COVID 19 – Evolving Internal Controls Landscape COVID 19 – Evolving Internal Controls Landscape

In the last few weeks, most of us have been working from home and adjusting with the ‘new normal’ whether it is working in a different environment, heavy leverage of technology or operating with remote teams.

Whilst in lockdown, one of things I did, like a lot of people, was to catch a glimpse of my favorite epics Ramayana and Mahabharata. An important lesson that both these epics impart is that, irrespective of the difficult situations one goes through, one should never forget his/ her dharma (Righteousness), whether it is war, loss of loved ones or loss of wealth. The timeless lessons include Acting with Integrity (abiding by the cardinal rules), Raj Dharma (duties of leaders towards people) and, ensuring Good Governance and Commitment (in managing one’s affairs).  Applying these teachings in the current scenario, people in-charge of Corporate Governance, including the Board and Audit Committees, need to abide by their Dharma of ensuring Good Governance and effective control framework. This duty bestowed by virtue of expectations from the Stakeholders and by virtue of the regulations.  Hence, a verse from the age-old scripts, “Dharmo Rakshati Rakhshitaha”, “Uphold Dharma and you shall be upheld”, still stands out as a sermon, which can largely be applied to organisations during these testing times. “Uphold Governance and the Organisation shall be upheld”.

An organisation’s control environment forms the foundation of effective Governance and has a direct impact on financial reporting. Looking at the rapidly developing scenario, Internal control framework will need to evolve to ensure organisations abide by their ‘Dharma’ of ensuring Governance, along with fighting the crisis. The new normal of a remote work environment has led to several new sets of challenges (e.g. Unauthorised or fraudulent transactions, changes in authority matrix, dilution in segregation of  duties, cybercrimes, ineffective review controls, etc.) which require the Management to determine if defined controls are still adequate, operating as designed and addressing all risks, especially given the emerging risk and control environment.

The underlying themes of such controls which have now been impacted include:

• Manual controls – physical sign off / approvals especially for cheque payments, manual filing of documents, requests sent to banks; business critical information which is reviewed & maintained manually
• Controls requiring mandatory physical presence, which are not designed to function in report work environment – physical controls over inventory and assets (including physical verifications), cash controls etc.
• Controls on segregation of duties – most review-based controls for critical functions are typically designed to function manually, they have now become ineffective and redundant
• Governance over data access and data sharing, internally within the organisation and with external stakeholders - has been severely impacted resulting in increased exposure to data breach, phishing & other cybercrimes. These are further aggravated due to sub-par policies around data governance which are essential in remote work culture
• Inadequate visibility on controls over financial reporting resulting in heavy reliance on Management review controls (MRC) – controls such as impairment, log reviews, financial reviews, PPR reviews, etc. may not be operating as designed impacting financial reporting. This shall be especially critical for Governing bodies, i.e., External Auditors, Independent Directors & Audit Committees approving the financial statements. Also, disclosure on the design and effectiveness of the key controls including MRC is required under regulations
• Impact of Business Continuity plan – and whether it includes mitigations on critical internal controls related aspects such as improved governance, revisiting risk assessment etc., given the changed business scenario

It is critical that Organisations introspect on certain fundamental aspects ensuring Governance:

• Is there an integrated approach to ensure effectiveness of internal controls during current times?
• Does the Control framework operate effectively in remote work environment?
• Does the existing risk and control matrix (RCM) address new and emerging risks?
• How do we ensure that oversight controls are effective even during remote operations?
• Is right technology being utilised to manage internal controls?
• Is the Internal controls framework designed to work in a continuous & ongoing manner?

Organisations need to adopt certain critical changes in existing control environment to adjust to the “new normal” of working and to re-assure healthy control environment, across all stakeholders. These include –

• Migrating from detective controls to preventive controls – strengthening & implementing the first and second line of defense. E.g., implementation of ERP-based controls for deviation from defined policy to eliminate the risk of occurrence (customer invoice more than credit limit, deviation in authority matrix etc.)
• Moving towards automation of all key manual controls to reduce dependency on people and physical access to work environment & at the same time enhancing the effectiveness/ accuracy over processing of transactions (For e.g. Verification of Security Gate records with material receipts, Incorporating MRP based monitoring to monitor inventory levels,  release of procurement schedules basis DOA in ERP, removing dependence on people and thereby nullifying/ minimising risks, Automate access management, use of Park and Post, etc.)
• Digitizing document management platforms or Workflow management system to process all manual documents seamlessly and securely and inclusion of approvals process for timely and effective completion, also facilitating real time remote monitoring
• Segregation of duties with consideration of fraud risks and clarity of delegations and changed system access
• Communication and standardisation of all changes in process and controls through revision of SOPs and Policies, where necessary, and for its effective implementation and adoption across the organisation
• Most importantly, supplement all controls and process with increased use of continuous monitoring and detection whilst defining indicators which would suggest controls may not be operating effectively. E.g., exception reports, periodic dashboards highlighting anomalies or deviations, red flag indicators, KPI-driven approach, etc.

Since the dharma to ensure good Governance is inevitable and there are changes across the controls landscape involving different stakeholders including Controllers, SOX / IFC coordinators, Internal Auditors, Risk officers, etc., there is a need for a collaborative approach involving all in-charge of Governance to work towards an “Integrated Assurance”.  Organisations need to reevaluate the effectiveness of Internal controls system, keeping in mind the short term, medium term and long-term impacts of the pandemic and organisation strategy. This needs to be done by implementing enhanced or compensatory controls, updated polices and procedure, effective use of technology and automation in processes.

A very few Corporates have achieved advanced maturity by substantially automating their controls via ERP Enhancement, RPA, Workflow System, DMS with an automated real time process governance monitoring. However, majority of the Companies are still heavily dependent on manual controls. While these advancements have always been on the “Wishlist” of Companies were not implemented due to budget constraints. This, however, has now become one of the essential and non-avoidable priorities for effective Governance.