Maintaining Financial Controls in a Disrupted, Remote-Work Environment
Contributor: Lorri Kidder
Sep 12, 2025
Most nonprofit organizations have policies and controls that were not originally designed to operate in a remote work scenario. When a disaster forces members of key teams, like accounting, to work remotely, there is an increased number of people following unfamiliar protocols with indirect oversight and adapting to the implementation of new technologies. This technology implementation opens up the potential for a break in financial controls and increases the risk that fraud could occur. Be sure to consider the items below during this crisis to ensure that proper financial controls are maintained.
Short-Term
When a nonprofit organization experiences extensive disruption, it is necessary for the finance function to continuously operate in a way that allows critical functions, like financial controls, to remain intact. Payroll, processing of cash receipts, accounts payable, and other necessary functions need to remain operating while also ensuring that all revenue streams, including program grants or contribution dollars, continue to be safeguarded.
The following are some critical steps to perform right away to support the financial control system:
- Determine which processes are the most vital and take steps to develop alternative processes. Tasks like receipt and disbursement processing, as well as purchasing (including credit cards) and payroll, are the first processes to address. Communicate to all parties involved in these kinds of processes to provide adequate guidance and ensure consistency.
- Ensure that employees can securely gain access to the electronic data they need to perform their daily functions. It will be crucial to involve IT personnel in these considerations to evaluate the impact of system firewalls and security systems.
- Ensure that employees understand which remote-work practices are secure and allowed and which are not. This may include ensuring that the team knows under what circumstances they may use unsecured networks. Individuals with access to sensitive data must be reminded of any additional security procedures they must follow now that they are working in a different environment.
- It is crucial that all changes made to approval levels, access rights, procedures, or responsibilities are tracked and documented in detail. Sudden changes to a process are more likely to be a point of weakness; therefore, tracking the changes enables more precise ongoing and after-the-fact monitoring.
Medium-Term
After the initial disruption, it may be necessary for the workforce to operate remotely for an extended period of time. During this time, we recommend the following:
- Many processes will transition from being paper-based to electronic. Remember that approval sign-offs can be done electronically, provided they are unique and identifiable to a specific individual with the appropriate approval authority. It is important that no one can falsely apply someone else’s electronic signature, which is preventable by implementing unique password-protected user accounts.
- Determine if there can be alternative delivery channels utilized to continue providing programs and services to members. These delivery channels might include the implementation of technology that will require enhanced security measures to ensure that data is protected.
- Those nonprofit organizations that are cash donation intensive might evaluate additional online platforms to keep contributions flowing. This switch to online platforms will require the implementation of new controls to ensure appropriate access to funds, adherence to restrictions placed on donations, and monitoring for possible fraudulent activity.
- During this period, nonprofit organizations may become more reliant on detective (after-the-fact) controls as the disruption increases the risk of failures in the preventative (up-front) controls. Financial leaders should make certain that monthly reconciliations continue to be performed and reviewed (such as bank reconciliations, accounts payable reconciliations, and accounts receivable reconciliations) and may want to increase the level of review performed over these reconciliations.
- During this period, new vendors may be selected due to the unavailability of current vendors or the addition of services that were previously not needed. New vendors bring additional risk; therefore, leaders should ensure they have robust controls in place for vetting new vendors promptly and subsequently monitoring activity.
Long-Term
As employees and management become familiar with the new processes — or as they begin to be able to return to their former processes — keep these follow-up steps in mind:
- Using the process-change tracking documentation referred to above, management should analyze whether any of the changes can now be reversed and ensure that those reversals take place as necessary.
- Nonprofit organizations might continue to deliver services and programs remotely and also utilize new donation collection methods. Management, with the help of the internal audit department, should perform spot-checks of the new processes to assess compliance and verify that the proper approvals and adequate documentation are maintained.
- Management should evaluate their business continuity plan to determine how well it worked, understand lessons learned, and make improvements.
Disruption, sudden process changes, and working in a remote environment increase the risk of a breakdown in financial controls. Therefore, during this period, management must make any necessary system modifications that will enable activities to continue, and they must closely monitor transactions and processes to ensure they are being executed correctly. For more information or help strategizing improvements to your business continuity plan, reach out to a CRI advisor.