The remote work environment many of us find ourselves in due to COVID-19 is a radical change for many organizations. There’s productivity, morale, human resource issues and a host of other considerations to be mindful of and proactively manage as a business leader.
One of those key considerations that should be at the forefront for every management team is the heightened risk of fraud. Computer hackers see a significant opportunity to take advantage of the current remote situation, finding new ways to infiltrate company systems. Is your organization doing everything it can to protect against fraud? Start by answering the following two questions.
As a result of going remote:
- What new or increased fraud risks exist? Did you create an entirely new process or expand on something you were already doing, such as expanding remote access to your network, and did you maintain proper protocols?
- What can go wrong? Perform a fraud risk assessment, evaluating incentives, opportunity and rationalization. Are you doing everything you can to mitigate these risks?
While organizations of all shapes and sizes should be performing some level of fraud risk assessment regularly, if you are not, now is the time to start. If you are, it’s time to reevaluate.
3 Key Areas for Any Internal Control Model
There are a few things that will be the most impactful when creating and enforcing internal controls throughout your organization:
- Tone at the top. Is the message coming from ownership or top management , reminding personnel of proper business practices and the additional need for quality and high standards? Is the message coming frequently enough, particularly now when we aren’t seeing each other face to face?
- Communication and information activities. Do people have the information they need to maintain quality, while insuring business information and assets remain secure? Do they have appropriate and frequent cyber awareness training?
- Monitoring activities. These become even more vital in our current environment. Review, at least monthly, who has access to your system and who is actively accessing it. Check your permissions. Who is allowed to access what? Going remote may mean some have permissions they no longer need, and shouldn’t have. For example, make sure the proper authorizations are set up for credit cards and expense report reviews, and wires and ACH payments. Also consider intrusion detection systems (IDS) and intrusion prevention systems (IPS) as additional forms of protection. Your own IT department or a third-party can give you more information on these important systems.
Read “Real-life Testing of Your Business Continuity Plan During the COVID-19 Pandemic”
Review Significant Transaction Classes and Needed Changes to Processes and Controls
Consider if certain procedures have changed in key areas, such as processing cash receipts, how you are issuing credit memos, and how cash is being posted and disbursed. Below are important procedural areas to evaluate and consider whether or not changes are necessary:
Revenue and Cash Receipts
- Mail vs. lockbox vs. credit card vs. ACH/wire transfers
- Issuing credit memos
- Posting receipts to the AR aging and management review
Accounts Payable and Cash Disbursements
- Creating new vendors
- Credit card usage and management review
- Expense reports and management review
- Authorization over disbursements (checks and wire approvals)
- Increased ACH usage
Bank Reconciliations
- Timely preparation and management review
Inventory
- Cycle count process
- Physical security
Payroll
- Adding new hires
- Termination process
- Time logs and approvals
- Wage changes and approvals
- Payroll report review and approval
Financial Reporting
- Journal entry approval
- Timely financial close process and approval
- Upper level management review over key metrics
Reevaluate Your Technology Controls
Using a predominately remote workforce also makes it a critical time to take a second look at your information technology controls, particularly the following areas:
- Does your accounting software provide sufficient functionality to appropriately segregate duties?
- Do any accounting software end users have the ability to modify the overall functionality that could significantly impact financials?
- Are the accounting software’s password parameters and lockout policies appropriately configured?
- Are spreadsheets located in shared drives appropriately secured?
- Are backups being periodically performed, actively monitored for completion and appropriately restricted to authorized personnel?
- Are employees educated regarding cybersecurity risks? Should your company implement a cybersecurity training program?
- Is system access appropriately restricted and regularly monitored and reviewed?
Remote life has its rewards and challenges, and it’s highly likely that working remotely will become more of a mainstay even after the pandemic is over. Evaluate your company’s internal controls not only during the COVID-19 crisis, but also on an ongoing basis to protect yourself now and in the future.
Contact Steve Guarini at sguarini@cohencpa.com or a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.