How to adapt compliance frameworks to the 'new normal'
Travel restrictions and remote working brought about by Covid-19 coupled with the economic downturn create ripe opportunities for new compliance risks to form. With no end in sight for the pandemic, it appears that these risks and challenges could prevail for some time yet. Keith Williamson, Head of Disputes & Investigations at Alvarez & Marsal in Asia, reflects on the need for an adapted approach.
A key risk of remote working and travel restrictions is a weakening of existing compliance controls and hindrance to forensic investigations. With the prevention of in-person site visits, interviews and access to original documentation, internal audits and investigations are facing major challenges and delays.
To stay in control, companies are advised to put in place a ‘Compliance Continuity Plan’ and adapt existing compliance frameworks and policies. Eight practical steps to take:
1. Ensure compliance, audit and investigation activities are conducted remotely and effectively
In order to achieve this, compliance teams must arrange to have remote access to accounting and transactional data. Access to such data is always essential in performing investigations and not all organisations may be prepared for remote connectivity of such a scale. IT teams may have to improve existing IT frameworks to meet this aim.
2. Consider postponing in-person interviews or training and partnering with local resources remotely
Where experienced audit and investigation teams cannot travel to conduct on-site investigations and in-person interviews, remote interviews via tele-conferencing may be the next best thing. This may suffice for interviews that are not key to investigations (for example, informational interviews to understand processes and controls). However, with key interviews aiming to establish knowledge of key individuals or facts and challenge any contradictions, remote interviews can pose major hindrances.
Challenging questions could be met by interviewees with connectivity excuses in order to buy time, and body language is more difficult to assess. Careful consideration therefore needs to be given to whether to postpone until in-person interviews are possible. Otherwise, pressing ahead with remote interviews or partnering with local resources to conduct interviews are the next best alternatives.
3. Remote scrutiny of transactions to ensure segregation of duties
Prior to the pandemic, companies with limited local operations have been able to ensure segregation of duties and adequate oversight by senior management who travel across regions and multiple offices. The pandemic has put a stop to all this travel and companies must reconsider how they can continue to perform these functions remotely where they have limited resources to adequately segregate key requisitioning, ordering and payment processes locally.
Remote scrutiny and approval by knowledgeable senior resources is essential to ensure compliance continuity.
4. Obtain additional independent corroboration when examining scanned or copied documentation to ensure authenticity
During investigations, original documentation enables better assessment of authenticity compared to copied or scanned documents. To work around this, additional independent corroboration should be obtained by seeking independent third-party evidence wherever possible.
5. Increase the use of technology to augment compliance frameworks
Cyber security and data protection risks increase significantly when employees work remotely and may use personal electronic devices to connect. Compliance frameworks need to be equipped to safeguard against emerging cyber risks. This means investing in trusted and secure software that is regularly tested in order to protect company data and communications. Any vague or absent provisions regarding company access to data stored on employees’ personal devices need to be urgently addressed.
6. Establish trusted and effective whistle-blower channels
The Certified Fraud Examiners’ 2020 Report continues to highlight how most frauds come to light through tip-offs from whistle-blowers. With the second highest channel, Internal Audit, possibly being hamstrung by the inability to travel and conduct effective audits, the whistle-blower channels become more important.
However, still a third of whistle-blowers do not trust established reporting channels, preferring to report directly to their supervisors instead. Since remote working could impede such direct reporting, companies must ensure that the whistle-blower channel is effective and trusted by employees by addressing concerns of anonymity and confidentiality.
7. Roll-out training and communication for “new normal”
Instilling a ‘culture of compliance’ has always been at the heart of a Compliance Framework, but with teams working remotely in a fragmented fashion, a vacuum in the compliance culture may appear. To combat this, companies should ensure training remains effective and engaging if done remotely, and employees are trained to handle new risks resulting from the pandemic’s “new normal”.
8. Enhance case assessment and triage or prioritise according to level of risk
Finally, with potential delays impeding investigations, compliance teams will need to better prioritise fraud alerts through case assessment and triage. This will involve weighing risks up and categorising them according to levels of threat to the organisation, and allocating resources appropriately.
In conclusion, compliance risks are inevitable in the current pandemic and global economic environment. Given the significant challenges in mitigating these risks, it is now more important than ever that companies revamp their compliance frameworks to adapt to this “new normal”.