User Access Controls
In view of work from home, flexible working arrangements and individuals requiring greater access to systems to help cover for people who are off, user access controls may be compromised and conflicts of interest may arise.
· Monitoring controls in place – whilst it may be necessary to remove segregation of duties rules in place, it is critical for organisations to maintain an audit trail that can be referred to at a later date.
· The detection of fraud risks and management overrides.
Issues to consider:
· Understanding working capital requirements against scenario planning assumptions and assessing cash flow forecasts.
· Has the organisation done all it can to access government-provided fiscal support, and does it understand the longer-term implications of that support (for example, repayment of loans)?
· Challenging the completeness of management’s accounting and reporting impact analysis, particularly in the context of finalising March 2020 year-end financial statements and meeting the extended tax deadlines.
The Internal Audit function should understand the changes, both temporary and permanent, being made to the organisation’s internal control environment, with a specific focus on the following:
· Management review controls;
· Accounting judgment controls (bad debt provision, inventory provision, impairment of goodwill and intangible assets, fair value of financial and non-financial assets);
· Transaction processing controls;
· Cash payments controls;
· Automated business controls;
· Outsource service providers;
· Associate or joint venture accounting controls;
· Key person dependency/Super User access; and
· Resilience and remote working.
As the number of remote working environments and the use of third-party software to improve the effectiveness of remote working increases, individuals may inadvertently compromise business security.
Areas to consider:
· Are remote access controls appropriate and commensurate with the size of the organisation?
· How is the organisation monitoring the increased use of collaboration tools and other, often unapproved, applications, and are tools being approved only after proper vetting and due process?
· How are organisations raising awareness of malicious activity, and how are they preparing to detect and respond to it once identified?
· Does the organisation have sufficient and appropriate licenses in place to cover greater use of tools, technology, and software to support remote working?
· Are hand-held devices being used more as people work remotely and, if so, are they secure and controlled?
· How are organisations tracking third-party security plans in order to prioritise the availability of, and access to, services?
· How is the organisation monitoring the risk of malicious or inadvertent insider threats arising from disgruntled or displaced employees and contractors?
· With the increase in working from home offices, are there increased exposures in insurance liabilities?
· Are health and safety regulations still being complied with?
· Does the organisation have on-going processes in place to continue to meet all of its regulatory responsibilities?
· Does the risk assessment process need to become more agile and adopt more dynamic risk assessment methodologies?
· Helping organisations understand any single points of failure e.g. processes, employees and technologies.
· Developing and/or testing appropriate scenarios, plans or measures, including war-gaming, to restore business operations (disaster recovery plans).
· Validating and challenging key assumptions and estimates used by management to make decisions on mission-critical activity, and challenging and benchmarking management’s assumptions regarding the nature, extent and duration of the situation.
· Challenging management’s forecasts of business impact (e.g. going concern, pension scheme accounting, goodwill and intangibles, expected credit losses), noting that Q1 reporting deadlines are approaching and that many organisations have made public promises regarding customer concessions – are these being delivered, and is the financial impact estimated appropriately?
· Considering management’s assessment, monitoring, and contingency plans of key outsource service providers.
· Assessing whether sufficient resources, including third parties, are in place to maintain critical activities at sufficient levels.
· Determining how organisations understand and prepare for changes in demand and balancing the availability of both stock and resources accordingly.
· How best to provide assurance over joint ventures, whose owners may have different priorities.
· Has the organisation adopted a clear communication plan for its customers, including those customers who are particularly vulnerable?
· Has the organisation identified, or is Internal Audit able to assist in identifying, key contractual clauses which may offer relief during this time, such as:
o Force Majeure;
o Termination Rights;
o Notice Provisions;
o Liquidated Damages;
o Governing Law and Jurisdiction;
o Disaster Recovery and Business Continuity Provisions;
o Limitation of Liability;
o Supplier/Subcontractor location and supply chain path;
o Other applicable clauses.
· The adequacy of plans being put in place by organisations to maintain the health and well-being of their workforce, including the impact of remote working on mental health.
· Ensuring that any ‘workarounds’ used during the lockdown period are regularised and appropriately controlled.
· Is guidance on the appropriate use of social media during this crisis period available, and is it being complied with?
· Has the impact on business-as-usual HR processes, such as annual performance assessments potentially being suspended, been considered?