How to Flatten the Risk Curve with Stronger Internal Controls

It’s time to adopt an enhanced risk and controls mindset. As businesses move to respond to today’s economic shocks, risk and compliance leaders should consider reassessing internal audit priorities and controls to ensure that employees stay within boundaries and reduce exposure to risk. As the Institute of Internal Auditors (IIA) reported in a pandemic update, the audit team should focus on “possible breakdowns in controls of processes as business functions operate from a remote or alternate location, or even from home.”

Protect Critical Business Systems and Information

Information security should be part of any business continuity plan. But COVID-19 has created risk and compliance challenges that few of us could have imagined even a few months ago. Businesses that have seen their revenue evaporate virtually overnight have been forced to reassign, furlough or even lay off employees. Others are rapidly adding new employees to handle increasing demand.

Both scenarios change the game for IT security and the measures you must take to enable secure remote access to critical business systems. Below are key questions to consider as well as insights to help you flatten today’s business risk curve—and keep it flat into the future.

Keep in mind the ‘least privilege’ principle, allowing employees only enough access to perform their job.

Is your remote workforce still able to securely access the information they need to do their jobs? Most organizations have technology such as VPN in place to enable employees to stay connected while working from home. But you should still keep in mind the “least privilege” principle, allowing employees only enough access to perform their required job.

Has segregation of duties (SOD) been compromised? Ordinarily, your internal controls mitigate risk by clearly defining which individuals or roles are allowed to perform certain duties. But workforce changes or reductions—not to mention possible employee health issues—can create ambiguity around these guardrails. After analyzing your organization’s SOD, you might discover that you need to add controls to compensate for these uncertainties. If you don’t have time to do an SOD analysis, err on the side of caution, especially if fraud risk is high.

Have you recently terminated or reassigned resources? If you’ve had workforce reassignments or reductions, have you appropriately modified or removed access to corporate networks and confidential information? Timely removal of terminated employees can be a challenge even in the best of times; now it’s critical to ensure this is done right.

Safely Respond to Changes in Demand

Drastic changes in daily life around the globe have disrupted typical patterns of supply and demand. Uncertain times call for uncertain measures. However, you should consider your risk appetite and how much your organization is willing to “bend the rules” to minimize the disruption caused by COVID-19.

Assess where you can flex with minimal risk vs. where you can’t.

Has a rapid change in demand increased pressure to process a high volume of transactions? In the absence of formal processes and procedures, there’s an increased risk that employees will skip existing controls. For example, in the rush to respond to sudden demand fluctuations, they might take shortcuts on customer acceptance or credit checks. Or, there could be workarounds on new business profitability analyses or revenue recognition that’s not GAAP-compliant. Assess where you can flex with minimal risk (operational internal policies and procedures) vs. where you can’t (GAAP and other regulatory requirements).

Along similar lines, has a surge in demand put pressure on your supply chains? Rapid increases in sourcing requirements might lead to lax vendor due diligence as well as bypassing procure-to-pay processes. Assess where you can afford to be flexible on proper bidding procedures in the interest of time vs. what’s unacceptable—such as unauthorized or abusive spending.

Reinforce Lines of Defense

The temporary halt to business-as-usual could have weakened your usual lines of defense as normal roles and responsibilities shift and processes adapt.

How is responsibility for risk management being impacted? Redeployment, reduction or reallocation of human resources has undoubtedly increased your exposure to new risks and control gaps. It’s essential to anticipate these changing risk dynamics so that you can respond appropriately.

Consider a RACI chart to document changes in transaction authorizations and risk monitoring.

For a decentralized organization, this could be an unknown. Consider a RACI chart—showing who’s Responsible, Accountable, Consulted and Informed—to document key changes in transaction authorizations and risk monitoring and identify the gaps.

Amplify Internal Audit Capabilities

These are just a few of the scenarios where an enhanced risk and controls mindset will enable you to respond to the current crisis while maintaining vital internal controls. Technology can provide even greater assurance that you’re addressing risks that temporarily exceed your organization’s risk tolerance and identify gaps that warrant immediate control remediation.

• Data analytics: Software can strengthen your overall risk assessment process by helping you fine-tune the specific audit focus and audit task prioritization.
• Robotic process automation (RPA): Bots can be deployed to save time and increase efficiency of internal controls assurance activities by automating access to ERP systems, pulling data samples for testing, and automatically executing test scripts.
• Remote work platforms: Technology that enables video conferencing, document sharing, remote data access and virtual collaboration and communication have become essential tools for business continuity. As a recent IIA Knowledge Brief noted, the COVID-19 crisis has intensified efforts to find alternatives to traditional face-to-face auditing.

If you need extra support, whether COVID-related or not, please reach out. Our experienced Risk & Compliance experts can provide remote support so that internal audit and compliance issues don’t have to take a back seat while you’re waiting to get back to the office.