By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Are your internal controls still working as intended in a remote environment?
With COVID-19, everyone’s lives have changed, from social distancing to wearing masks to increased online shopping and delivery. In the workplace, many employees went home in mid-March and were told not to come back into the office, instantaneously moving to a remote work environment that has lasted nine months and appears likely to continue well into 2021. With that sudden move, unanticipated internal control gaps may have arisen. Company executives could be wondering whether their internal controls are still sufficient and consistently applied in the remote work environment.
When evaluating internal controls, a widely used framework for designing and implementing internal control systems is the COSO Internal Control – Integrated Framework®. The Framework is made up of five components:
- Control Environment – the standards, processes, and structures of a company – an organization’s “tone at the top”
- Risk Assessment – the process of identifying and assessing risks to achieve a company’s objectives
- Control Activities – the actions established through policies and procedures that help ensure management directives are carried out
- Information and Communication – the process of identifying and capturing information and communicating in a form and timeframe that is necessary for individuals to carry out their responsibilities
- Monitoring – the process of evaluating over time whether the system of internal controls is functioning properly
In today’s virtual environment, having a strong “tone at the top” is of the utmost importance. Companies with strong Control Environments have implemented standards, processes, and structures such as a Code of Ethics Policy that employees are required to read and sign, a knowledgeable and independent Board of Directors, a Whistleblower Policy, organization charts that are communicated via the company intranet, and annual performance reviews, to name a few.
Risk Assessment and Control Activities
For many companies, the Risk Assessment that is performed is informal and focused on the specific risks related to their Control Activities, including the risks of fraud. These companies design their accounting processes and controls to mitigate these process-level risks. Example control activities include approving invoices/payments, independently reviewing bank reconciliations, and segregating incompatible duties. We find most companies struggle with segregating incompatible accounting responsibilities because of limited staffing and the need to have backups for employee absences/vacations.
Information and Communication
In today’s remote environment, companies quickly had to pivot from paper-based and in-person reviews to Information and Communication that is electronic, electronically transmitted, and reviewed remotely. Many companies have moved to using electronic signature features within contracts, PDF documents such as invoices, and Excel spreadsheets. With the switch to electronic evidence of approvals come new risks that companies need to ensure are properly mitigated. Additionally, companies need to consider the impact on information security of the move to a remote workforce. Listen to our insightful Webinar for security considerations that need to be addressed when moving to a remote work environment.
The job of Monitoring controls often falls to the internal audit group. However, many small to mid-sized companies do not have an internal audit function. For these companies, performing periodic internal control reviews can be a cost-effective solution. Internal control reviews are targeted evaluations of specific processes, often higher-risk areas such as cash disbursements and cash receipts. An internal control review will:
- Identify internal control gaps, including segregation of duties concerns
- Identify process inefficiencies
- Benchmark company processes against industry best practices
- Provide cost-effective recommendations to improve controls or process efficiencies
The key to a good internal control review is to develop recommendations that consider the company’s size, complexities, risks, and resources. In certain cases, a company might not be able to segregate responsibilities. Thus, instead of recommending adding headcount, a good control reviewer helps to identify other, more cost-effective mitigating controls.
With the move to a remote work environment, many companies are making the investment of having an internal control review performed to ensure that controls have been properly modified to reflect the new remote environment. In the internal control reviews that we have performed, we are finding more segregation of duties issues arising because more or different employees are now backing up other employees. For example, only certain employees are going into the office, and those employees now have access to and responsibility for depositing checks, which was not originally part of their responsibilities and creates segregation of duties concerns.
Has your company changed its processes in the remote environment? Are you concerned that these changes might have created unanticipated internal control gaps? If so, now might be a good time to have an independent review of the new processes and controls. Keiter’s Risk Advisory Services team can help you with this process and provide management with valuable insights on opportunities for enhancing internal controls and thereby reducing risks.