As the world of work continues to evolve post-pandemic, many businesses and organizations have found that working remotely, either full- or part-time, is not only possible but preferred by many team members. Regardless of whether your employees are working in the office, from home, or in a hybrid model, having strong accounting internal controls is critical. That’s why it’s important to look at those processes that may have been implemented quickly during the early days of the pandemic to see if changes are required to prevent and detect fraud and maintain strong internal control.
Here are several primary areas of internal control that may be impacted by alternative work environments and tips on how you can address these areas in your business or organization.
Segregation of Duties
When it comes to the segregation of duties for functions like payroll, cash receipts, and cash disbursements, the general rule is that no one person should have control over an entire process. Responsibilities for custody, record keeping, reconciliation, and authorization should be shared. Without segregation of duties in your main processes, fraud and error risks are far less controllable.
But this can become challenging if you are operating with a reduced staff or if employees are working remotely under alternative work schedules. Some nonprofits have incorporated volunteers to help keep duties segregated. For businesses, you may need to get creative and ask employees who may not have been previously involved in the process to take on new roles.
Another option for mitigating risk and adding layers of segregation is to incorporate the services of a third-party provider. For payroll, this could be a payroll service provider. Cash receipts can be handled through your bank’s lockbox service or through a web-based solution with an ACH payment processing function. Accounts payable can be streamlined through automatic payments or a bill pay service.
Authorizations and Approvals
Processes that occurred naturally in an in-person office environment became more challenging when team members became segregated in home offices. In a “normal” office scenario, an invoice to be paid has a person sign off to authorize payment, then goes to accounts payable, and finally to another team to cut the check. But in a remote office environment, this process becomes virtual, with digital approval through a service like DocuSign or Adobe Acrobat, or even through a chain of emails. Whatever the process is, what’s most important is to have documentation maintained through the entire approval process. Another alternative is to incorporate a service such as Bill.com that routes you through the entire process digitally and eases the burden of tracking documentation with an automated audit trail.
Another consideration when it comes to authorizations and approvals is the timely review of bank statements. It’s crucial that someone in the operation (whether that’s the CEO, treasurer, or even a board member) takes the time to review these statements to ensure nothing unusual has occurred. These statements should be mailed directly to the authorized person, unopened, and in a timely manner. Don’t let 4-5 months go by and don’t let the fact that nothing unusual has been identified in the past prevent you from thoroughly reviewing these bank statements. You can also grant online access to monitor bank activity for an additional layer of protection to help quickly identify any unusual transactions or out-of-sequence checks.
Physical and IT Security
While the physical office sits empty and employees visit only infrequently, the opportunity for fraud may increase. Any cash that has been kept on-site should be deposited or kept in a bank lockbox, regardless of the amount. In cases where automatic payments cannot be implemented and physical checks must be run, employees should be required to perform these runs from the office on a limited basis rather than taking check stock home to print remotely. File cabinets should be appropriately locked and any sensitive information should be cleared from desks to prevent confidential information from being accessed.
Equally important is your digital workspace, and this includes proper maintenance and management of your file servers and back-ups. Take the time to evaluate your current policies and controls for access and authorizations to ensure users only have access to the software needed to perform their duties. In a remote work setting, company servers should only be accessible through secure connections like virtual private networks (VPN), and the passwords used should be changed routinely, for example, every 90 days. Finally, when it comes to computer policies when working from home, ensure that devices are set to auto-lock after a certain period of inactivity to keep an unattended computer from being compromised by a child, family member or another visitor to the household.
By addressing these areas of internal control and evaluating your processes on a regular basis, you can help minimize risk, regardless of whether your team is back in the office or continuing to work remotely. Regardless of location, maintaining open communication, conveying company values, and fostering a sense of mutual trust is critical to keeping your team connected and committed to the business. You may not have a formal ethics policy, but you can convey to your employees that ethical behavior is core to the organization’s culture and reinforce these values through regular communication with your people, whether remote or in-person. Establishing this sense of trust sets the foundation for creating internal controls that will serve your organization well into the future of work, regardless of what that may look like.
ABOUT THE AUTHOR
Samantha Phillips, CPA is a manager in the audit and assurance division at Kerkering Barberio. Mrs. Phillips has experience in nonprofits (including Governmental Single Audits under the Uniform Guidance) and commercial audits. She can be reached at (941) 365-4617 or by email at .