The pandemic sent many employees home on short notice in March, meaning there was little time for finance and accounting teams to map out how everything would work in this new operating environment. Most departments didn’t have a plan at the ready for working from home, so they figured it out as they went.
One mechanism that may have weakened during this sudden shift is financial controls. But businesses can’t afford (literally) to overlook them, because financial controls serve as a framework that facilitates financial responsibility and shapes how your money is allocated and spent. They prevent fraud, unexpected large withdrawals from your bank account and other problems that can kill a business’s cash flow and harm its immediate and long-term financial health.
For the most part, businesses do not need to dream up new financial controls now that accountants and finance leaders are working from home. Rather, they need to figure out how to make established financial controls work with a dispersed workforce, especially as it becomes clear many employees will be working remotely well into 2021 — and maybe for good.
“Controls are in place to help manage risk,” Jeff Nourie, principal, strategy and business transformation at The Hackett Group(opens in new tab), said. “If you don’t review and adjust them periodically, you're bound to fall out of alignment and open yourself up to whatever the risk is that you're trying to control against.”
A company’s top financial leader — whether a CFO, controller or other — should lead the development of this strategy. They should start simple and embrace technology as a powerful and necessary tool in this transition. And we’re talking about technology that many businesses already have, like accounting software or complementary solutions that certainly don’t require an IT overhaul.
CFOs and their teams should start by conducting a risk assessment, if they haven’t already. This will help them understand any controls that don’t work or are less effective with a dispersed staff, like manual processes that rely on in-person communication and collaboration. The assessment will also pinpoint vulnerabilities that are of greater concern in a remote environment and help the finance team prioritize the financial controls that need to be adjusted right away.
Use a classic risk assessment framework to determine which controls, if any, pose a worrisome risk to your company:
|Low Impact||Medium Impact||High Impact|
|Likely||Medium Risk||High Risk||Very High Risk|
|Unlikely||Low Risk||Medium Risk||High Risk|
|Very Unlikely||Very Low Risk||Low Risk||Medium Risk|
Organizations should think about additional security risks from bad actors outside the organization, as well as new circumstances that could encourage fraud. They should give special attention to segregation of duties, as well as any employee turnover — including layoffs — or a change in responsibilities that could impair or break a key control. If your business had to eliminate positions due to the coronavirus, disgruntled former employees may be more likely to commit fraud or otherwise harm your business.
“With everyone working remotely and accessing more data, there’s more opportunity to manipulate that information,” Patricia Wellmeyer, an accounting professor at the University of California-Irvine’s Paul Merage School of Business(opens in new tab), said.
“This is an opportunity for companies that haven’t looked at which areas of their operations are more prone to error, fraud or theft, and to consider investing in technology that will automate some of their controls, knowing that relying on trust and employees can only take them so far.”
This internal audit will require input from and collaboration among stakeholders across the finance organization, from staff accountants to accounting managers to the controller and CFO.
If your company revises any financial controls, then document them and communicate those changes to the entire staff. As others learn about these new processes, they may point out oversights that will affect their ability to do their jobs, and you can address those problems quickly before they hurt productivity.
We talked to financial executives and other experts to round up a few suggestions for retaining financial controls in a remote world. This guidance should help your business as it completes this risk assessment and brainstorms strategies to keep effective controls in a remote environment.
While the shift to remote work was fraught with challenges for many small businesses, they were much better prepared for it than they would have been a decade or two ago, thanks to technological advancements and the growing popularity of remote work. This is especially true for companies that had finance departments spread across multiple offices or even countries.
Miles Partnership(opens in new tab), a full-service marketing agency for the travel and tourism industry, was one of those companies. Given the nature of its work, employees were often on the road meeting with its client base of visitors’ bureaus, state tourism offices and resorts before the coronavirus halted almost all business travel. Additionally, a few members of the accounting team already worked outside of its offices in Florida and Colorado.
“We have some employees who travel 200 days a year, so even before COVID, we had to have in place really good processes and controls and systems for people who are working remotely,” Miles CFO Dianne Gates said. "Prior to COVID, the FP&A team were working at home pretty consistently at least once a week. So it wasn’t a huge challenge when COVID hit. We just made the transition to work from home pretty seamlessly.”
Gates had already established controls that work in a remote environment by regulating access to the company’s cloud-based financial software. Her team was able to create roles with various permission levels in these systems, then build supporting workflows to manage the necessary approvals before any payments are submitted.
For example, in the accounting system, roles have been defined so that Miles account directors can only see financial results for the markets they’re responsible for, and the senior vice presidents above them can only view information for the markets that roll up to them. This prevents people from charging expenses to the wrong profit center, which would take money from someone else’s budget, or knowing the financial performance of groups for which they’re not responsible.
Additionally, Miles established clear approval workflows within an accounts payable (AP) automation tool that’s integrated with its core financial system. Managers submit invoices from vendors through the AP tool, then the AP team reviews those requests to ensure they have all the required information. The team knows who typically submit bills and for what, so it will flag any bills that seem out of the ordinary. At week’s end, that group compiles a list of invoices to be paid, which Gates reviews, then ultimately decides which invoices to pay.
Vendors will also send invoices straight to the AP department. As another control, the manager responsible for that invoice also needs to submit it through the system as a confirmation. If AP doesn’t receive that confirmation, it reaches out to the manager to make sure it’s a bill that should be paid.
For expenses incurred by employees, Miles has an expense management system that automates much of the process. When an employee submits an expense report, their manager must review and approve it before it’s routed to the AP team. Like with the other systems, managers only see expense reports they need to approve.
“Whenever possible, we try to take advantage of technology,” Gates said. “I think it decreases the data entry [work], the risk of error, and I think that it just continues to get people to … be forward-looking with how we can do things more efficiently, then think through the [steps] necessary to make sure that we have good financial controls in place when we are doing things electronically.”
“Whenever possible, we try to take advantage of technology. I think it gets people to … think through the steps necessary to ensure we have good financial controls when we are doing things electronically.”
—Dianne Gates, CFO, Miles Partnership
Checks often represent another important control for companies. For example, Miles keeps check stock and a signature facsimile stamp in two separate lockboxes, thus requiring two different employees to cut a check.
However, controls that involve physical checks aren’t feasible for everyone who works remotely. Before the pandemic, at least, checks were still a big part of doing business. Corporations with at least $5 million in revenue still write an average of 4.4 checks per day(opens in new tab), and industries like construction still make nearly half of their payments by check, according to a study from Biz2Credit. But without regular access to the company mailbox or check stock, many organizations have turned to digital payments.
Although most of Miles’ transactions were sent through ACH or wire transfers prior to this year, in March it encouraged all suppliers and customers to send paperless bills and payments, respectively.
There are steps your business can take to make digital payments just as secure as putting check stock and signature stamps behind lock and key:
Companies should require not only a unique login but also multi-factor authentication (MFA) for any portal or system that allows employees to approve or process payments. PDFs or other basic electronic documents won’t cut it.
Most people already have experience with MFA, which combines something you know, like a password, with something you have, like a smartphone, for added security with sensitive transactions. For example, to access certain websites, you might use a password, then be asked to enter a code or click a link sent via text or email. So if you start using an e-signature service to get required approvals from the head of finance, for example, make sure you activate MFA for an extra layer of security. If approvals happen in your accounting system, which could have a direct link to your bank accounts, then enable MFA there as well. This feature is built into most products today and should be simple to turn on.
Regardless of the platform used, digital payments should create a clear audit trail that records who approved which payments and when. That way, if accounting spots a fraudulent or questionable charge later, they can easily see how it got through.
As another way to prevent fraud, businesses ask their bank about “positive pay.” Traditionally used to avoid check fraud, positive pay entails a company giving its bank a list of payments to process, including the date, amount, check number and account number for each. If the bank receives a check that doesn’t match the list, it won’t clear it until receiving approval from the company.
Many banks now offer something similar for ACH transactions(opens in new tab). Businesses can provide a list of approved payees, with maximum dollar amounts and transaction volumes for each. As with checks, the bank will flag any request that doesn’t meet those parameters.
With potentially less oversight now, businesses should consider being more selective about who has the authority to make payments. At smaller organizations, in particular, there’s no reason to have more than a few authorized signers.
Miles has about 250 employees, but only three people have the ability to initiate wire transfers. MBO Partners(opens in new tab), a company that links independent professionals with enterprises that need their expertise on a contract basis, has a staff of more than 500 but still allows only three people to sign checks (the CEO, CFO and founder). If the organization is small enough, it may make sense to only give this authority to the owner.
In addition to reducing the number of employees who can send out money, MBO Partners CEO Miles Everson suggested small companies reduce the threshold for checks that need executive approval or two signatures. If any payments of more than $20,000 previously required dual signatures, for instance, the company might consider cutting that threshold to $10,000.
Requiring this approval prevents a large chunk of money coming out of your bank account at an inopportune time and allows for better cash flow management. That’s taken on renewed importance since the pandemic first caused a sharp economic downturn in the spring.
“It’s not just that it’s remote and dispersed — I think equally important is it’s a new control environment,” said Everson, who had an extensive career at PwC and served as the head of its global advisory practice before joining MBO. “I can argue dispersed vs. centralized and the pros and cons, but this is different for people and when you have a different environment that your employee base is not used to working in, you expose yourself to something going wrong. So you just tighten it down with the traditional controls that you have today.”
Companies could make similar adjustments to purchase order approvals. That will prevent an unexpected invoice from landing on the CFO’s desk down the road.
Strong financial controls can help protect your company against various types of cybercrimes, the most common of which are phishing attacks. An eye-catching 88% of businesses were the target of phishing in 2019(opens in new tab), and 65% were the victim of a successful attack, per a report from Verizon. In a typical attack, a bad actor sends an email that appears to come from someone high up in the company, like the CEO or CFO, requesting they process a payment, along with a false justification.
Employees may even be more likely to fall for such a scam when working from home. There’s no coworker in the next cubicle for a quick gut-check, and this request could easily be dismissed as part of the “new, remote normal.”
“With all of these external forces changing underlying operations and how work gets done, it really heightens the need to monitor and control processes,” Nourie said.
Protecting the company from such attacks starts with training employees on what to look for and establishing clear rules before they complete such a request. Everson suggests leaders show their staff actual examples of what a phishing email might look like.
“Training is massive with your employee base,” he said. “You never send anybody money that sends you a random request. It sounds so basic, but it happens every day.”
Spam filters and spam firewalls can quickly prove themselves prudent investments, as well, by never letting such an email get through or flagging it before anyone moves money. Make sure all of the devices that your employees use for work have these tools and any other security applications that protect against malware, like ransomware and trojans. If you purchased computers or other hardware for your employees in the early days of the pandemic that were never programmed by your IT staff, get them updated as soon as possible. The longer you wait, the higher the chance of a successful attack.
Companies can also establish clear rules for employees who find themselves in this situation. After Miles was the target of such a scam a few years ago, it required employees to confirm any such request by calling the individual who requested it. The chances of this scam working also fall if, as suggested earlier, only a few people have the ability to process payments.
Companies should also consider using email encryption as they send more sensitive information — particularly sales or other financial data — electronically. If a malicious actor intercepts an email in transit, encryption prevents them from accessing its content. Only the intended recipient can see the message and any attached documents.
Small businesses may be able to use a free encryption tool(opens in new tab), some of which will plug in to their email client. Companies that need to encrypt a larger volume of emails and have more than a handful of employees sending confidential data should look for a more scalable solution with additional functionality.
However, organizations can avoid the need to encrypt email at all by looking to use tools that encrypt stored data, including web-based cloud business systems that use HTTPS and MFA. The administrator can then simply give users access to these documents and reports as needed. Many data leaks happen when there’s “standing data,” i.e. data stored on employee devices or company servers, according to Everson.
Adopting these controls should give executives tighter reins on their business’s cash flow. That’s critical because, in Everson’s words, “liquidity is king” when the economy is shrinking. Beyond limiting the risk of fraud and theft, financial controls help business owners understand their cash position because they know when significant amounts of money are deposited and withdrawn from corporate bank accounts.
Everson and MBO’s founder now receive daily reports that predict the business’s cash needs for the next quarter in detail. Since the business uses many independent contractors, it sends out paychecks frequently, so this number can fluctuate from one day to the next.
“We have an extremely accurate model of liquidity forecasting right now — I could tell you within [a very small margin] the liquidity I need by day for the next 30 days,” Everson said.
The CEO believes companies need the ability to scale costs up and down quickly in this uncertain environment. As the economy recovers, or if it suffers another setback, organizations must be able to react accordingly — and quickly. Frequent updates on cash flow provide that ability.
In other words, strong financial controls can affect the resilience of your business during trying times.
“It’s financial control, but it’s also control of your ability to either manage liquidity in tight markets but then accelerate out as fast as possible,” Everson said. “I think of that as the big picture of control. You’ve got to be able to do both.”
As with any other change, there will likely we be some internal resistance when you put these remote-cognizant controls in place. At a small business, for example, employees may suggest measures to prevent fraud are unnecessary. But studies show companies with less than 100 employees are actually the most likely to lose money to fraud(opens in new tab).
“In small companies, they’ll say, ‘We don’t need all that stuff, we all know each other, nobody here’s going to do anything. We’re small, we’re under the radar screen,’” Everson said. But, “Lots of small companies lose money from bad people.”
Another common objection from employees is that these controls will simply get in the way of their work — that they’re a needless hassle. Don’t give in to that line of thinking, either.
“The cultural [response] is, ‘That just slows me down. I don’t have time to do multi-factor authentication,’ because they’ve never had to do it,” Everson said. “So it’s the change management of what the new behaviors are vs. what [your team was] doing historically.”
Leaders should not just stress the importance of these measures but also offer real examples of what could happen without these protections, Everson said. Those could be examples of phishing scam emails or statistics illustrating the effects of internal fraud at another company. Prove these are not just theoretical problems — they’re real concerns that have left other businesses with deep and lasting wounds.
The past eight months have pushed accounting teams to modernize their processes and lean more heavily on technology, particularly cloud software they can tap into from anywhere. It’s the only way to keep completing crucial tasks with workers sprinkled across home offices.
“I do think there’s been a lot of advancement in the last seven, eight months during COVID that probably wouldn’t have taken place in seven or eight years if it wasn’t forced to happen,” Gates said. “I think it’s caused a lot of businesses to rethink their business model.”
“I think there’s been a lot of advancement in the last seven or eight months that probably wouldn’t have taken place in seven or eight years.”
—Dianne Gates, CFO, Miles Partnership
Once finance teams find ways to set up their most important controls in a remote environment, they’ll be better prepared for any future events that threaten to derail their usual operations. They’ll know how to flip the switch and continue business-as-usual (albeit from home).
In other words, the work done now could prove valuable beyond this most recent disruption.
“The swine flu was 10 years ago, roughly. It will not be 10 years before we have the next big pandemic — it will be sooner,” Everson said. “So, how do you deal with lights-out operations on a moment’s notice? I think people have learned a lot — not just finance, but companies have, and they’ll be more adept to managing those lights-out situations.”