As businesses fight to maintain viability in the face of COVID-19, their initial focus has been – quite rightly – on external threats.
Yet with change occurring at breakneck speed, losing control of what’s happening internally will greatly increase risk in three critical areas: fraud, regulatory compliance, and business performance and reporting.
Having the mechanisms in place to control these risks will be key to protecting enterprise and operational resilience.
Change is the underlying factor that’s intensifying fraud, compliance and performance and reporting risks. It is happening in three ways:
- Business change – major operational decisions are being made as organisations try to deal with unpredictability, cope with disruption and remain viable.
- Resource change – the shape of the workforce is rapidly evolving, due to sickness, self-isolation, furloughing, redeployment, changing job profiles, resource augmentation and remote working.
- Technology change – agile technological reconfiguration and emergency system changes are needed in response to business and resource change, to enable the organisation to operate in new and secure ways.
And all this is going on at lightning pace. As a result, important governance processes and internal controls may be neglected, or relaxed to enable agile decision-making.
Such controls include:
- Segregation of duties
- Systems access
- Physical protection of assets
- Management monitoring of exceptions and outliers
- Authorisation levels
- Four-eyes checks
- Recording and tracking inventory
Let’s take a look in turn at why relaxing these controls means greater fraud, compliance and performance and reporting risk.
1. Fraud
To sustain enterprise resilience, management is preoccupied with making business, resource and technological change happen. With their focus on day-to-day survival, there’s an increased likelihood of:
- Deviation from checks and controls on key processes
- Less rigorous monitoring of control framework breaches
- Reduced control over assets such as inventory, equipment, software and data
- Untrained or unqualified people executing key controls
This weakens an organisation’s defences against fraud and theft. Meanwhile, significant financial pressures on organisations and individuals may lead to:
- Misconduct by employees for personal financial gain
- Manipulation of financial results to comply with covenants or obtain government support
- Bypassing of trade and transaction controls, or forging of the necessary approvals
- Non-execution of approved transactions for personal or professional gain
- Processing of fraudulent claims for personal gain, or to benefit a known party
In this context, it’s important to investigate any suspected fraudulent activity, rather than pushing it down the priority list under the pressure to focus on the day to day.
Key questions to ask:
- Are we clear on our key controls over primary processes (such as payroll and order to cash), and on whether these are covered?
- What additional controls should be considered in order to reduce fraud risk?
- How is the performance of checks and controls being monitored while employees work from home?
- Are employees aware of the fraudulent tactics criminals are likely to use?
- Are we monitoring any significant deviations from our budgets and forecasts as a means to spot potential fraud?
2. Regulatory compliance
In the current climate, some regulators are relaxing reporting requirements and deadlines – but not the obligations they impose on organisations. Now is not the time to loosen your grip on compliance.
Businesses’ fundamental responsibilities won’t change. They’ll still be expected to obey the rules, behave ethically, and implement robust control systems and compliance mechanisms.
In other words, they’ll still need to:
- Treat customers fairly
- Show a duty of care to employees
- Protect individuals’ data
- Communicate honestly and accurately
- Promote and enforce the regulations to be followed
And of course, sector-specific regulations will still need to be observed.
You’ll therefore need to maintain robust levels of internal control over key aspects of compliance. Knowing your critical obligations, and adhering to them as changes are made to the business, will be vital when everybody’s focus is elsewhere.
You must also understand the implications of changes to the regulations affecting your business, and put measures in place to comply with them. Don’t assume everything has altered; make sure you know what has, and what hasn’t. As always with compliance, the devil will be in the detail.
At the same time, reminding people how and when to report regulatory issues, challenges and near-misses internally will be imperative. And making this easy for employees has to be a priority.
Compliance will be especially important if your company is seeking government support. Understanding the terms of this support, and having the controls in place to abide by them, could prove critical.
Key questions to ask:
- What are the critical compliance obligations that the organisation must live by?
- What controls will we need to ensure compliance, and what resources will they require?
- What controls can we temporarily remove, so as to focus on the critical ones?
- Do employees know what to do if there is a regulatory breach – i.e. how to report it, who to and within what timeframe?
- Who’s responsible for deciding whether to disclose activity to the regulator or market?
- What changes have been made to the rules in our sector, and how will we comply with them?
- Are we continuing to treat customers fairly – vulnerable customers in particular?
- What is our justification for any price changes? How will it be viewed by our customers and regulators?
- Are we continuing to provide a safe and healthy working environment – including for staff working from home?
- Is the information we are publishing true, accurate and not misleading?
3. Performance and reporting
When grappling with far-reaching change, it is easy to assume the basics can be paused. Yet monitoring, measuring and reporting on the financial and operational health of the organisation will be crucial not just during the crisis, but also as we emerge from it.
Management will still be expected to manage and report on the underlying performance of the business. Investors, lenders, regulators and customers won’t forgive you for lapses in your fundamental controls.
It will therefore be more important than ever to maintain accurate, complete and valid records of areas such as:
- Revenues, liquidity and cash-flow
- Incoming and outgoing orders, invoices issued, Direct Debit payments received, product despatched and cash collected
- Inventory received, what can and can’t be sold in the current climate, the obsolescence implications, and the impact on your financial position
- Contractual obligations with customers and suppliers
- Failures to notify relevant stakeholders of investment guideline breaches
- Employees’ responses to compliance attestations
Without understanding these, you can’t assess their effects on your operational and financial performance now or in the future. And if you don’t know that, you won’t be able to report on it further down the line.
Key questions to ask:
- Are we accurately recording invoices, orders, inventory, revenue, cash received, settled trades, etc.? Are the controls in place and working? If not, what should we put in place to improve them – e.g. data, technology, processes, people, etc.?
- Do we need alternative controls following any changes to resources and technologies?
- What controls can we temporarily remove, so as to focus on the critical ones?
- Are we carrying out the basic – but critical – activities? E.g. how is inventory being monitored and protected from theft? Who’s responsible for monitoring stock levels, matching and authorising POs, GRNs etc., and maintaining segregation of duties on the system?
- Who will step in if those responsible for these tasks go absent? Do they have the skills and time to do the job effectively?
- Is there leeway in your contracts to minimise the performance impact of COVID-19 disruption?
- How will we source these items from other suppliers if needed – while maintaining constructive relationships across the supply chain?
- Are employees responding to compliance attestations? Are these being followed up if not?
A considered approach
In times of crisis, management must emphasise the importance of prioritising key control activities. They must task the relevant functions with ensuring that internal control arrangements, resources and management systems are fit for current demands.
Following this five-step process will enable you to stay in control of rapid and fundamental business change:
- Define and prioritise the critical controls required to reduce fraud, compliance, and performance and reporting risks
- Check these controls are in place, and implement them as necessary
- Establish an assurance framework to monitor critical controls, and ensure that they’re operating effectively
- Identify who has responsibility for monitoring critical controls in each of the three risk areas
- Put contingency plans in place for the absence of those responsible for monitoring critical controls
The ideal control environment will of course be different in each sector, and for each organisation. But the essential elements will generally include:
- Segregation of duties. As far as possible, the authorisation, handling, recording and review of transactions are organised as separate activities. Compensating controls are in place where complete segregation isn’t realistic.
- Organisation. The company structure supports clear delegation, division of responsibilities and reporting lines.
- Authorisation. Transactions can only proceed once appropriate authorisation rules are met (e.g. independent approval, data quality, etc.).
- Security. Suitable measures protect the confidentiality, integrity and availability of data from internal and external threats. Assets such as data, equipment, software and premises are protected against physical and cyber-theft.
- Supervision. Skilled individuals in positions of responsibility oversee employees’ work. They ensure that staff perform the tasks required to the standard expected.
- Personnel. HR processes enable the right people to be put in the right roles, and equipped with the right capabilities.
- Governance. The board monitors performance against the business’s objectives, and highlights priorities and issues to divisional managers.
As well as preventative controls such as these, firms should enable the early detection of issues – with measures like exception reporting, and maintaining logs to support analysis. Use of data and analytics techniques should be enhanced and fast-tracked. The benefits to effective monitoring of critical controls will be substantial.
Changing risk profiles will drive a need to revise your internal audit plan. This will mean making quick, tactical adjustments in the first instance, followed by more strategic actions as life returns to normal.
We’ve underlined the need for greater vigilance around fraud risk, regulatory compliance and performance and reporting capabilities. Other areas for close consideration will include:
- Cash forecasting and management
- Programme assurance for new change initiatives
- Contract management
- Business resilience
- Key security controls
A health-check of these activities will assess whether they’re still operating as they should, or being significantly disrupted. It will highlight vulnerabilities in real time, and help you to develop viable solutions.
As conditions stabilise, you’ll need to develop a plan for the transition to more sustainable operations. This should be built around three pillars:
1. The impact of change on internal control
Review the changes made to the business during the heat of the pandemic. Were any important priorities neglected in the race to maintain viability? Have you strayed from your regulatory obligations? If so, where and how far?
2. What you can learn from the crisis
Don’t just return to the previous status quo. Identify the changes that will continue to make your business more resilient in the future, and embed them into your internal control environment.
3. The risks emerging in the aftermath
Consider the threats to enterprise resilience as economic activity resumes. How quickly will demand bounce back? How will you restore your supply chain to meet changing demand patterns? How accurately can you forecast cash flow?
Ultimately, your aim should be to understand your new risk backdrop; assess whether your internal controls are suited to it; make the right adjustments; and monitor the situation as it evolves.
That’s how to protect your business today, and prepare to meet the challenges and opportunities of the future.