Maintaining Internal Controls for a Remote Environment
By Hassan Khan | November 23, 2020
Internal control environments are constantly evolving with employee departures, software updates, offered services and programmatic changes. However, given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred.
Remote work presents a unique challenge particularly for controls specific to information security as remote work environments do not usually have the same safeguards as in the office. When employees are at the office, they are working behind layers of preventive security controls. However, when computers leave the perimeter and people work remotely, new risks arise for the organization and additional security policies are essential. Organizations “should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network,” said the National Institute of Standards and Technology.
Following are some policy guidelines for when you or your employees are outside the office, as well as specific areas to focus on to shore up remote-work security:
Setting up and communicating remote-work security policies
Addressing authorization and authentication
Communicating with employees about phishing and malware campaigns tailored to the current crisis
Securing communication and collaboration channels
Providing vigilant IT support
Avoid public Wi-Fi; if necessary, use personal hotspots or an encrypted web connection. If you need to access the internet from a public Wi-Fi location, you have two essential problems. First, other people have access to that network and, without a firewall between you and them, nefarious personnel can hack away at your computer from across the room. Second, any interested observers on either the current network or any other public networks your data hits between you and your workplace can monitor your traffic.
One good option is to use a personal hotspot from a dedicated device or your phone. Although your web traffic will still be unencrypted between the hotspot and its destination, using a hotspot does remove the exposure to other people on the same public Wi-Fi. Additionally, for many remote access applications, you should use a VPN. VPNs provide a flexible connection to different services (email, an SQL server, etc.) and can protect your traffic.
Lastly, in some cases, you can also set up encrypted remote connections into a remote desktop or other individual server. Many of these connection types (RDP, HTTPS, SSH) include encryption as part of the protocol itself and do not require an additional VPN or other encryption service to secure the data in transit.
Keep Work Data on Work Computers. If you work at an organization with an efficient IT team, they may be installing regular updates, running antivirus scans, blocking malicious sites, etc., and these activities may be transparent to you. There is a good chance you have not followed the same protocols with your personal computer. Furthermore, your institution can likely afford higher-end technical controls than you can. Without those running in the background, your personal computer is not safe for work information because it could be compromised by a third party. Essentially, by introducing a personal computer to a work network, even remotely, you have put the organization's networks and yourself at risk, accepting the potential liability of extensive corporate damages through violations of policy, practices or both.
Block the Sightlines. If you are at a coffee shop, pay attention to your sightlines. If someone is behind you, they can see everything you are typing. Furthermore, someone with the right observational skills (like a cybercriminal) could easily watch what you are doing and identify confidential information. And keep your devices with you; in the time it takes you to use a restroom, your device could be quickly compromised by a threat actor with a USB stick that types pre-programmed sequences at 1000 words per minute.
Encrypt Sensitive Data in Emails and on Your Device. Sending emails with sensitive data is always going to be risky. It could be intercepted or seen by a third party. Encrypting the data attached to an email will prevent an unintended recipient from viewing the information. Also, be sure your device is set to have all stored data encrypted in case of theft.
Use a USB Data Blocker When Charging Up at a Public Phone Charging Station. If you need to charge your phone and the only option is an unknown USB port, a wise measure is to protect it with a USB data blocker to prevent data exchange and guard against malware. This type of USB protection allows the device to connect to power without exposing the data pins inside your device; it connects the power leads, but not the data ones.
Furthermore, some internal controls that require employees to be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas and whether there are compensating controls that can be designed to alleviate some of the control risk.
Accounts Payable and Check Signing. The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, are feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.
Segregation of Duties. As mentioned above, it is possible processes have inadvertently changed, making certain internal controls ineffective. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.
Digital Signoffs. You should also consider the way you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a signoff and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.
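To make the difference between typed initials and a credentialed signoff concrete, here is an added illustration (not part of the original article or any e-signature product): a signoff record that binds the signer, a timestamp and a hash of the exact document content, so that any later edit or a signer who never held the credential fails verification. The signer names and secrets are constructed, and an HMAC keyed per signer stands in for the asymmetric signature a real e-signature platform would use.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed per-signer secrets. In practice these sit behind the employee's
# login, so merely typing someone else's initials cannot produce a valid signoff.
SIGNER_SECRETS = {
    "jdoe": b"constructed-secret-for-jdoe",
    "asmith": b"constructed-secret-for-asmith",
}


def typed_initials(document: str, initials: str) -> dict:
    """The weak control: anyone can add these letters, and nothing can be verified."""
    return {"document": document, "signoff": initials}


def _payload(document: str, signer: str, signed_at: str) -> bytes:
    """Canonical bytes covered by the signature: content hash, signer and time."""
    digest = hashlib.sha256(document.encode()).hexdigest()
    fields = {"doc_sha256": digest, "signer": signer, "signed_at": signed_at}
    return json.dumps(fields, sort_keys=True).encode()


def sign_document(document: str, signer: str, signed_at: Optional[str] = None) -> dict:
    """Produce a time-stamped signoff that 'locks down' the document content."""
    signed_at = signed_at or datetime.now(timezone.utc).isoformat()
    tag = hmac.new(SIGNER_SECRETS[signer], _payload(document, signer, signed_at),
                   hashlib.sha256).hexdigest()
    return {"document": document, "signer": signer, "signed_at": signed_at, "tag": tag}


def verify_signoff(record: dict) -> bool:
    """Recompute the tag from the stored document; an edit after signing, a swapped
    signer name, or an unknown signer all fail."""
    secret = SIGNER_SECRETS.get(record["signer"])
    if secret is None:
        return False
    expected = hmac.new(secret, _payload(record["document"], record["signer"],
                                          record["signed_at"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def tamper(record: dict, new_document: str) -> dict:
    """Simulate editing the document after signoff, which verification must catch."""
    edited = dict(record)
    edited["document"] = new_document
    return edited
```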
Timely Review. Given the circumstances, it is not unreasonable that preparation and review may take longer than normal. Even if additional time is granted to prepare and review documents, you should consider the implications this has on the transaction class. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.
Information and Communication. For many organizations that have moved from a paper to a digital environment, sharing information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may be difficult. And those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.
Monitoring. Monitoring your internal control environment is of the utmost importance given these significant changes. You should have frequent conversations with control owners to ensure changes to processes do not render controls ineffective. Gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal controls. This also gives these departments the opportunity to cover any resulting gaps.
Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies of working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let us take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic.
About Hassan Khan
Hassan Khan is a Principal in Marks Paneth's Technology Services Group. Mr. Khan works collaboratively with clients' management, audit committees and boards, and provides independent, senior-level expertise that enables executives to drive value from technology and improve business performance. Over the course of his career, he has led and delivered advisory engagements including technology governance, risk and compliance assessments; organizational reviews; board governance; benchmarking and best practices reviews; enterprise risk management (ERM); internal audits; technology...