Operational controls impacted by new working arrangements
Most entities have recently made changes to their internal controls in response to COVID-19, including expanding work from home arrangements to sup
COVID-19 has been testing the resilience and agility of entities as they tackle looking after their people and managing sustainable operations. The health crisis also impacts many entities’ internal control environments and financial results.
This blog talks about risks to the broader internal control environment. For more information on detailed controls, please see our blog on Operational controls impacted by new working arrangements. We have also published a blog on How to electronically approve documents and expenditure, which has become increasingly important as entities continue to work remotely. We are preparing a blog on financial reporting considerations.
Many public sector entities continue to work from home to support social distancing rules—resulting in increased reliance on technology. This may increase exposure to cyber security risks and make access to information systems support challenging in some circumstances.
While Commonwealth and state governments talk about easing restrictions, entities can’t relax their approaches to risk management and entity level controls.
Strategic oversight and support from an organisation’s leaders, including executive officers and board members, are crucial as management continues to focus on responding to the effects of COVID-19. Some considerations are continuing to:
During this time, there will be instances when entities move away from established policies, procedures and practices to keep operations running. This may have already occurred for you. While controls need to be effective, it is essential for entities to identify new risks, reassess known risks and—as needed—modify processes and controls to cope with circumstances at times. Appropriate levels of management should critically review changes and consider what are acceptable risks.
Where management has approved a change in process during COVID-19, this should be documented, approved by an appropriate delegate, and clearly communicated so that staff know what the approved changes in process are. If your entity hasn’t followed this approval path, it should revisit it now. Documenting approved process changes will make it easier for entities to validate what is happening in practice. It will also help to avoid staff coming up with their own unapproved work arounds that may inadvertently expose the entity to unnecessary risk.
Here are a few items for managers to think about.
Remember to talk to your audit team about changes to your entity’s risk assessments and control environment.