Maintaining Strong Internal Controls in a Virtual Environment By Dennis Maschke, CWDL Audit Partner While hope is on the horizon with the national rollout of the COVID-19 vaccine, most organizations started the new year under the same conditions as they ended the last – remote working arrangements, reduced personnel and a reliance on virtual interactions. As a result of all of these workplace changes, internal controls over financial reporting may have been unintentionally relaxed, and controls that were once effective no longer suit the current environment. If you haven’t already, now is the time to examine your existing internal controls over operations and financial reporting to determine if your framework is effectively mitigating risk. To help you get started, here is a list of best practices for maintaining strong internal controls during this uncertain time: 1. Identify New Risks Remember that it is management’s responsibility to identify new risks that arise when there are changes to your existing system or environment. Has a reduction in personnel or a shift in responsibilities resulted in a failure to segregate duties? Has the work-from-home environment caused you to implement digital approvals and, if so, has IT performed an analysis of passwords and other system safeguards to determine the reliability of those approvals? 2. Modify Your Controls as Needed Existing internal controls should be reassessed to determine if they address any new risks you have identified. Consider that with any changes to controls, financial policies and procedures will likely need to be modified, and formal roles and responsibilities may need to be altered. Page 9 6. Communicate with Your IT Department Remote work means that many of your new controls will take digital form. Management should work closely with the IT department to design and implement effective electronic controls for this new environment. Because virtual work elevates the risk of cybercrime, your IT department should have practices in place to actively monitor and test the organization for phishing and other forms of internal and external threats. 7. Communicate with Your Auditor Your audit is likely to be remote, so you need to coordinate closely with your auditor to plan accordingly. Functionally, the audit will likely require innovative means of conducting interviews, communicating status updates and sharing documents securely. Even (continued on page 22) “Stronger Together!” 3. Document Changes Changes or additions made to your controls need to be documented and maintained, not only for audit purposes, but also for departmental integrity. Documenting the reasons for the changes, not just the changes themselves, is important, too, as well as when these changes were implemented. 4. Monitor New Controls As always, new and existing controls should be tested to ensure they are operating as intended. 5. Communicate with Your Staff Your staff needs to have a full understanding of changes in controls. Make sure you are communicating clearly with your team, addressing questions and monitoring changes to roles and responsibilities to ensure implementation.
10 Publizr Home