Sustaining Healthy Internal Controls During the COVID-19 Crisis
COVID-19 triggered the activation of business continuity, disaster recovery and crisis management plans all around the world. For years, many businesses have identified business continuity, disaster recovery and crisis management as significant business risks. These risks can be described as a variety of disruptive events, including those related to weather, power loss, illness or cyber threat, potentially rendering a business’ building, systems, or people partially or fully unavailable for a period of time. Such events could require a full or partial implementation of these plans in order to maintain core business operations.
As with all known business risks, risk mitigation actions need to be identified and implemented. For the risks of business continuity, disaster recovery and crisis management, risk mitigation actions include regular plan updates and testing, among others. It takes strong diligence to ensure consistent updating and live testing of these plans on a regularly scheduled basis as part of your enterprise risk management strategy. Oftentimes, plan testing succumbs to competing business priorities and limited resources; however, those entities that performed these regular updates and tests of their plans were likely in a better position once their plans were activated due to the pandemic.
Once businesses activated their response plans and sent their employees home to work remotely, it quickly became apparent which processes would and would not work remotely. During this time of rapid change, it could have been easy to forgo the internal controls in place; however, there can be severe consequences in doing so. These internal controls are in place to protect the assets of the company and the integrity of the business’s reputation, and to support the continued operations of the organization. Simply forgoing controls will have dire consequences. Let me repeat that: simply forgoing controls will have dire consequences. Instead, it is likely that businesses will have to make adjustments to their internal controls to react to changing business processes and availability of personnel.
Additionally, with operations rapidly changing from in-house to all employees working remotely, the threat actors (the bad people) are waiting to exploit vulnerabilities. Maintaining healthy and strong information systems controls while working remotely is imperative, including controls around the protection of sensitive or private information. Because the protection of sensitive data is a significant risk to any business, the internal controls built around the process cannot be lax during the crisis response period. Threat actors are hungry and working hard to exploit any shortcuts. Don’t feed them. Maintain your controls, and add additional controls to changed processes where appropriate.
This pandemic has created forced automation everywhere. Operational procedures have been changed, automated, and made more efficient. Processes that used to include paper routing and wet signatures are no longer viable. We’ve experienced this at Beacon. In response to all of our employees working remotely, we’ve found new automated processes for items such as contract approvals, processing of accounts payable invoices, and employee reimbursements. As these processes have been automated, it has been vitally important to ensure that the controls around the process (audit trail of approvals) have been maintained, or updated to reflect the new environment. This is something that we have discussed doing in the past, but we have now been forced into these changes. And, guess what? We are better, stronger and more efficient for it now. This new process will stay in place once “normal” operations resume – whatever the new normal looks like.
Once we embark on restarting the economy, companies should maintain their streamlined, automated means of transacting business. It is unlikely that we will resume operations as we previously knew them, and the return to office operations will be different for everyone. Management should be mindful of additional changes to processes, or even reverting to the pre-pandemic processes, once office operations resume, and ensure the internal controls remain appropriate.
Also, just as it was important to have business continuity, disaster recovery, and crisis management plans in place before the pandemic, it will be just as important to have a plan to resume operations for the health and safety of employees, customers and anyone else who visits your workplace. For us at Beacon, the diligence and focus on updating and testing of our plans before the pandemic provided for successful plan activation and positive remote work operations, allowing us to be in a position to be conservative and methodical in our approach to returning to office operations.