Keeping Solid Internal Controls in a Remote Environment
By now I am sure you have either already completed, are in the middle of, or are preparing for your interim audit fieldwork. Auditors’ use this time to assess and often times test your internal controls over financial reporting, checking levels of review and approval, safeguards over financial assets and embedded controls and user access within your accounting system. This fiscal year, things are likely business as usual, right? But what about Internal Controls in a Remote Environment?
Now that we are in the midst of an unexpected pandemic, and a significant portion of agencies, if not all, are now being to forced into a version of a remote environment, many local governments have had to make adjustments to normal processes and practices in order to carry out essential duties. Now more than ever we need to make sure controls are put in place to ensure nothing gets missed or overlooked amidst all the chaos. Vendors and employees still need to be paid, cash still needs to be deposited and bank accounts need to be reconciled, but it is critical to ensure proper, and likely new, safeguards are put in place. Let’s take a look at some of the key areas and factors to consider.
Receiving Cash and Daily Deposits
With many agencies closed to the public, there is likely minimal cash and checks being collected in person, but still may be items coming in the mail that need to get recorded and deposited. Now may be a good time to encourage and even incentivize customers to pay electronically to reduce the amount of money being collected through the mail that requires the deposit. Some ideas to incentivize customers to pay electronically may be to temporally cease any convenience fees that are associated with e-payments, or similarly, if your agency uses a third-party vendor to process credit/debit card payments, consider paying the vendor directly for the administrative fees that often may be passed on to the customers.
For those payments still coming in the mail, it is key to ensure that the deposits being made still involve at least two people when being done to ensure everything that comes in is being applied to the proper accounts, and reconciled and deposited timely and accurately.
Accounts Payable & Disbursements
If you currently have a largely manual process for approving invoices for payment, this is likely the area that will be most impacted. Hard copy signatures or stamps of approval will be a challenge at best while a number of people are remote. The likely default is to resort to approving invoices via email, but this can be risky. Email approvals can often be easily modified or even used for approving multiple invoices that were not part of the initial approval request.
Now that you have had to resort to electronic approvals, consider using things like Adobe to lock documents being approved. Adobe gives you the capability to e-sign a document and instantly lock the document after it has been signed electronically. That locked document then can be passed on through an email, with the receiver being able to easily verify that it has been properly approved, as it will be locked with a time stamp and name of who approved and when. If you do not have access to Adobe, consider services, many of which are free, such as DocuSign that have similar capabilities to keep documents secure and not able to be modified.
If you are forced to simply rely on email approvals, make sure those approvals include easily identifiable information such as invoice numbers, dates, amounts, vendor names, etc. that can be tied to the invoice being submitted for payment.
Involved in this process, also consider what your typical process is to set up new vendors in the system. Letting guards down and loosening up controls, could make it easier for a fictitious vendor to be set up in the system and with our current situation, make it more likely to create fake invoices for services or products not actually provided, but that cannot be verified in person for now. Make sure it requires two people to set up a vendor in your AP system to avoid anything out of the ordinary occurring.
When processing payroll, some items of risk to consider are proper review the payroll edit listing prior to processing, how time cards will be approved and how manual checks will be handled. Although everyone may be apart, it is still key that departments heads or management are reviewing payroll edit listings for accuracy prior to being processed. Not only will this ensure things are running as intended, but also ensure that those employees who now may need a paycheck more than ever get it timely.
For those departments that still have manual time cards that may require supervisor approval, evaluate each individual department situation and identify ways you can make the process more digital without easing up the approval process or holding up payroll checks. Even simple measures and taking pictures of time cards that are sent for approval should be considered. Work with you payroll admin and human resource to consider what may work best of your agency.
Lastly, if you still process manual checks for payroll, now may finally give you the opportunity to require employees to have direct deposit information, and eliminate those manual checks all together. If you are still printing manual checks, make sure more than one person is involved in the process of preparing and distributing those checks.
IT & Cyber Security
Cyber criminals have not been resting and are using the current environment in their attempts to gain access to your systems and information. Ensure you are keeping your employees abreast to security awareness and the latest trends. Also ensure key controls are not being compromised including multi-factor authentication and mandatory password changes.
This unfortunate situation has really put us all in unchartered territory, creating stress, panic, discomfort and even fear. Instead of this being a time to throw all the rules out of the window, it can be a an opportunity to strengthen your organization even more by employing new technologies, moving to a more remote environment, creating even stronger controls and setting yourself up on the quickest road to recovery to be even better in the future once we get past all of this.
Keeping Solid Internal Controls in a Remote Environment