COVID-19 has been testing the resilience and agility of entities as they tackle looking after their people and managing sustainable operations. The health crisis also impacts many entities’ internal control environments and financial results.
This blog talks about risks to the broader internal control environment. For more information on detailed controls, please see our blog on Operational controls impacted by new working arrangements. We have also published a blog on How to electronically approve documents and expenditure, which has become increasingly important as entities continue to work remotely. We are preparing a blog on financial reporting considerations.
Risk to the internal control environment
Many public sector entities continue to work from home to support social distancing rules—resulting in increased reliance on technology. This may increase exposure to cyber security risks and make access to information systems support challenging in some circumstances.
While Commonwealth and state governments talk about easing restrictions, entities can’t relax their approaches to risk management and entity level controls.
Tone at the top
Strategic oversight and support from an organisation’s leaders, including executive officers and board members, are crucial as management continues to focus on responding to the effects of COVID-19. Some considerations are continuing to:
- set visible examples of desired attitudes and behaviours aligned with your entity’s values
- review your risk appetite and risk tolerance statements, and ensure management and the broader organisation understand and work within these
- communicate clearly and regularly to ensure management and staff receive timely information
- transparently communicate with stakeholders on developments within your entity to guide decision-making, maintain trust and uphold your entity’s reputation
- identify and manage contractual commitments, agreements and other obligations from a legal and practical business perspective.
Management response
During this time, there will be instances when entities move away from established policies, procedures and practices to keep operations running. This may have already occurred for you. While controls need to be effective, it is essential for entities to identify new risks, reassess known risks and—as needed—modify processes and controls, at times, to cope with circumstances. Appropriate levels of management should critically review changes and consider which risks are acceptable.
Where management has approved a change in process during COVID-19, this should be documented, approved by an appropriate delegate, and clearly communicated so that staff know what the approved changes in process are. If your entity hasn’t followed this approval path, it should revisit it now. Documenting approved process changes will make it easier for entities to validate what is happening in practice. It will also help to avoid staff coming up with their own unapproved workarounds that may inadvertently expose the entity to unnecessary risk.
Here are a few items for managers to think about.
Remember to talk to your audit team about changes to your entity’s risk assessments and control environment.
Further resources
Reports to parliament:
- Managing cyber security risks (Report 3: 2019–20)
Blog posts:
- How we’re working with our clients during COVID-19
- Observations on ASIC report—Oversight of non-financial risk
- Are your ‘everyday’ internal controls strong enough to prevent a fraud attempt?
- Cyber security tips
- Access controls for information technology systems
- Beware fraudulent emails
- How to electronically approve documents and expenditure
Better practice guide: