www.bmf.cpa
COVID-19 Checklist: Reassessing Your Risks and Internal Controls
The global pandemic has caused nearly every business to rapidly adjust its operations to allow for remote and contact-less working environments. But during this abrupt pivot, some organizations may have adversely impacted their control environment, elevating their financial and fraud risks.
Below are five areas your business should evaluate for potential risk, including a COVID-19 Checklist to help guide your business through this evaluation.
RISK ASSESSMENT
If you currently have a documented risk assessment, now is the time to reevaluate it in light of the current environment. If you don’t have a documented risk assessment, you’ll want to assemble a cross-functional committee to develop one. Your team should be asking, “What else should we be thinking about?” A focused risk assessment process may churn up significant risks that would have otherwise gone unnoticed.
The three risk categories to focus on are:
- Disruption
  - Revenues – customer order fulfillment
  - Supply Chain – inventory requirements
  - Technology – remote workforce
  - Infrastructure – social distancing constraints
- Processes
  - Remote Workforce Impact
  - Highly Manual
  - Paper-Based
  - Onsite Dependent
- Treasury
  - Money Movement – cash inflows and outflows
MONITORING
As you evaluate your risk assessment, consider what changes are necessary to existing monitoring controls. For instance, in this current remote working environment, your personnel may not have the same access to facilities to observe something taking place on the premises. A remote workforce could be prone to distractions, resulting in a monitoring activity not being performed at all or not being performed with the same scrutiny as it would be onsite. Once existing monitoring controls are assessed, new monitoring controls may be necessary to bolster the control environment or to compensate for a preexisting control that is not as effective in a remote working environment.
Many companies have utilized a checklist to stay current with monitoring activities. We advise companies to continue using this practice and expand where necessary to curb organizational impact from distractions and other pitfalls from working remotely.
REVIEW
Multiple layers of review are a tried and tested detective control deployed by businesses to detect errors, omissions or other financial irregularities. Many of these reviews compare financial information to budget, forecast, prior month, prior year, etc.; to the extent the information the reviewer is looking at is within an analytical threshold, the reviewer typically approves it.
Effectiveness. How effective is that same review when those projections have been thrown by the wayside due to organizational disruption? When that expense line item went down 5% due to cost reductions, it makes sense on the surface, but should it be a 10% reduction? Or maybe it should go up because of a restructuring accrual? For a review to be effective, the reviewer needs to be well informed and inquisitive during the review process.
Thoroughness. The manner and environment in which the review takes place may also vary. Maybe that review compares multiple systems across different computer screens coupled with a paper-based report to be effective. Are you confident that a precision-level review can be replicated remotely?
Response Time. Perhaps there are questions during the review. What is ensuring those questions are being responded to appropriately? In an onsite environment, the reviewer may have been able to simply lean over their desk to ask quick questions and look at something together. Or perhaps the question had something to do with production or inventory. The reviewer could verify the inventory by finding it on the shelf or confirming the overrun with the shop floor.
Multi-layered management review controls are more important than ever. We encourage our clients to think about all their key management review controls, then put themselves in the shoes of the reviewer. Determine which controls may no longer be effective and determine the best way to augment them or implement a new control to compensate.
TREASURY MANAGEMENT
As they say, ‘Cash is King’, and it’s up to your organization’s treasury controls to ensure the ‘King’ is well protected. We recommend that your organization take a detailed look at its cash disbursement and cash receipt processes with an emphasis on the cash entry and exit points.
A remote workforce has not only changed the way you do business, it has impacted your customers and vendors as well.
Vendors. Have you noticed an increase in vendors requesting payment via electronic methods to minimize paper and contact? Do you have a control or written policy to process vendor payment change requests? What processes are in place to ensure the request was not initiated by a fraudster?
Customers. Have you recently started emailing invoices to your customers? Are they aware these are being emailed and have you pre-authorized distribution of invoices electronically? Best practice is to call your customer and confirm the appropriate email address before distributing any emails. This verifies your identity and also ensures your invoice makes it to the correct destination for timely payment.
As your company adapts to this increased paperless disbursement environment, it is important to consider controls around electronic payments. Several organizations continue to predominantly pay their vendors via paper checks with a very well controlled process incorporating redundant controls and levels of review. Electronic payments tend to be the immaterial ‘one-offs’. As your disbursement process moves to electronic payments, it’s important to ensure the same control objectives are accomplished as in your paper check writing process.
IT USER ACCESS
In a remote environment, software access may have been expanded to allow additional personnel to accomplish their duties from home or to compensate for a decrease in the workforce. It’s possible the expanded access has created a logical segregation of duties conflict (i.e., a user can create and pay a vendor). These conflicts may cause unintended consequences by significantly increasing the risk of fraud across your organization. Additionally, when users are working offsite with expanded access, curiosity may lead them to tinker in applications to explore the expanded access and test their limits. If you determine expanded access is required regardless of the conflict, the strong compensating monitoring controls described in this article should be implemented to help you verify that no wrongdoing is taking place.
Unquestionably, COVID-19 has changed how companies do business – now and in the future. The amount of change due to the pandemic has presented many challenges which have permeated all aspects of a company. By evaluating controls and processes early, you can minimize business risks presented under this “new normal.”
Our advisors are available to provide you support and insight to assess your business risks and internal controls to ensure your business stays protected.
Visit our COVID-19 Resource Center for information and resources for you and your business.
Eric D. German
CPA, MAcc