This article is taken from our quarterly bulletin, Canadian Overview, published by Canadian member-firms of Moore North America. The articles in our bulletin are a part of our mission to become the ultimate ally in your success by keeping you informed about current events.
For more than a year, businesses and individuals have been dealing with an exceptional situation that has required them to come up with equally exceptional responses. Businesses in particular have faced new challenges during the pandemic that have come with their share of operational and strategic changes. A key response is implementing appropriate organizational controls. Has your company done this?
Some companies have had to reduce their workforce, pivot to new activities and change their processes, policies and working methods. As a result, a number of oversight activities that are essential for proper functioning have fallen by the wayside, exposing businesses to new threats or compounding existing vulnerabilities.
Remote Working
When the pandemic began, many organizations had to quickly implement remote working due to lockdowns. However, they didn’t necessarily have the required structure, equipment and organizational controls in place to support an entire remote working system. For example, companies whose employees use personal devices for work, along with certain cloud-based software, are exposed to risks including loss of control over commercial/professional information and cyber attacks from phishing emails and malware.
- Organizations must arm themselves with policies governing IT use and remote working to outline what is and is not permitted.
- For example, these policies should specify that employees may only use devices supplied by the organization when working remotely and must do so according to established rules to avoid risks associated with personal devices. These risks include not installing security updates, using weak passwords and losing control of sensitive commercial and professional information. For more information on this topic, visit http://cyber.gc.ca.
- Organizations should regularly back up their information and ensure copies of these backups are stored in a secure location.
- In addition to developing policies, it’s essential to train employees, especially about the risks of using personal devices (phones, tablets, etc.) and the minimum security measures that should be put in place, such as creating strong passphrases and passwords. It’s also critical that employees be trained to analyze information received before clicking on any links in emails or opening attachments. Finally, companies must drill into employees the importance of only using secure wireless networks.
Ramping Up Business
With the announcement of new workplace cleaning and disinfecting requirements, organizations have had to look for new cleaning, maintenance and personal protective equipment vendors. This new reality, along with the eagerness to ramp up business, can push companies to quickly turn to new suppliers without going through the standard procurement controls. Bypassing these controls makes organizations more vulnerable to certain types of fraud, like overcharging or providing lower quality products for the same price. Have you carefully selected your suppliers? Some may even provide products or services that turn out to be fake or not approved. Pay careful attention!
At a minimum, organizations should verify new suppliers by ensuring they exist in public supplier databases, reviewing any ongoing litigation they may be involved in, talking with some of the supplier’s known customers to verify the quality of their services and their production and delivery capacities, etc.
Dealing with Layoffs
Several organizations had to lay off employees during the pandemic to cope with a decline in business. They need to remember that these employees may find themselves in difficult financial straits. This situation can create or worsen fraudulent behaviours like embezzling funds or accepting bribes. Some employees have also had their workloads increased and have been assigned new tasks which they don’t necessarily have the skills and/or knowledge to complete well.
- An organization can reduce the pressure on employees by demonstrating an open and understanding attitude, hosting virtual meetings to break social isolation, approving additional hours, being flexible with work schedules, etc.
- Companies should review their control policies to make sure that employees are only being assigned tasks they’re equipped to handle. They should also verify whether certain controls have been eliminated or aren’t being carried out because employees haven’t been trained.
- As an organization, it’s your responsibility to ensure that a lack of resources, time or other factors don’t force people to ignore or speed up certain administrative processes, such as awarding contracts.
What to Keep in Mind
New measures covering remote working, task distribution and employee and business supervision, along with significant layoffs, have created vulnerabilities within organizations that should not be taken lightly. Don’t compromise your work to maintain your business or get it back up and running by neglecting to manage new vulnerabilities and threats.
Ready to develop robust organizational controls?
This article will help you get started.
We’re here to help you proactively detect fraud indicators by examining transactions from past periods. In addition, we can assist you in designing and implementing an anti-fraud program, revising your administrative processes and updating your vulnerability assessment. Contact us today for more details.
Written by Jacqueline Lemay from Demers Beaulne. This document was written for our quarterly bulletin, Canadian Overview, published by Canadian member-firms of Moore North America.