Keep your distance! – remote working & the control environment

Inevitably against the current Covid-19 backdrop there has been a flurry of marketing activity from organisations looking to exploit the crisis to gain more business.

Some are quite subtle, others less so – like the advert we saw on Facebook yesterday from a Kitchen company proudly announcing ‘Corona Virus Sale – 35% of all Kitchen units’ (ICE doesn’t do kitchens by the way)

Here at ICE the current upheaval has made us reflect on the implications of social distancing and the impact it will have on the variety of physical relationships that currently exist across all three lines of defence within the organisation and with external audit out with of the organisation.

Jim DeLoach, managing director at Protiviti recently had an interesting article published in Forbes about the impact of Covid-19 on Financial Reporting.

Amongst other areas, a key focus was on internal control considerations, two of which are of particular relevance in terms of impact: –

• Assessing operating effectiveness: all organisations assess the operating effectiveness of their internal control and usually internal and/or external audit issue an opinion on this. If remote work arrangements and site closures result in an inability to carry out this assessment, management may have to conclude that one or more material weaknesses in internal controls exist.
• Supporting evidence: A key determinant of the above, is supplying both internal and external auditors with sufficient evidence that controls are being performed as intended. In the current environment, this could be challenging. People working remotely may not have access to printers and scanners making it difficult to evidence control performance. Control owners may be redeployed, distracted or completely unavailable, resulting in controls not being performed on time or at all.

Many organisations still rely on ‘tactical’ approaches to support and facilitate their internal control and compliance processes. These consist of a myriad of fragmented and disparate spreadsheets, word documents, access databases, SharePoint sites etc.

Slightly more advanced are the web based solutions that provide documentation functionality, risk registers, audit planning tools and so on…

While these approaches cover the ‘bare minimum’ and may well be all that is required for organisations of a certain size and complexity, where they fail spectacularly at is the ability to facilitate remote co-operation between all three lines of defence and, in turn, between these 3LOD collectively and external audit.

Was a control performed on the day it was meant to be? If not, why not? If so, were there any issues encountered? What were those issues? Were those issues resolved or not? Was the performance of the control signed off by the appropriate people with appropriate oversight? What evidence do we have to support all of this? Is this evidence securely stored somewhere? What controls were not performed or signed off today? Who is responsible for them? Who has contacted them to chase them up?

So many questions. And that’s just for one control or one day. Replicate this over time and throughout the organisation and the types of tactical solutions outlined above just don’t cut it.

Imagine a different world – one where 1^st line of defence use a solution that lets them know what needs done, when, by whom and why. That pushes information to them about all this and lets them know if they’ve missed anything. A solution they then use to log information about what they do, upload evidence into, log any problems or issues in.

Now imagine a world where 2^nd line of defence use that same solution, where they can be monitoring on a day to day basis what is going on, what’s being done, what’s not being done, what problems are arising or developing. Where they can see in real time and from a distance what is going on in the areas that they provide internal governance and support for. Where they can take proactive rather than reactive measures to remediate issues, preventing the build-up of problems throughout the year.

In this same world, imagine if 3^rd line of defence also used this same solution. To plan what testing they will do in the period, what will be tested, how it will be tested, when it will be tested and by whom. Then during that testing, being able to call up within the solution, information about the actual performance of that control for any day or period – who done it, when did they do it, were there any issues, what were those issues, where they resolved or not and being able to examine evidence to support the performance. Imagine doing all this without leaving your desk (whether that be at home or in the office). Imagine not having to physically travel to countless locations and sites, hunting down evidence for things that may or may not exist from people who may or may not even work there anymore. Imagine how much time, energy and money would be saved all round by this. Imagine external auditors being able to do similar.

Just imagine?

The good news is that you don’t just have to imagine this. You can start using such a solution now. Right now. Of course, there will be some upheaval as such a solution is implemented and bedded down. As is the case with any implementation. But nothing like the kind of upheaval we are going through at the moment. And this is positive upheaval. Building bridges and breaking down barriers between all three lines of defence. Creating new and efficient ways to engage with external audit. In a time of physical separation, bringing people and functions closer together than they have ever been before. Reducing cost and complexity while improving quality. What’s not to like?

To learn more, visit www.ice-control.co.uk