It is very likely that internal controls may change when employees start working remotely. Businesses that were already operating in a digital environment, may not experience such a great change in risk assessment and internal control processes as an organization that relies heavily on manual processes. It is important to evaluate the processes implemented quickly during the early days of the pandemic to see if changes are required to prevent and detect fraud and error. Companies should consider its current controls and ask the question “what could go wrong” in its various functions within the business.

Impact on the risk assessment process

As workers are decentralised from “the office”, different risks and opportunities may emerge that should be considered in the risk assessment process. Whilst the benefits of remote working may actually have a positive impact on productivity and efficiency due to less office distractions, less stress, higher staff morale and lower operational costs and even impacting the environment positively due to a reduced carbon footprint, hidden risks may emerge that would require strengthened controls. These would include risks around distracted employees, employees that are unable to perform their functions remotely and the risks of malicious attacks from unauthorised users.

The first step in determining on what controls may need adjustment is to determine the additional risks that the entity is facing and designing controls to address these effectively. In this process it is important to:

  • Clearly define and document the risks, adjusted processes and internal controls
  • Identify any changes to roles and responsibilities needed to maintain internal controls
  • Communicate the modified processes and any role changes to all relevant parties
  • Keep accurate documentation as evidence that internal controls are performing as they should.

Impact on communication

A remote working environment will inevitably cause certain communication challenges. Those quick office discussions are no longer happening, and communication must now be deliberately scheduled. Therefore, having regularly scheduled video conference meetings can boost morale and keep productivity high while also emphasizing the need to perform the controls necessary for financial accounting purposes. It will also be useful to schedule one-on-one meetings to check in with employees and to ensure their work needs are being met.

Impact on the internal control environment

The following areas of the internal control environment should be carefully considered:

1) Segregation of Duties

Maintaining segregation of duties is very important and should be constantly assessed. Ask yourself the question: Is there still separation or has one person become responsible for multiple duties out of convenience?

It may be necessary to request employees to perform duties they have not previously performed. In reassigning duties, segregation of duties should be maintained between custody, record-keeping, reconciliation and authorisation.

2) IT Security

IT security is probably the most relevant area to consider. Areas that need careful consideration are:

  • Access and authorisation controls, including password controls
  • Servers – secured through a VPN to prevent malicious attacks
  • Physical and electronic access to servers and server rooms
  • Security, access, and retention of data in clouds
  • Auto-lock of computers in a period of inactivity
  • Use of digital signatures to prevent unauthorised changes, time stamps
  • Cloud-based accounting tools to maintain audit trails
  • Access and review of individual logins and alerts when any changes are made.

3) Review and Monitoring

It is likely that the preparation and review process may take longer than under normal circumstances. The implications of possible lack in communication, performance and the impact on service delivery should be considered.

The internal control environment must be constantly monitored to identify gaps, which must be addressed proactively. Audit and access logs can be effective tools for monitoring unusual activity and should be reviewed regularly.

Prepared by: Inge Theron