The COVID-19 pandemic brought the prevalence of remote work and electronic teamwork to a new level. When changes of this magnitude occur, organizations must update their internal controls to reflect the new environment.

There are five components to an internal control system –

Control Environment

Management dictates the control environment in an organization. With more workers working remotely than ever, it can be more challenging to feel connected to your team, especially when you may never even meet an employee in person. There are many different ways to reach out to employees in an electronic environment and scheduling these interactions can be extremely helpful. Weekly check-ins or virtual happy hours can be a great way to include new staff and allow them to understand who they are working with and build trust within the organization.

Risk Assessment

Risks are forever changing and can come from both internal and external factors. After such a drastic change as transitioning staff to a remote work environment or moving a team back into the office for a hybrid approach, this would be a great time to reassess the risks to your organization. What has changed? Which risks require less attention now, or what areas should you focus on in this new environment? Engaging your team in these risk assessment meetings is crucial to maintaining your internal control system.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. With electronic systems and staff working from home, how can these be adapted, so they still work correctly? For example, think of the bank reconciliation process. There should be separate people entering data into the accounting system, preparing the bank reconciliations, and reviewing them. Maybe the reconciliations were previously prepared on paper but are now being prepared in QuickBooks. How can management sign off that they have reviewed and approved with an electronic document? Utilizing separate user logins, using digital signatures on PDF documents, or even setting up a monthly email stating approval are different ways this control can be adapted in a remote/electronic environment and still work correctly. Control activities are the day-to-day activities that make up most of an employee’s time, so there needs to be a significant focus on this area.

Information and Communication

The information and communication component consists of identifying and capturing relevant information and communicating it in a format and timeframe necessary for employees to carry out their respective responsibilities. These days, organizations have had to quickly adapt to a remote work environment, which can open the door to fraud and other security risks. Information still needs to be presented promptly, but at what cost? Access to servers should be limited, VPNs and passwords for those working from home must be prioritized, and vacant offices must be monitored. Even if the new process or procedure works, security needs to be analyzed and verified to keep the system safe.


When an organization has made changes and attempted to put new controls in place to adjust to its new work environment, it’s time to verify those new controls are working correctly and as expected. In the Monitoring stage, check in with your teams, assess what is going right and what may not be working, and adjust processes as necessary and promptly. The quicker mistakes are caught, the less devastating the results will be if errors are present.

The changes that have come about in the last two and a half years have been significant. Adapting your business to these changes will be the main priority. However, your organization’s internal control environment will also need to be modernized. It may seem like a challenge, but updating your internal controls today will have a long-lasting impact on your organization in the years to come.

By Elyse McMillen, CPA