Upholding Internal Controls in a Remote Work Environment

Internal Controls

Written by Jared Ystad

January 21, 2021

Not-for-profit entities have a responsibility to donors and stakeholders to maintain strong internal controls to help prevent and detect fraud. With an increasing amount of staff working remotely because of the pandemic, controls that were previously put in place may no longer be operating as intended or as effectively as before. When you are in a physical office setting, it is easier to have physical security measures than when you have an employee working from home. Staff reductions or staff taking on new roles due to remote work may cause control gaps that could increase the risk of fraud or misstatement. Now is a good time to reevaluate the risks and the effectiveness of your control environment.

The following are some key points to consider:

Tone at the Top

Ensuring that the tone at the top remains focused on effective internal controls is critical. A key responsibility of the board is to ensure the organization maintains an adequate approach to risk management. A unified approach, involving both the board and management, when implementing process change is needed to ensure effective controls remain in place and will be more positively received by staff.

Communication is key to maintaining the tone at the top, and with a remote work environment that can become more difficult. Conversations that once happened naturally in the workplace via the breakroom or a quick passing in a hallway are no longer present. Even if not entirely work-related, those short daily conversations between management and staff helped to set an expectation and mindset of tone at the top. With remote work becoming the new normal, those communications now need to be more deliberate. Consider sending out weekly emails or scheduling one-on-one video conferences and phone calls with your staff. Opening up deliberate lines of communication allows management to continue to lead by example and engage employees in a remote work environment.

Assessing Risk

Management should periodically be assessing the risk of fraud and misstatement as environments are always changing. Whether the changes are normal or unplanned and unprecedented, such as COVID-19, internal controls can be designed to remain effective with changes in environments.

If you have incorporated remote work into your environment, take a look at how your processes and internal controls are working.

Key internal control areas that may have been affected by the introduction of remote work are:

  • Segregation of Duties: Duties are divided among different employees to reduce the risk of error or inappropriate actions. With a remote work environment, do you still have separation or has one person become responsible for multiple duties out of convenience?
  • Authorization and Approval: Transactions should be authorized and approved by someone other than the individual responsible for daily financial reporting to help ensure the activity is consistent with organizational policies and objectives. If you formerly had a manual review process and wet signatures were applied, how does this need to change in a remote environment?
  • Reconciliation and Review: Reviews of specific functions or activities involving cross-checking transactions or records are essential to ensure information is reported accurately. Can the review process be done in a remote working environment?
  • Physical Security: Now in a remote working environment, how are checks printed? Where is the check stock located?
  • Accounting System Access Controls: Controlling electronic access to keep unauthorized users out is a must. Do you have proper IT and cybersecurity measures in place now that users may be accessing systems from networks outside of the organization?

Different organizations will have different risks or needs for control changes depending on the operations. For organizations that were already operating in a digital environment, the change in risk assessment and internal control processes may not be as great as an organization that relies heavily on manual processes.

Like what you are reading? Get nonprofit accounting insights directly to your inbox. Subscribe today!

Sign Up

Update Controls for the Risks Identified

Once you have evaluated your risk assessment and noted areas where controls need revision in order to remain effective, make a plan to address those areas. The objective should be to perform the same procedures with the same mitigation of risk of fraud and misstatement as if everyone were still working physically in the office.

Using the same key control areas we addressed in our risk assessment, let’s look at some examples of what these controls may look like in a remote work environment.

Segregation of Duties

Keeping duties for custody, record keeping, reconciliation, and authorization segregated for functions such as cash receipts, cash disbursements, and payroll can be a struggle for non-profits as they often have limited staff in a physical work environment, not to mention in a remote environment. Oftentimes not-for-profits will even utilize volunteers to help keep duties segregated. So what do you do when your office may be closed and everyone is working from home? Adding a third-party service provider to any of these functions can help to mitigate risk and add layers of segregation.

Examples of third-party service providers: For cash receipts, you may consider using your bank’s lockbox services or using web-based donor management software with an ACH payment processing function. For payroll, you may consider using a third-party payroll provider such as ADP or Hawkins Ash CPAs. For accounts payable, you can set up automatic payments if available or consider using a bill pay service. Consider checking with your bank for services they may offer.

Authorization and Approval along with Reconciliation and Review

These two controls really go hand in hand. Oftentimes the authorization and approval process for transactions is given once the transaction is reconciled and reviewed and is completed by the same person(s) such as the Executive Director or a member of the Board such as the Chairman of the Finance Committee. For example, the Executive Director may approve payroll after reviewing the payroll prepared by accounting staff, or the Chairman of the Finance Committee may approve journal entries and bank reconciliations after review.

For items needing Board approval and review, even in times of lockdown or social distancing, make sure the Board and Finance Committee are still meeting regularly. Using Zoom or GoToMeeting are great ways for the Board to still operate and carry out fiduciary oversight.

You may also consider completing review and approval processes through email or using digital signatures for approval. When using digital signatures, make sure the signature requires an individual to enter credentials prior to signing. DocuSign and Adobe are some options to consider. Many financial accounting systems have the ability to attach supporting documents for a specific transaction and will allow for an electronic review and approval process. Contact your system provider to see what your options are for an electronic paperless environment. This may even improve your efficiencies on a long-term permanent basis.

Physical Security

You may think with everyone working from home, the office locked up, and the alarm set that physical security would not be an issue. Think again. Even with remote work, staff may need to access the physical office from time to time and a vacant or nearly vacant office lends a greater opportunity for fraud.

Cash can easily be secured by using a bank lockbox or donor management program as addressed in Segregation of Duties. However, if you keep a petty cash drawer you may want to consider depositing the funds. If the office is closed to the public, has limited hours, or is empty because of remote work, there is no need to keep cash on hand, no matter how insignificant the amount.

Check stock controls can also be enhanced by the methods addressed in Segregation of Duties by utilizing automatic payments. If you do have to print and use physical checks, consider having the accounting staff perform limited check runs from the office. If you previously performed check runs weekly, consider performing them bi-weekly. By no means permit staff to take check stock home to print checks remotely. You may also request your bank allow read-only on-line access to a member of the board finance committee so he/she may assist in monitoring bank activity and help prevent any out of sequence checks or unusual transactions.

File cabinets should be securely locked and any documents containing confidential or proprietary information should be filed away. Desks and work areas should also be clear of clutter and paper files. This will help prevent wandering eyes from accessing confidential information.

File servers and server rooms need to be monitored and managed. Working remotely means working more digitally. Processes and controls for electronic file storage and back-ups have never been more crucial. Evaluate policies and controls for access and authorizations. Make sure users only have access to the software they need to perform their duties. Remote access to company servers and resources should be established via secure connections. Consider using a virtual private network (“VPN”) or providing staff with MiFi mobile connections.

The physical security issues of laptops and other electronic peripherals that staff members take home also needs to be addressed. Make sure you communicate your processes, policies, and controls to staff about using devices owned by the organization. Consider setting an automatic locking of devices after a period of inactivity to prevent access without re-entering credentials. Also consider issuing privacy screen protectors, installing web blockers, and using two-factor authentication for log-ins.

Case Study: Your Donor Relations Coordinator is currently working remotely and uses a home office. She always uses a secure network through the MiFi provided by the organization and memorizes her login credentials rather than writing them down. However, one night when working from home she walked away from her laptop to make dinner and her son opened the laptop to search for video games. Leaving her laptop unlocked, even in her own home, exposed the company to risk. Any browsing that leads to sites unrelated to business could potentially lead to a security threat for the entire network.

Accounting System Controls

If your work environment has changed due to staff working remotely, have any duties been reassigned? As you addressed segregation of duties, have some steps in your processes been changed or eliminated? As your processes change, be sure to update accounting system controls as well. Access to specific areas such as accounts payable, cash receipts, bank reconciliations, journal entries and payroll should be limited only to the staff that performs those functions. Restricting access can decrease opportunities for fraud and misstatement and allows for segregation of duties within a remote environment similar to a physical environment.

Additionally, most financial software packages leave an audit trail or access log. Audit and access logs or other similar reports can help determine who has completed what tasks and when. This can be an effective tool for monitoring unusual activity and should be reviewed by management periodically.

As you decide on what changes will be necessary for your organization in order to maintain proper internal controls be sure to:

  • Clearly define and document the adjusted processes and internal controls
  • Identify any changes to roles and responsibilities needed to maintain internal controls
  • Communicate the modified processes and any role changes to all relevant parties
  • Keep accurate documentation for evidence that internal controls are performing as they should, even though it may be different than the evidence you maintained in the past

The above are just a few suggestions and a few items to consider. As your organization evolves and adapts to the changing world around us, you will need to continue to evaluate your level of risk. You may even be able to find efficiencies and benefits from a remote work environment. So take this time to evaluate your processes and internal controls so that you can make an impact on your organization that will last far beyond the COVID-19 pandemic. As always we are here to help. Do not hesitate to contact us.

Share This Article
Jared Ystad
I joined Hawkins Ash CPAs in 2017. As a Senior Associate, my main responsibilities include preparing and reviewing individual tax returns, preparing business year-ends for s-corps, c-corps, partnerships, 990s and trust returns.

I also prepare and review 1095 Health Insurance Forms. I also work on Employee Benefit Plan Audits and Assist with payrolls, payroll reports and bookkeeping.

GET connected. STAY connected.

Read More Like This

Getting a New Business Off the Ground

Getting a New Business Off the Ground

New businesses are launched every day, as evidenced by the number of Employer Identification Numbers requested, according to the U.S. Census Bureau. In the aftermath of the COVID-19 pandemic, there...