As stay-at-home orders and social distancing have shifted the workforce in many ways, companies are left with many changes to their accounting and financial reporting environments. Many of these changes were expected, but some changes may have unintended consequences. Pre-pandemic policies were designed to set up effective and efficient controls. However, the controls that were designed may not be effective, or even applicable in the current environment. These changes present the perfect opportunity for management to reevaluate their control environment, begin assessing and updating the risks that lie within that environment, and redesign their policies and procedures.
How to Assess Your Internal Controls
The first and most important step in the process will be assessing where risk lies within the accounting and financial reporting systems. Management should consider where and how fraud or misstatements could occur. Once management knows where the potential risks are, management can insert the needed controls to deter and reduce those risks.
Segregation of Duties
One of the strongest ways to reduce risk is to achieve segregation of duties. This separates the physical custody of assets, record-keeping of the transactions, and authorization of transactions. Under the new normal, segregation of duties may have some barriers that need to be overcome. There are many resources that are available to help achieve better segregation of duties. One example would be using a lock-box to accept deposits. Once the receipt is entered into the lock-box, the accounting department can record the deposit, without having physical custody of any cash or checks. On the cash disbursement side, there are tools such as Bill.com or positive pay to ensure the vendors you want to pay are actually paid.
Strengthen Review Process
Another key control in the internal control environment is review. This can range from the review of KPIs, review of check support, review of bank reconciliations, or financial statement review. However, the review process is only as good as the reviewer. Too often, someone is going through the motions of the review, mainly as they are not exactly sure what they should be looking for. It is key that the reviewer has proper expertise or training. For example, while reviewing the bank reconciliation, they should review the list of payments, outstanding checks and other reconciling items and any other transactions that hit the cash account and reconciliation. The person tasked with the review should be familiar with the company’s vendors so they would recognize any irregular payments.
Electronic Approval
For many companies, some degree of remote work may be permanent. The amount of physical paperwork that circulates through the office may be significantly reduced, thus the approval process will look differently. Where old procedures would require formal written sign offs, such as initials on the bank reconciliation or signature on the support for cash disbursements, there may not be hard copies of these items to sign with a formal sign off. This is where electronic approval may replace old, hard copy approvals. It is important to note in the electronic approval what was reviewed and what is approved. This can take the form of an email approval to the appropriate personnel, or utilization within various softwares, such as DocuSign.
The workforce will continue to evolve over the next year, and each evolution should bring new considerations to the control environment. As mentioned above, the first important step is to assess the risk environment. This will be a continual process that management can implement into their daily processes. As each day brings about new changes, it is important to document and apply changes to the environment as they occur.
Our advisors are closely following COVID-19 relief efforts and will continue to publish insights to keep you informed about potential business impacts and benefits. Visit our COVID-19 Resource Center for more insights or contact Anders below to discuss how we can help you adjust your internal controls.