insight magazine

Internal Controls in a Remote World

As remote work takes hold at CPA firms and organizations, getting a grip on internal controls is essential for overcoming the security risks of an at-home workforce. By Natalie Rooney | Fall 2020

remote internal controls 800

Before COVID-19, working from home full time was the exception rather than the rule. According to a June 2020 survey by IBM Security and Morning Consult, 83 percent of respondents said that prior to the pandemic they worked from home either rarely or not at all. In face-to-face, pre-pandemic office settings, employers and IT teams managed, implemented, and monitored security measures and protocols from a central location. Now those systems are upended.

“Managing internal controls in an office setting is one thing. Managing internal controls when everyone is working from their kitchen tables is another thing altogether,” says Bob Dohrer, CPA, CGMA, chief auditor for the AICPA.

As pandemic concerns remain high, many workplaces plan to continue remote work into 2021 and beyond, and organizations may find themselves playing catch-up as they try to manage potential security risks in a world where in-person oversight is impossible and traditional controls are ineffective. The pandemic has exacerbated the usual risks, with remote work, furloughs, and layoffs all creating new weaknesses. “Suddenly there may be fewer people available to process financial transactions, and that creates pressure,” Dohrer says. “Combine all of this with issues surrounding the segregation of duties, and teams that aren’t interacting in a live setting, and problems can develop quickly. Controls designed for the office just don’t work as well in a virtual environment. We have a new level of consideration that has to take place.”

If you haven’t revisited your internal controls lately, now is the time, says Jenny Deloy, CPA, MBA, Marcum LLP’s Chicago office managing partner and Illinois region partner in charge of assurance services. “Change, anxiety, and uncertainty are creating an environment where fraud proliferates, and fraudsters are out there with new scams to convince people to do things they wouldn’t normally do,” she explains.

As a result, companies need to be very aware of the steps they can take to avoid the opportunity for fraud, advises Elizabeth Sloan, CPA, managing director in Grant Thornton’s Chicago audit methodology and standards group: “Since we’re not all physically together, we need to think about the basics. What changes have occurred to the control environment because of remote work? We need to be sure we’re thinking about the right things and not becoming complacent.”

Here’s how to ensure your internal controls remain relevant in a remote environment.

Ten Steps to Developing Robust Remote Internal Controls

Step zero, Sloan says, is to embrace the change: “Think of this as an opportunity to improve and build a more effective structure of internal controls rather than just having an interim structure.” After that, take these steps:

#1: Reexamine segregation of duties. Look for gaps or dead ends in workflows created by virtual work. How might duties need to change or be restructured? If signoffs were previously handled manually, how are they handled now? Has there been a loss of checks and balances?

#2: Take advantage of technology. Use secure portals to transmit documents, leverage the cloud, and embed timestamps on files to tighten security.

#3: Track, document, and confirm. These steps are so basic that they’re often overlooked, Dohrer says. Reach out to the information sender. Confirm they sent it, and it’s what you received. Track and document any changes made to approval levels, access rights, procedures, or responsibilities.

#4: Know your data. What data do you have? Who can access it? Verify that data, including something as simple as a videoconferencing link, is not publicly accessible or open to more internal access than necessary.

#5: Find new lines of communication. “Casually passing someone’s office used to spark conversations,” Deloy says. “Now that you’re not in front of someone, you might not hear about problems. Initiate conversations on a regular basis and in a collaborative way. Make sure you’re on the same page and pursuing the same goals.” Consider checking in daily with your team and using video more often than telephone or email.

#6: Assess cyber risk. IBM’s report found that fraud has risen dramatically since March. “Cyber risk assessment is crucial right now,” Deloy cautions. “Provide teams with training and awareness of cyber-related matters so they recognize current scams.” Now is a good time to confirm your IT systems are in place and working securely and that proper passwords, encryption services, and multifactor authentication are in place.

#7: Get leaders involved. “Those charged with governance need to remain visible to employees, particularly in the accounting function,” Deloy stresses. She suggests using live video for meetings. “Your team needs to see leaders involved, monitoring, and supporting positive behaviors. People want to do the right thing. Provide the support they need to do so.”

#8: Draw attention to ongoing monitoring. Continuously discussing processes demonstrates to team members that someone is always assessing the situation, and that can be a real fraud deterrent. “If someone is considering bad behaviors, just knowing someone is watching is helpful, even if they’re watching from home,” Deloy says.

#9: Remember the human element. Don’t forget about the people behind the processes. “Make sure team members are engaged and not burned out,” Sloan recommends. “Working virtually in a pandemic means the opportunity and pressure to potentially commit fraud are already there. If people lose their engagement, they can easily rationalize things they usually wouldn’t do.”

#10: Communicate with your clients. A review of internal controls presents a perfect opening for firms to reach out to clients. “Help them think about these matters within their organizations, because their attention is definitely elsewhere,” Deloy urges. “Take advantage of this opportunity to advise, guide, and help your clients revisit, refresh, and improve their internal controls.”

Different Can Be Better

Do you really need to think about internal controls differently in a virtual world? Yes. Do organizations need to panic? No. Remember: The fundamental principles don’t change. “You don’t need to adopt a new framework and change everything,” Dohrer says. “Think about a control objective in the manual world, and then consider how that can be accomplished in the virtual world. Most businesses and auditors will find that a good understanding of fundamental principles will go a long way in this environment.”

Rather than dragging organizations down, virtual work and rethinking internal controls and processes should be propelling organizations forward, Sloan suggests. “At Grant Thornton, we’re focusing on quality and are working smarter by utilizing more advanced data. Examining data analytics has allowed us to be more precise and to home in on specific risks,” she shares. “From a technology perspective, remote work has helped us improve our communication and use more tools to facilitate collaboration. We’re not just doing what we’ve always done. Even when we’re back in the office, we won’t go back to the way things used to be.”

Leave a comment