Are Your Internal Controls Still Effective? – Managing in This Challenging Environment and Beyond
4.14.20 | Client Alert (Updated 2.14.22)
We have all experienced unprecedented changes in our living and business operating conditions. In such an environment, it is not only a best practice but strongly recommended that organizations reassess the risks to their accounting, safeguarding of assets, and financial reporting.
The world has changed and will continue to change. In such a fluid environment, every organization—large or small, private or public—should perform a risk assessment. The following risks emerged as a result of the “shelter in place” directives, which required most organizations to shift into remote operations.
Risks Exposed by the Pandemic
- The inability of control owners to perform controls due to absences, either because office closures prevent them from physically performing the controls or because employees have become disabled
- Information Technology gaps arising when employees cannot operate “legacy control procedures” remotely because they lack training and require supervision and support from other members of their team(s)
- Exposure to Information Technology limitations, for example, not having remote access to all “legacy systems”
- Information Technology application performance concerns, including data transmission bandwidth or other performance-related issues resulting from operating remotely in VPN or VDI modes
- Lack of information flow from subsidiaries, or other parts of the organization, which may affect management’s ability to effectively operate controls
- Lack of information exchange between the organization and its external sources, such as suppliers, customers, banks, or government sources
- Inability to “close” fiscal periods and “report” financial and management results used in review, analysis, and decision making
- Loss of essential information that businesses need to obtain evidence that their controls are designed and operating effectively
- Increased uncertainty over the security of employees’ home office environments, including both physical and logical access to confidential information and the ability of employees to perform normal operational duties
Where Does Your Organization Stand?
An organization’s next step is to perform a risk assessment by documenting processes and controls and performing a “design effectiveness” analysis. It is important to determine if the organization’s “legacy controls” are still in place. For example, a company’s controls to release vendor payments still need to have the same approvals in place as they did prior to the COVID-19 pandemic. By asking the following questions, and by understanding and documenting each process, an organization can obtain a complete picture of how it processes significant transactions as well as of its risk exposure in the current environment:
- Are control approvals still in place and executed accordingly?
- Does management have the same access and information available to them to exercise their oversight?
Are Controls Operating Effectively?
Once you have concluded that the design of your controls is still effective, the next step is to determine if the controls are operating effectively:
When invoices are approved, does every invoice have the same level of scrutiny or are some elements of the “legacy” oversight slipping through? If so, the controls may be designed appropriately, but not operating effectively.
What Needs Redesigning?
Once the risk assessment is completed, an organization may need to redesign its processes and controls, adopting enhanced or alternative ones.
A company may want to modify its payment approval process by requiring that a call be made to a payment requester before wiring funds, sending a check, providing sensitive information, changing direct deposit accounts, or updating system settings.
When redesigning threshold amounts, consider requiring management review, as a company’s historical tolerances may need to be revised to meet the challenges of its current control environment.
The risk assessment process does not stop here! Continuous monitoring is required to ensure that redesigned processes and controls are operating effectively. Ideally, a risk assessment process similar to the one described above should be conducted on a periodic basis to ensure controls are both designed and operating effectively.
If you have any questions or need assistance, contact Alexander Moshinsky at 212.331.7448 | email@example.com or reach out to your Berdon advisor to inquire how we can remotely review your processes, risks, and controls and prepare a risk assessment to help your operations in this challenging environment.