While hope is on the horizon with the national rollout of the COVID-19 vaccine, most organizations started the new year under the same conditions as they ended the last – remote working arrangements, reduced personnel and a reliance on virtual interactions. As a result of all of these workplace changes, internal controls over financial reporting may have been unintentionally relaxed, and controls that were once effective no longer suit the current environment. If you haven’t already, now is the time to examine your existing internal controls over operations and financial reporting to determine if your framework is effectively mitigating risk.
To help you get started, here is a list of best practices for maintaining strong internal controls during this uncertain time:
- Identify New Risks
- Modify Your Controls as Needed
- Document Changes
- Monitor New Controls
- Communicate with Your Staff
- Communicate with Your IT Department
- Communicate with Your Auditor
Remember that it is management’s responsibility to identify new risks that arise when there are changes to your existing system or environment. Has a reduction in personnel or a shift in responsibilities resulted in a failure to segregate duties? Has the work-from-home environment caused you to implement digital approvals and, if so, has IT performed an analysis of passwords and other system safeguards to determine the reliability of those approvals?
Existing internal controls should be reassessed to determine if they address any new risks you have identified. Consider that with any changes to controls, financial policies and procedures will likely need to be modified, and formal roles and responsibilities may need to be altered.
Changes or additions made to your controls need to be documented and maintained, not only for audit purposes, but also for departmental integrity. Documenting the reasons for the changes, not just the changes themselves, is important, too, as well as when these changes were implemented.
As always, new and existing controls should be tested to ensure they are operating as intended.
Your staff needs to have a full understanding of changes in controls. Make sure you are communicating clearly with your team, addressing questions and monitoring changes to roles and responsibilities to ensure implementation.
Remote work means that many of your new controls will take digital form. Management should work closely with the IT department to design and implement effective electronic controls for this new environment. Because virtual work elevates the risk of cybercrime, your IT department should have practices in place to actively monitor and test the organization for phishing and other forms of internal and external threats.
Your audit is likely to be remote, so you need to coordinate closely with your auditor to plan accordingly. Functionally, the audit will likely require innovative means of conducting interviews, communicating status updates and sharing documents securely. Even more importantly, your auditor has the opportunity to see how other Districts are handling similar challenges and can be an outstanding resource.
While the pandemic created sudden and significant challenges in the workplace, it’s possible to maintain a robust internal controls framework that adapts to the changing environment with strategic planning, adjustment of your controls and open communication with your stakeholders. At CWDL, we believe that an important part of an auditor’s role is serving as a valued client partner to assist with implementation of best practices and continual District improvement on the whole. Contact us to discuss any of these points or more specific challenges that your District is facing during these unprecedented times.