Is the dust settling on new processes and procedures companies developed at the beginning of the COVID-19 pandemic? Before we enter another winter and calendar reporting period, it would be wise to look at ways the control environment has changed to ensure risks have been addressed.
Ironically, the pandemic came at an opportune time in terms of available technology solutions and an already existing desire for digital transformation of procedures. However, it revealed risks associated with technology solutions in practice and increased instances of technology attacks on companies’ information assets.
Tech in practice: for example, some companies were previously using virtual communication platforms like Teams, Zoom, GoogleChat/Hangouts. A flight to these platforms in the spring of 2020 revealed the need to monitor both the security of these methods (e.g., passwords on meetings) and bandwidth (i.e., increased connection speeds necessary with video streaming).
Tech attacks: for example, while phishing attacks have been on the rise for the past several years, they reached an all-time high during the pandemic with messages about COVID relief, new state or federal restrictions/guidelines, vendors changing processes, etc. Of the companies without robust employee training, many have turned to third-party providers to train employees on phishing. Other enhanced cyber controls have garnered additional attention, including multi-factor authentication, usage of secure networks, such as VPN, and prevention of exposure of company data via email through training or secure send methods.
With many workers forced to move to remote work status, processes that were completely or partly paper-based were forced to move to electronic processes (e-processes). Some key questions need to be asked, or a brief self-assessment performed, to verify nothing was lost in the transformation:
- Did initial workarounds require post-implementation review, or are there still loopholes to work around established controls?
- Did the control aspects covered by paper controls translate well to an e-process?
- Have physical inspection type controls (e.g., inventory counts) been adequately replaced?
Risks due to employee fraud usually fall into one of three categories, often referred to as the “fraud triangle.” It is helpful to use these categories to consider changes to fraud risk during the pandemic and in the post-pandemic world.
Certain conditions increase opportunities for fraud to occur, including:
- Controls are missing in new e-process
- Controls are not operating as intended
- Employee turnover leads to less qualified employees performing entry level work or supervising work
Certain conditions increase pressure to commit fraud, including:
- Company is attempting to secure financing
- Company has experienced cash flow shortages
- Remaining workforce is shouldering workload of sick employees
Employees may justify taking company assets due to:
- “Highly unusual” or “one off” circumstances
- Employees loyal throughout pandemic changes may feel they “deserve” a reward
- Employees experiencing a temporary financial hardship may feel they will “pay it back later”
Companies can address the changes to technology risks, process bypass, and fraud risks directly through monitoring (such as employee performance reviews), or they should consider such changes with professional skepticism when performing regular company risk assessments.
For more assistance assessing risk in your company, contact your Larson advisor today.