Changing your processes and controls? Remember these tips to minimize risk
The coronavirus pandemic is likely forcing you to change how you do your work, such as processing payroll or paying your bills. For example, you might have fewer staff members working to do the same tasks. Teleworking adds another component, often requiring a change to how you process and approve transactions. We understand that local governments need to get the work done, but we'd like to share a few important things.
Changes can create risk
As you change your processes, you might create risks and opportunities for fraud to occur. For example, if your payroll clerk is working from home and processing payroll without any oversight or review, additional payroll payments could be made that are inappropriate. You might be tempted to trust your employees implicitly in these challenging times, but you'll actually be protecting your entity and your staff by considering the risks and making sure safeguards are in place.
Examples of changes that could increase risk
- Broader system access is granted to staff, so that they have more options and flexibility in how to complete their work.
- Transactions are processed and paid without the same level of oversight or review as before.
- More work is conducted over email. It can be risky to assume all emails are legitimate. For example, cyber criminals might intervene and send fraudulent emails hoping to extort money.
- Duties might change, and some of these might be incompatible for staff given their current responsibilities.
- Employees might take over tasks for which they have little training or experience.
- Managers might assume approval authority for systems or transactions they don't have experience with, and might not be sure what to look for to spot issues.
- Staff might fall behind in performing important controls, such as the bank reconciliation.
- Teleworking might require moving from a manual process to an electronic process quickly.
Steps you can take
We understand you might have to make some changes that increase your risk. But keep in mind a few things you could do:
- Use caution when making changes, and change only what you need to. You don't want to open yourself up to any more risk than necessary. Also, as you make changes, consider what risks you might be taking on.
- Plan for oversight over key financial processes. Make sure someone is authorizing or reviewing financial transactions to ensure they are appropriate. If you are a small entity, the ability to remotely monitor your bank account can be key. If you can't review 100 percent of an activity, make sure you are at least periodically checking.
- Remind staff to be cautious about relying on emails, and to call and talk with managers for confirmation — especially when given direction to make a payment or execute a financial transaction.
- Plan on extra oversight when staff are new to a process, such as payroll. You might even be able to solicit help from another government that has expertise.
- Make sure the most important controls remain in place and are completed promptly, such as the bank reconciliation.
- If you can, maintain segregation of duties to reduce your risk (separate duties for those who have custody of assets, authorize transactions, record activity, and perform reconciliations). However, if you lack the staffing needed to segregate duties, as always, make sure to build in extra oversight and monitoring to address the risks.
- Build in backup plans, such as backup approvers for transactions, and prepare to share and transfer knowledge early.
- If you have started doing electronic approvals, make sure that you can reliably determine who is doing the approval and what is being approved. It's important that no one can change the item after approval is given. Encourage your employees to call and confirm directly with management anything that seems unusual.
Just as important as addressing potential risks is documenting your thought process and consideration of risk as you modify your processes for your new, unexpected and challenging telework environment. Make records that show what changes you implement, and why.
Resources that might help you
Remember, we are here to help. We have financial management specialists at the Center available to talk through the changes you are making and give you our thoughts about your financial processes and options for additional controls. For assistance, reach out to Center@sao.wa.gov.
- Segregation of duties guide: https://portal.sao.wa.gov/PerformanceCenter/#/address?mid=6&rid=18538
- Cyber advice for any employee: https://portal.sao.wa.gov/PerformanceCenter/#/address?mid=6&rid=18539