Behind the scenes: how Covid-19 shapes internal controls

in Industry Insights, 02.06.2020

Considerations for service providers

How is the lockdown impacting the internal controls environment? Is it really business as usual?

After weeks of home confinement, we’re starting to get comfortable with the uncomfortable situation created by Covid-19. We all know that the pandemic has brought significant business disruptions and that its impact will be measured and felt long after it’s over. In this challenging period, leadership teams within service organizations are constantly forced to shift their focus between employee well-being and quality client services. How is business as usual maintained in these unusual circumstances and how are service organizations considering the implications of Covid-19 in their internal controls?

In times like these, companies might prioritize business continuity and neglect internal controls. “We need to keep things moving,” or “Skipping this control step will not affect our process,” – this is the mindset of some companies as they attempt to continue “business as usual” with reduced internal controls.

In reality, this failure to maintain a strong internal control system could translate into severe consequences, such as financial losses due to error or fraud.

For example, for paper-based controls the control owners may not have access to scanners or printers, resulting in some of the controls not being performed at all. The unavailability of key personnel due to illness or extraordinary parental leave could affect the segregation of duties. Extraordinary authorizations given to employees to perform certain tasks might lead to errors; unauthorized, non-compliant transactions; or fraudulent transactions.

Managing business as usual in unusual times

When managing their internal controls, service organizations should consider the following:

  • Assess changes in the control environment: This may include extraordinary legal requirements, teleworking and the inherent risk of controls not being executed as designed.
  • Review existing controls: Identify alternatives to mitigate gaps in control activities to respond to current working conditions.
  • Review the frequency of controls: Reduce the frequency of low-risk controls and increase the frequency of the controls that are most exposed to high risk due to changes in the economic situation.
  • Reevaluate and reassess operating effectiveness of existing and newly established controls.
  • Reevaluate remote access controls: As most employees are teleworking, companies may want to evaluate the strength of controls related to remote access. Most organizations are using a Virtual Private Network (VPN) connection, while others opt for Virtual Desktop Infrastructure (VDI). Learn more about the differences between these two options and which one might better suit your organization’s needs.
  • Revisit cybersecurity controls: The current Covid-19 pandemic has expanded opportunities for cybercriminals. Service organizations may want to consider additional security awareness trainings and increase focus on anomalous security events identified through incident monitoring systems. some recommendations on how to reduce the risk to your organization and your employees in these exceptional times.
  • Draft incident disclosures: In the event of an incident that prevents service commitments or system requirements from being met, the service organization’s management may need to disclose the nature, timing, extent and effect of the incident and its disposition in their Type 2 (SOC 2) reports. The same applies for Type 1 (SOC 1) in the event of noncompliance, fraud or uncorrected errors. In these events, service organizations are required to disclose those incidents to their service auditors.

After the Covid-19 pandemic has passed, management should make further considerations:

  • Review lessons learned and decide whether internal controls can be enhanced based on experience gained during the pandemic.
  • Reevaluate risk assessments: This may include modifying the mid-year risks associated with the impact of Covid-19 and revising the annual risk, mitigation aspects and newly required controls to compensate for those risks.
  • Any controls or control frequencies that might have been reduced should be returned to normal.
  • Any exceptional authorizations or access permissions granted during the pandemic should be revised or removed as applicable.

Throughout history, we may not have always learned much from past mistakes, but one thing we have learned is that crises are remarkable catalysts for change, improvement and adaptation. If used effectively, the changes that service organizations are now forced to implement could result in more efficient, robust internal control environments better prepared for complex or unforeseen situations.

Next steps

To find out more about internal controls, download this factsheet.