Tips for Mitigating Fraud Risks in a Remote Work World
With local, U.S. and world governments mandating temporary work stoppages and imposing limitations on travel and on the size and duration of group meetings to curtail the spread of the global pandemic, COVID-19, many workplaces have been forced to implement remote work environments under less than ideal conditions. As these limitations are lifted and businesses face an unpredictable future, many are continuing to offer employees flexible options and have found a new normal using remote technologies and services in everyday life. These changes to the routine work environment require businesses to take a second look at their current control processes and re-evaluate their effectiveness in deterring and preventing fraud.
The inherent nature of remote work allows for enhanced access to company systems and files, while increasing the exposure of company data to theft. Breaches of data or proprietary information could have detrimental impacts on business activities and result in financial repercussions, lost customers, reputation damage and even legal issues. Even if devices and files are password protected, fraudsters might gain access to them. Businesses that now limit employee interactions and have replaced verbal or formal written approvals with email or telephone calls may be especially vulnerable to impersonation and phishing activity. Phishing attacks are widely recognized as the top cause of data breaches. Fraudsters can easily send fraudulent emails that seem legitimate, with malicious links, attachments or instructions, and that appear to come from executives or even your own IT department. Businesses should evaluate their IT policies and procedures, general systems and controls, with a strong focus on what access employees need and how to secure connections with remote workers so that data and networks are not at risk. It is essential that employers review their wire and disbursement policies to ensure there is no room for unauthorized transactions. System access and permissions should be based on roles and job responsibilities, including limiting administrator credentials on company hardware. While it may be more costly up front to provide company computers, increase firewall and system security and offer secure network options for remote employees, doing so can provide greater protection in the long run, which can be invaluable.
Another concern when transitioning to remote employees is the risk of time and payroll fraud. A certain amount of trust needs to be placed in remote employees to accurately record their time, and while most employees are honest, some may take advantage of the lack of oversight. Time theft can decrease employee productivity, which in turn can lead to actual financial losses for your company. Remote work also makes monitoring payroll processing controls more challenging. The key control of segregation of duties around the disbursement cycle – such as writing and signing checks – is tricky to implement when employees are not in the same location. Current controls and processes, as well as the actual processes that were implemented during this time, should be re-evaluated to ensure proper measures are in place to mitigate and prevent the risk of fraud. Supervisors should check in with remote employees throughout the day and be required to provide formal approval of records, especially timesheets and overtime. Other key controls to review and implement during remote work include frequent reconciliations of balance sheet accounts, rotating tasks within departments and restricting access to records based on roles and responsibilities.
With the potential for future restrictions on group settings and increased remote work flexibility going forward, it is important to take this time to review your current internal controls and remote policies and procedures to determine whether there are any potential vulnerabilities. Re-assess your company’s security needs and continue to encourage employees to follow cybersecurity best practices and to be on even higher alert for suspicious calls, emails, links and more.