Internal Controls in a Remote World
As remote work takes hold at CPA firms and organizations, getting a grip on internal controls is essential for overcoming the security risks of an at-home workforce.
By Natalie Rooney | Fall 2020
Before COVID-19, working from home full time was the
exception rather than the rule. According to
a June 2020 survey by IBM Security and Morning Consult, 83 percent of respondents
said that prior to the pandemic they worked from home either rarely
or not at all. In face-to-face, pre-pandemic office settings, employers
and IT teams managed, implemented, and monitored security
measures and protocols from a central location. Now those systems
are upended.
“Managing internal controls in an office setting is one thing.
Managing internal controls when everyone is working from their
kitchen tables is another thing altogether,” says Bob Dohrer, CPA,
CGMA, chief auditor for the AICPA.
As pandemic concerns remain high, many workplaces plan to
continue remote work into 2021 and beyond, and organizations
may find themselves playing catch-up as they try to manage
potential security risks in a world where in-person oversight is
impossible and traditional controls are ineffective. The pandemic
has exacerbated the usual risks, with remote work, furloughs, and
layoffs all creating new weaknesses. “Suddenly there may be fewer
people available to process financial transactions, and that creates
pressure,” Dohrer says. “Combine all of this with issues surrounding
the segregation of duties, and teams that aren’t interacting in a live
setting, and problems can develop quickly. Controls designed for
the office just don’t work as well in a virtual environment. We have
a new level of consideration that has to take place.”
If you haven’t revisited your internal controls lately, now is the
time, says Jenny Deloy, CPA, MBA, Marcum LLP’s Chicago office
managing partner and Illinois region partner in charge of assurance
services. “Change, anxiety, and uncertainty are creating an
environment where fraud proliferates, and fraudsters are out there
with new scams to convince people to do things they wouldn’t
normally do,” she explains.
As a result, companies need to be very aware of the steps they can
take to avoid the opportunity for fraud, advises Elizabeth Sloan,
CPA, managing director in Grant Thornton’s Chicago audit
methodology and standards group: “Since we’re not all physically
together, we need to think about the basics. What changes have
occurred to the control environment because of remote work? We
need to be sure we’re thinking about the right things and not
becoming complacent.”
Here’s how to ensure your internal controls remain relevant in a
remote environment.
Ten Steps to Developing Robust Remote Internal Controls
Step zero, Sloan says, is to embrace the change: “Think of this as
an opportunity to improve and build a more effective structure of
internal controls rather than just having an interim structure.” After
that, take these steps:
#1: Reexamine segregation of duties. Look for gaps or dead ends
in workflows created by virtual work. How might duties need to
change or be restructured? If signoffs were previously handled
manually, how are they handled now? Has there been a loss of
checks and balances?
#2: Take advantage of technology. Use secure portals to transmit
documents, leverage the cloud, and embed timestamps on files to
tighten security.
#3: Track, document, and confirm. These steps are so basic that
they’re often overlooked, Dohrer says. Reach out to the information
sender. Confirm they sent it, and it’s what you received. Track and
document any changes made to approval levels, access rights,
procedures, or responsibilities.
#4: Know your data. What data do you have? Who can access
it? Verify that data, including something as simple as a
videoconferencing link, is not publicly accessible or open to more
internal access than necessary.
#5: Find new lines of communication. “Casually passing someone’s
office used to spark conversations,” Deloy says. “Now that you’re not
in front of someone, you might not hear about problems. Initiate
conversations on a regular basis and in a collaborative way. Make
sure you’re on the same page and pursuing the same goals.”
Consider checking in daily with your team and using video more
often than telephone or email.
#6: Assess cyber risk. IBM’s report found that fraud has risen
dramatically since March. “Cyber risk assessment is crucial right
now,” Deloy cautions. “Provide teams with training and awareness
of cyber-related matters so they recognize current scams.” Now is
a good time to confirm your IT systems are in place and working
securely and that proper passwords, encryption services, and multifactor
authentication are in place.
#7: Get leaders involved. “Those charged with governance need
to remain visible to employees, particularly in the accounting
function,” Deloy stresses. She suggests using live video for
meetings. “Your team needs to see leaders involved, monitoring,
and supporting positive behaviors. People want to do the right
thing. Provide the support they need to do so.”
#8: Draw attention to ongoing monitoring. Continuously discussing
processes demonstrates to team members that someone is always
assessing the situation, and that can be a real fraud deterrent. “If
someone is considering bad behaviors, just knowing someone is
watching is helpful, even if they’re watching from home,” Deloy says.
#9: Remember the human element. Don’t forget about the people
behind the processes. “Make sure team members are engaged
and not burned out,” Sloan recommends. “Working virtually in a
pandemic means the opportunity and pressure to potentially
commit fraud are already there. If people lose their engagement,
they can easily rationalize things they usually wouldn’t do.”
#10: Communicate with your clients. A review of internal controls
presents a perfect opening for firms to reach out to clients. “Help
them think about these matters within their organizations, because
their attention is definitely elsewhere,” Deloy urges. “Take
advantage of this opportunity to advise, guide, and help your clients
revisit, refresh, and improve their internal controls.”
Different Can Be Better
Do you really need to think about internal controls differently in a
virtual world? Yes. Do organizations need to panic? No. Remember:
The fundamental principles don’t change. “You don’t need to adopt
a new framework and change everything,” Dohrer says. “Think
about a control objective in the manual world, and then consider
how that can be accomplished in the virtual world. Most businesses
and auditors will find that a good understanding of fundamental
principles will go a long way in this environment.”
Rather than dragging organizations down, virtual work and
rethinking internal controls and processes should be propelling
organizations forward, Sloan suggests. “At Grant Thornton, we’re
focusing on quality and are working smarter by utilizing more
advanced data. Examining data analytics has allowed us to be more
precise and to home in on specific risks,” she shares. “From a
technology perspective, remote work has helped us improve our
communication and use more tools to facilitate collaboration. We’re
not just doing what we’ve always done. Even when we’re back in
the office, we won’t go back to the way things used to be.”