taken to document the work carried out;
  • speed up the development of analytics in order to deliver remote internal audit work, increase coverage and focus on the anomalies detected while continuing to provide results and ensuring high added value.

Under the current circumstances, dialogue with other internal control departments, which would normally be regarded as facilitating the detection of potential risks and weaknesses, should now be considered as a genuine opportunity to reduce duplication and minimize contacts with management and/or critical operational departments.

An approach based on a more systematic review of the relevance of the work carried out by these departments (focusing mainly on the second line of defense – essentially compliance and risk management) will provide an up-to-date overview of the scope of their work and of the coverage and depth of the tests already carried out.

Where capacities are under pressure, it may be appropriate to reconsider the implementation of the internal audit plan in order to avoid any delays. By the same token, internal audit may be able to take advantage of less busy periods for most of its work. Internal audit departments must plan for:

  • having to rely on information-sharing technologies or accepting that the scope of some work will have to be altered or reduced in order to be able to complete tasks. Any face-to-face meetings needed may then have to be rescheduled or organized through the necessary communication platforms;
  • prioritizing a review of the design and day-to-day functioning of emerging risk controls, such as an analysis of crisis recovery scenarios or the modeling of liquidity and financing needs.

In these unprecedented times, teams taking urgent decisions need impartial advice and reassurance, while the organization needs to remain focused on the future. Internal audit can play a key role here and should be involved in particular in the following cases:

  • in project steering committees and when input from an independent, objective voice is required to challenge managers regarding crisis management. A critical review of project portfolios may also help with projects that provide greater added value for the organization;
  • with critical reviews of new controls or controls that have been changed prior to implementation in view of changes in the working environment.

Internal audit’s overview of an organization's risk exposure has never been so important. This forward-looking analytical task rounds out the initiatives that form part of the first and second lines of defense in identifying areas at particular risk (e.g. stoppage or slowdown of operations, financial risks, changes in working behavior, remote interactions with clients, more digital environment).

For the internal audit department to be able to tailor its priorities, it must quickly establish close ties with its audit committee (if there is one) and with the board of directors and other stakeholders on which the organization is dependent, such as the regulator. These early exchanges will allow teams to more effectively define and approve the conduct of critical work and identify whether it is necessary to incorporate new and/or high risks into the internal audit plan. Moreover, any change to internal audit’s focuses can be agreed upon without delay.

If any of internal audit’s non-essential work has to be postponed or redefined, the department has to assess the impact this will have on compliance with regulatory obligations and the ability of the head of internal audit to issue an opinion concerning the control environment. This issue must be considered by either the audit committee or the board of directors and must take account of the head of internal audit’s duty to ensure adequate oversight. It must be possible to adjust the depth of controls, and thus the level of assurance provided in consultation with governance bodies.

It is important at this stage to consider and specify what has been or has not been covered, or what will or will not be covered, over the course of the year in order to adopt an approach for limiting the scope of work, where doing so is necessary and possible. The selected approach must then be clearly set out in the reports issued.

In some sectors, such as banking/investment fund management or financial sector professionals, an annual summary report must be drawn up and submitted to the regulator detailing the work carried out. Against the backdrop of the current crisis, however, the scope of the internal audit plan may be reduced. It is therefore crucial for internal audit departments to clarify what has and has not been covered over the course of the year and adopt an approach that addresses all the regulatory aspects to be covered at least once a year.

The stakeholders concerned must remain in contact with the authorities and keep up-to-date with the regulator’s published positions and opinions, even while the situation continues to evolve.









Emerging risks to be taken into account by internal audit

Emerging risk areas

Main points to take into account

User access control and security

In view of flexible working arrangements and the broader opening up of systems to people who have to cover temporary absences, user access controls may be compromised and mistakes or malicious acts may occur as a result:

  • Controls in place must be monitored. Although in occasional urgent situations it may be necessary to waive the access and task segregation rules, it is crucial that this is governed by a framework of rules and that organizations maintain an audit trail to which they may refer at a later stage.
  • The risks of fraud and waiver management must be identified.


With greater access to remote work and the use of third-party software to improve efficiency, staff may inadvertently compromise company security. The following questions need to be considered:

  • Are remote access controls properly secured?
  • How can organizations raise awareness among their teams, enhance threat detection and act to promote proactive identification of any malicious acts?
  • How can organizations monitor the security measures put in place by third parties (suppliers, service providers, intermediaries, etc.) in order to incorporate this into the use of their services?
  • Are portable devices, which are being used ever more often for remote working, sufficiently secured and monitored?
  • Does the organization hold enough licenses for the increased use of remote working technologies and software?
  • How does the organization manage the risk of internal threats from staff or third parties, whether malicious or inadvertent?
  • How is the organization managing the growing use of collaborative tools and other SaaS applications, which are often less heavily monitored and understood (shadow IT)?
  • How is the organization ensuring that its infrastructure is sufficiently resilient in the event of any cyber-attacks, which occur more frequently during times of crisis?


Understanding liquidity or working capital needs compared with hypothetical scenarios, and reviewing cashflow forecasts:

  • Has the organization accessed government support schemes (either fiscal or financial)? Does it fulfill the eligibility requirements? What are the longer-term implications of this support (e.g. future repayment of guaranteed loans)?
  • Challenge the impact analyses carried out by financial managers, in particular when drawing up financial statements.


Ongoing projects are being hit in terms of resource availability, deadlines and compliance with budgets, whether due to organizational, operational or IT issues. As such, with the assistance of internal audit, organizations must answer the following questions:

  • Over the short term, how should organizational projects be prioritized to allocate capacity (resources and budgets) to projects providing greater added value?
  • Over the long or medium term, what capacity should be planned and how should it be kept available to ensure a stronger recovery?
  • Which governance, supervisory and communication arrangements should be put in place to support the projects that are deemed priorities and cannot be managed in a “normal” manner?

Insurance policies

Remote working by staff raises questions in terms of insurance cover and compliance with rules:

  • Do insurance policies cover staff for working from home?
  • What employment law limitations are applicable? Are health and safety rules still being respected?

Risk management

Does the organization have any processes in place for ensuring continued compliance with all of its regulatory obligations, in particular for dealing with any additional (potentially temporary) regulatory requirements and the principles set out in internal policies?

  • Does the risk assessment process have to become more agile with more dynamic and proactive risk assessment methodologies?

Continuity plan

Check that the organizations understand each point of failure, for example in relation to processes, staff and technologies:

  • Develop and/or test appropriate scenarios, plans or measures, including crisis simulations, in order to restore operations (post-accident recovery plan).
  • Approve and challenge the main indicators used by management when taking decisions concerning critical operations, and challenge and benchmark management hypotheses concerning the nature, extent and duration of the situation.
  • Challenge management forecasts concerning the impact of the crisis on operations.
  • Examine management’s assessment and monitoring as well as the crisis plans for the main outsourced service providers.

Internal controls

Internal audit must understand the changes (both temporary and permanent) to the internal control environment, paying particular attention to the following:

  • Hierarchical controls
  • Accounting controls (provision for bad debt and for inventory, amortization of goodwill and intangible assets, fair value of financial and non-financial assets)
  • Accounting controls over associates or joint ventures
  • Transaction processing controls
  • Cash payment controls
  • Automated process controls
  • Outsourced service providers
  • Monitoring of insider offenses
  • Dependence on a key person/access by super-users
  • Resilience and remote working

Compliance and financial security

During these times of crisis, money laundering, terrorist financing, corruption, fraud and embargo busting could become much more widespread. Internal audit teams must not lose sight of these risks and must continue, even more so than in the past, to question the following:

  • The correctness of the information organizations hold on their clients, the relevance of client assessments and the effectiveness of client transaction monitoring;
  • The detailed and regular assessment of the company’s exposure to these risks and the action plans being implemented to achieve compliance and optimize financial security mechanisms (development of tools and processes); and
  • The handling of alerts that need addressing within a particular timescale, at the risk of accumulating delays in the handling of alerts that do not need addressing until a later stage.

Supply chain

Assess whether sufficient resources are in place (internally and externally) to maintain the level of supply necessary to keep critical operations at a sufficient level:

  • Establish how organizations can understand and prepare for changes to the types and extent of needs and adjust stocks and sources of supply accordingly.

Suppliers and other third parties

Reassess supplier relations in terms of their financial soundness and the services provided (quality, volume), as well as more generally in order to take account of new risks: sustainable development, social responsibility, respect for human rights, combating corruption, money laundering and terrorist financing, compliance with international sanctions, etc.:

  • Consider the “extended company”, i.e. both the company and affiliated third parties, within development scenarios, enabling operations to be refocused on the core business and allowing for flexibility in terms of the functioning of organizations, in particular during times of economic uncertainty.

Clients and contracts

Has the organization adopted a communication plan that is clear for its clients, with particular attention on its most vulnerable clients?

  • Has the organization identified and reviewed the main contractual clauses that could reduce the commitments taken on, such as:
    • force majeure
    • notice provisions
    • provisions concerning post-accident recovery and continuity of operations
    • disclaimers
    • damages
    • applicable law and jurisdiction
    • termination rights
    • insurance policies
    • any other applicable clause

Human capital

Assess the adequacy of the plans put in place by organizations in order to maintain their staff’s health and wellbeing, including in relation to the impact of remote working on mental health:

  • Are any workaround solutions used during the lockdown period appropriately monitored and swiftly formalized?
  • Are there clear, precise and widely-known instructions within the organization concerning the appropriate use of social media and communication during this crisis?
  • Has the impact on standard HR processes been taken into account, such as any delays to performance assessments?

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?