The recent outbreak of the COVID-19 virus has created a scenario that has required most local governments to instruct many of their employees to work remotely. This is unchartered territory in an environment that is evolving daily, and most established policies, procedures, and controls were not designed to operate in this scenario. With many members of the accounting team and other key associates now working remotely and following unfamiliar protocols with indirect oversight, this could become a recipe for a breakdown in financial controls and increases the risk that fraud could occur. This article provides guidance on local governmental financial controls that should be considered throughout this crisis.
Governments are currently experiencing extensive disruption, and it is necessary for the finance function to continuously operate so that critical functions remain intact. Payroll, purchasing, accounts payable, and other necessary functions need to remain operating while also ensuring that taxpayer dollars continue to be safeguarded. Below are some key steps which governments should be performing right away to support the financial control system:
- Determine which processes are the most critical to remain operational and put alternative processes in place. It is typically the case that receipt and disbursement processing, as well as purchasing (including P-Cards) and payroll are the first processes to address. Communicate to all parties involved in these alternative processes to provide adequate guidance and ensure consistency.
- Ensure that employees can securely gain access to the electronic data they need to perform their functions. It will be crucial to involve IT personnel in these considerations to evaluate the impact of system firewalls and security systems.
- Ensure that employees understand what remote-work practices are secure and allowed and which are not. This may include ensuring the team knows under what circumstances they can use unsecured networks. For individuals with access to sensitive data, they must be reminded of any additional security procedures which they must follow now that they are working in a different environment.
- It is crucial that all changes made to approval levels, access rights, procedures, or responsibilities are tracked and documented in detail. Sudden changes to a process are likely to be a point of weakness; therefore, tracking the changes enables for more precise on-going and after-the-fact monitoring.
After the initial disruption has been addressed, it will be necessary for many governments to operate for an extended period in a remote-work environment. During this time, we recommend the following:
- Many processes will transition from being paper-based to electronic. Remember that approval sign-offs can be done electronically, provided they are unique and identifiable to a specific individual with the appropriate approval authority. It is important that no-one can falsely apply someone else’s electronic signature, which is preventable by implementing unique password-protected user accounts.
- During this period, governments will be more reliant on detective (after-the-fact) controls as the disruption increases the risk of failures in the preventative (up-front) controls. Governments should make certain that monthly reconciliations continue to be performed and reviewed (such as bank reconciliations, accounts payable reconciliation and reviews, and accounts receivable reconciliations) and may want to increase the level of review over these reconciliations.
- During this period, new vendors may be selected for services that were previously not needed or due to the unavailability of current vendors. However, new vendors bring additional risk; therefore, governments should ensure they have robust controls in place for vetting new vendors promptly and subsequently monitoring activity.
Once employees and management become familiar with the new processes (or possibly as they start to be able to return to the former processes) there are some follow-up steps which we would recommend:
- Using the process-change tracking documentation referred to in the “short-term” section above, management should analyze whether any of the changes can now be reversed and ensure those reversals take place as necessary.
- Management, with the help of the internal audit department, should perform spot-checks of the new processes to ensure compliance and that the proper approvals and adequate documentation are maintained.
- Management should evaluate their Business Continuity and Disaster Recovery (BCDR) plan to determine how well it worked, what has been learned, and to make any identified improvements to the BCDR plan.
Governmental Financial Controls Conclusion
In short, the disruption, sudden process changes, and remote-work environment increase the risk of a breakdown in governmental financial controls. Therefore, during this period, it is crucial that management make any necessary system modifications to enable activities to continue, and monitor transactions and processes closely to ensure they are being executed correctly and to identify potential long-term improvements for processes or the BCDR plan. Check out CRI’s Remote Work Toolbox for tips on maintaining a successful remote workforce, and contact your local CRI advisor for additional guidance.