Many people worked from home on a full-time basis due to the COVID-19 pandemic, and are now able to start returning to their workplaces. However, these workplaces are not the same environments they left. All entities need to ensure their workplaces are safe and are referring to SafeWork Australia’s guidelines in planning and controlling their return to offices.
Social distancing requirements mean that your office’s capacity is probably not the same as it was before the pandemic. It is unclear if it ever will be. Entities are adjusting to these requirements by either rostering staff to work from the office on certain days or bringing back certain teams to the office on a full-time basis.
Does this affect my control environment?
Over the past few months, we provided some advice and guidance to entities about reconsidering their controls and governance. Now, the changing patterns of working from the office will probably affect your control environment again.
Entities need to ensure their controls are robust while their staff are agile. The recent outbreaks in Melbourne show how quickly a stable situation could unravel and result in large portions of the workforce returning to working from home.
Our blog on Operational controls impacted by the new working arrangements highlights several topics that entities need to reconsider in their return to office plans:
- Monitoring of manual controls—did controls change when staff worked from home, and are they changing again?
- Record keeping—while it always needs to be done well, in a changing environment key records could be lost or not documented clearly. In our blog Maintaining controls amidst a global pandemic we outlined why it’s so important to document changing policies, procedures and practices.
- Changes to staff roles and responsibilities—are staff who were redeployed to respond to COVID-19 and are now returning to their substantive roles briefed and ready to resume them?
- Supervision of roles performed remotely—dual workplaces present risks of fraud and error, just as working from home did.
- Risk of external attacks—the continued changes in how we work heighten the risk of external attacks.
Entities must also ensure they document any changes in process that management approves and clearly communicate these to staff. Doing so will validate what is happening in practice, and help entities avoid having their staff develop unapproved processes that may inadvertently expose the entity to unnecessary risk. If your entity hasn’t followed this approval and communication path, it should revisit it now.
Tone at the top
We raised several points about tone at the top in our blog Maintaining controls amidst a global pandemic, which entities should revisit.
Strategic oversight and support from an entity’s leaders are crucial during this time of change. They should set visible examples, clearly communicate with staff and transparently communicate with stakeholders. Returning to workplaces may create stress for staff and strong leadership goes a long way to effectively managing staff concerns.
Impacts on financial reporting
Don’t forget to talk to your audit team about changes in risk assessments and control environments. What is happening to your entity now is still relevant to your audit even if your return to the office was after 30 June 2020. Our blog on Assessing COVID-19 events after the reporting date and why auditors are required to review this explains why.
Build operational agility into your business through the right information technology investment for your entity.
- Maintaining controls amidst a global pandemic
- Operational controls impacted by new working arrangements
Reports to parliament:
- Managing cyber security risks (Report 3: 2019–20)
Other blog posts
- Assessing COVID-19 events after the reporting date and why auditors are required to review this
- How we’re working with our clients during COVID-19
- Are your ‘everyday’ internal controls strong enough to prevent a fraud attempt?
- How to electronically approve documents and expenditure
- Access controls for information technology systems
- Beware fraudulent emails
- Cyber security tips