Re-Evaluating Internal Controls in a Remote Environment

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Are your internal controls still working as intended in a remote environment?

As remote work continues to redefine the workplace, it is imperative for organizations to place emphasis on the robustness and effectiveness of their internal controls. Businesses operating in a remote or hybrid work environment need to ensure the consistency of processes across decentralized teams. Leaders face the critical task of adapting internal controls to address these dynamics, ensuring they align with modern technologies and remote work strategies.

When evaluating internal controls, a framework that is widely used to design and implement internal control systems is the COSO Internal Control – Integrated Framework®. The Framework is made up of five components that include:

  • Control Environment – the standards, processes, and structures of a company – an organization’s “tone at the top”
  • Risk Assessment – the process of identifying and assessing risks to achieve a company’s objectives
  • Control Activities – the actions established through policies and procedures that help ensure management directives are carried out
  • Information and Communication – the process of identifying and capturing information and communicating in a form and timeframe that is necessary for individuals to carry out their responsibilities
  • Monitoring – the process of evaluating over time whether the system of internal controls is functioning properly

Control environments

In today’s remote/hybrid environments, having a strong “tone at the top” is of the utmost importance. Companies that focus on creating a strong Control Environment have implemented standards, processes, and structures such as a Code of Ethics Policy that employees are required to read and sign, a knowledgeable and independent Board of Directors, a Whistleblower Policy, organization charts that are communicated via the company intranet, and annual performance reviews, to name a few.

Risk assessment and control activities

For many companies, the Risk Assessment that is performed is informal and focused on the specific risks related to its Control Activities, including the risks of fraud. These companies design their accounting processes and controls to mitigate these process-level risks. Example control activities include approving invoices/payments, independently reviewing bank reconciliations, and segregating incompatible duties. We find most companies struggle with segregating incompatible accounting responsibilities because of limited staffing and the need to have backups for employee absences/vacations.

Information and communication

Many companies have transitioned from paper-based and in-person reviews to Information and Communication that is electronic, electronically transmitted, and reviewed remotely. Using electronic signature features within contracts, PDF documents such as invoices, and sharing Excel spreadsheets is commonplace. With the switch to electronic evidence of approvals come new risks that companies need to ensure are properly mitigated.

Monitoring

The job of Monitoring controls often falls to the internal audit group. However, many small to mid-sized companies do not have an internal audit function. For these companies, performing periodic internal control reviews can be a cost-effective solution. Internal control reviews are targeted evaluations of specific processes, often higher-risk areas such as cash disbursements and cash receipts. An internal control review will:

  • Identify internal control gaps, including segregation of duties concerns
  • Identify process inefficiencies
  • Benchmark company processes against industry best practices
  • Provide cost-effective recommendations to improve controls or process efficiencies

The key to a good internal control review is to develop recommendations that consider the company’s size, complexities, risks, and resources. In certain cases, a company might not be able to segregate responsibilities. Thus, instead of recommending adding headcount, a good control reviewer helps to identify other more cost-effective mitigating controls.

While there continues to be a push to have workers return to the office, the remote/hybrid work environment is here to stay. As a result, companies are having to make technology investments and think creatively to keep employees fully engaged, maintain a strong corporate culture, and ultimately provide for strong internal control environments. making the investment of having an internal control review performed to ensure that controls have been properly modified to reflect the remote environment.

Business leaders that prioritize strong internal controls will be better situated to protect company assets while fostering trust and transparency across remote teams. Companies can adapt to the ever-changing remote work environment and sustain organizational resilience by regularly assessing and refining these systems.

Keiter’s Risk Advisory Services team can provide your management team valuable insights on opportunities for enhancing internal controls and processes in a remote/hybrid environment and thereby create efficiencies while simultaneously reducing risks. Contact us for more information.

About the Author


Scott M. McAuliffe

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
