Control during crisis: The benefits of ISAE 3402 reports in mitigating risk and overhauling internal systems
The control environment of organizations has been, and continues to be, significantly challenged by the COVID-19 health crisis.
Jérôme Sosnowski - Partner - Risk Advisory - Deloitte
Sophie Binninger - Director - Risk Advisory - Deloitte
Loïc Timma - Manager - Risk Advisory - Deloitte
Published on 22 April 2021
It is official: we are in the second or even the third wave of a health crisis that has lasted for over a year. Economic uncertainty remains. Teleworking, which was initially a temporary measure put in place to ensure the operational continuity of organizations, has become permanently engraved in their DNA.
Remote working will therefore continue to have a considerable impact on the way we work for months to come. This new situation de facto forces the organization to rethink how it is organized, as it is now subject to new risks impacting its internal control environment.
New emerging risks
The health crisis has brought widespread remote working. Organizations are now, more than ever, exposed to new risks that they must identify and mitigate to ensure the efficiency and operational continuity of their activities and, consequently, of their existing internal controls. The most significant of these risks arise in the following areas (non-exhaustive list):
- Employees
  - Unavailability of key personnel due to the health crisis, preventing the satisfactory execution and/or documentation of certain controls (e.g. verification/approval of transactions/important documents);
  - Learning curve in terms of the use of technology by employees, resulting in operational errors;
  - Inability to carry out essential face-to-face meetings, preventing the execution of certain checks, such as observation tests.
- Information and control documents
  - Lack of reliable information that could prevent the control owners from carrying out their tasks adequately;
  - Inability to access reliable information on time;
  - Extreme volatility of the stock markets, making it more difficult to perform certain controls.
- Transactional processes
  - Transactions may be slowed down and not completed on time.
- Service providers (outsourced activities)
  - Service providers playing a key role in the organization's control environment are also affected. Their ability to perform their activities and the related controls on which the organization relies has accordingly been challenged during these tough times.
Impact on information systems
This situation inevitably implies increased use of communication tools and remote working, and therefore makes the robustness of the IT infrastructure more important. The emerging risks likely to occur and to have a material impact on the operational efficiency of control activities include the following:
- Incapacity of IT servers to support the high flow of remote connections;
- Access to various servers, networks, files, and applications is inappropriately allocated due to massive and urgent access allocation to a large number of employees;
- Increased cyber-crime risk;
- Potential absences of key IT personnel, preventing IT issues from being resolved or internal IT controls from being carried out (e.g. non-approval of changes to applications, databases or code; monitoring of ‘automated interfaces’; important software updates).
Impact on change management
In light of this ‘new age’, some companies will have to face major changes: controls will become more and more virtual, to the particular detriment of the first of the following three categories:
- Physical manual controls: proof of review materialized directly on the control documents by initials or a handwritten signature;
- Electronic manual controls: evidence of the review materialized using a computer tool (e.g. electronic signature, electronic initials);
- Automatic controls: no manual intervention, the information systems fully execute the control.
Electronic manual controls will become more and more commonplace, eventually becoming dominant within the organization. For an organization with mainly manual and physical processes, the changes to implement will be radical and will consequently require adequate management and monitoring. In adapting the internal control environment, particular attention should be paid to the following risks:
- Removal of key controls
  - By redefining policies and procedures, the organization will be exposed to the risk that certain key controls under the ‘old method’ will be removed and not replaced by new equivalent controls;
  - During the migration to new controls, there may be a transition period during which the controls cannot be carried out (because the organization will be busy putting in place the new policies and procedures); it will therefore be necessary to ensure that parallel controls take place for a certain period.
- Segregation of duties
  - A new distribution of responsibilities may turn out to be inappropriate and generate conflict of interest situations.
Management must face this unprecedented situation with the main objective of mitigating the risk factors to an acceptable level, thus making it possible to preserve a control environment favorable to operational efficiency. In order to mitigate the risk factors discussed, management should implement the following key elements:
1. Ensure that the key controls are indeed in place and are sufficiently robust to cover all risks: update the Risk Control Matrix (RCM), thus making it possible to identify and assess all risks. During this exercise, management will validate the new allocation of tasks and pay particular attention to those responsible for the associated controls in order to avoid any risk of conflicts of interest;
2. Establish and/or update policies and procedures: document the impact of remote work on organization procedures and notify all employees clearly and quickly. If the changes made are not permanent, then it will be important to indicate the exact period over which they will be applied;
3. Adjust the design of internal controls: updating policies and procedures also involves updating the design of controls (e.g. use of electronic control documents instead of existing manual control documents, electronic signatures with certificate, and remote controls);
4. Increase communication with ‘customers’: the organization and users of reports issued in accordance with the ISAE 3402 international standards should be in permanent contact in order to clarify management's responses to the health crisis;
5. Update the IT infrastructure: teleworking involves a large number of employees working remotely. The organization's servers and all IT infrastructure will therefore need to be able to support the organization's remote operations for all employees;
6. Ensure data and document integrity: the organization will need to ensure that data and documents are available at all times and remain accessible to the right teams;
7. Strengthen the monitoring of outsourced services in order to avoid any risk from third parties.
How can management assure proper functionality of the organization?
When we think about internal control, we think about "Service Organization Control reports", or "SOC reports" (reports on controls, and in particular reports issued according to the international standard ISAE 3402). ISAE 3402 reports present the internal control environment implemented within an organization whose services, relating to the transactional processes of its clients, are relevant to the preparation of those clients' financial statements. The purpose of this type of report is to allow users of outsourced services to obtain assurance with regard to the reliability of the internal control system for the services they pay for. Whether an ISAE 3402 report already exists or is in the process of being implemented, it represents a real opportunity for a service provider to reassure internal stakeholders (e.g. management, Board of Directors, among others) as well as external stakeholders (e.g. customers, prospects, regulators) on the reliability of the control environment, and thus to support management in its response to the various risks arising from this health crisis, which is unprecedented in terms of depth, duration, and impact.
Through the exercise of reviewing the quality of procedures and controls, an ISAE 3402 approach will not only strengthen the trust essential to maintaining good relationships between the service provider and its customers, but will also demonstrate the reliability of its control environment to key players, such as the external auditors or the regulators, and, moreover, show what the resilience and reliability of an organization represent in times of crisis. The operational teams and the service provider's management will thus benefit from supervision, support, and advice during the ISAE 3402 reviews, which will enable them to make their transition to a new, mostly digitalized control environment in a more structured way. The various advantages traditionally provided by an ISAE 3402 report, issued according to an internationally recognized standard, are even more important in a crisis: for example, securing a competitive advantage at a time when competition is getting more intense, minimizing the interventions of the external auditors when time and budget are limited, strengthening discipline in terms of controls, and reassuring the management bodies through an independent evaluation of the control environment at a time of profound change due to virtualization.
Leading organizations understand that risk is a source of competitive advantage. By managing risk more effectively these organizations unleash their full potential, creating and protecting value for all of their stakeholders.