Have your internal controls adapted along with the rest of your entity over the last two years? Are you relying on manual controls that may no longer be relevant now that your workforce has become increasingly mobile? COVID-19 has pushed many companies to adopt a hybrid or remote workforce. As more employees work from home, employers need to update policies and procedures and ensure that adequate internal controls are in place, both in and out of the office.
A solid first step in revisiting your system of internal controls is a thorough evaluation of the greatest risks to your entity and its financial reporting. Consider new technologies, new outsourced service providers, and increased use of web-based software during this evaluation. Cybersecurity risk has grown sharply along with the mobile workforce and greater reliance on technology: more remote file sharing, use of personal devices, and use of unprotected or under-protected home networks all widen the attack surface. As the cyber risks intensify, so too should the internal controls your company employs to counter them.
Here are examples of controls that may be more relevant today than ever:
- Only allow company-issued equipment (laptops, peripherals such as keyboards and printers, USB sticks, etc.) to connect to the company’s systems and servers. This preventive control both lowers security risk and simplifies IT support. A written policy alone does not enforce it; back it with a technical check, such as granting VPN or cloud application access only to devices enrolled in the company’s device management, so that an unmanaged personal laptop is refused even when the user presents valid credentials.
- Secure cloud-based applications by requiring multifactor authentication (MFA). This control limits the damage from stolen, guessed, or reused passwords and strengthens access control over company data. Not all MFA is equal: SMS codes and simple push approvals can be phished or worn down by repeated prompts, so prefer phishing-resistant methods (hardware security keys or platform authenticators) for administrators and other high-risk accounts, and apply MFA to every account that can reach company data, including administrator and vendor accounts, rather than only to rank-and-file employees.
- Require regular security training to increase awareness among all employees. Consider whether your training practices are comprehensive enough, including scenarios specific to remote work such as personal devices and home networks, to foster a culture with strong security practices.
- Install firmware and software patches promptly. Vendors release patches to address known security issues and newly discovered vulnerabilities, so timely installation is critical. With a remote workforce, patching must also reach laptops that rarely, if ever, connect to the office network, so verify patch status on those devices rather than assuming it.
- Ensure that no one person controls an entire IT process from start to finish. Maintaining segregation of duties is critical to reduce opportunities for employee theft and misuse of funds; for example, the person who can change an employee’s bank account details in the payroll system should not also be able to approve the payroll run.
Outsourcing of tasks or entire functions is becoming more commonplace as companies struggle with labor shortages or look to cut costs. Before entering into a new relationship, perform adequate due diligence on the service provider. Additionally, continually monitor providers whose services or technology could have a significant impact on your business.
For example, the payroll function is often outsourced to service organizations such as ADP, Paychex, Paylocity, etc. It is typical practice within the payroll industry for these organizations to have System and Organization Controls (SOC) audits performed. In a SOC audit, the service organization’s management asserts that its internal controls are suitably designed (and, in a Type 2 report, operating effectively over the period covered), and a CPA expresses an opinion on that assertion based on the CPA’s own testing. If your company uses service organizations, obtaining and reviewing SOC 1 reports, which cover controls relevant to your financial reporting, can be an effective monitoring procedure. When reviewing a report, confirm that the period it covers lines up with your fiscal year (or obtain a bridge letter for any gap), and pay attention to the complementary user entity controls the report assumes you operate on your side; the service organization’s controls only hold up if you have implemented those. A qualified report indicates that one or more controls were not designed or operating effectively. While a qualified report may not be reason to immediately switch service providers, it is certainly worth considering how the service organization’s shortcomings could affect your organization.
Even the best system of internal controls must be modified as the business evolves and the workplace changes. Monitoring the quality of your own internal control system and those of critical outsourced service providers, and updating them for ever-changing conditions on a timely basis, is a process that shouldn’t be overlooked.