The economic effects of the crisis are enormous. Short-time work is announced in many places. Even in auditing. However, this neglects one aspect: in this exceptional situation, companies are now exposed to very special risks - in contrast to "normal" times. And the audit department is taking a "break". How does it fit together? It doesn’t! We have asked around and put together eight risks worth mentioning. Have a look at these eights risks and how they may apply to your company.
During these times, a lot of distributed working is required, working from home for example. Business trips are out of question anyway. This means that familiar and prescribed work processes can no longer be carried out as usual. Therefore, there is a latent process risk, which can also (negatively) influence the "output" of the business processes.
We have initially formulated three phenomena concerning the influence on the organization of work in times of a state of emergency. Why don't you judge for yourself how you assess these phenomena in the context of your company?
How do you assess the following phenomena in your company?
Let us now turn our attention to the increased risks in companies. We have asked around to find out about relevant risks. During this process, we identified eight risks in company processes that could be of increased significance during the crisis.
At this point, I would like to point out that you can analyze the majority of the risks described below without any problems using zap Audit. To support you in these times, we offer you a zap Audit Professional license free of charge (offer has ended).
Risk 1: Increased use of one-time accounts (Conto-pro-Diverse or CPD) in accounts payable
During a crisis, different things must be procured quickly, which might not have been procured in the past. For new vendors, a vendor master record including bank master data must usually be created first. Everyone working from home, as there is no one there to ask questions, quickly takes the shortcut and skips the creation of the vendor master record for the time being and instead processes the liability via a one-time collective account. However, one-time transactions are often not transparent because a collective account combines many different business transactions.
Risk 2: Bypassing the accounts payable process (direct posting of expense to bank)
Procurements can also be carried out completely without vendor liabilities and open items. If you need to make a quick payment, pay cash or lay out the money and then post the expense directly to the bank. This procedure is likely to “leave out” the procurement process almost completely as well as all internal controls of the procurement system.
Risk 3: Circumvention of approval processes for procurements
This risk exists at the beginning of the procurement process. People who have been released are not available due to short-time work, have holiday due to overtime or similar, but business must continue. Approvals are given but not checked fully as they would be normally, due to time constraints.
Risk 4: Increased fake invoices
Many professionals are currently up to their necks. Who knows what will happen if the business partners are driven by necessity. Liquidity is the order of the day. Some suppliers may send fake invoices and nobody will notice in times of emergency.
Risk 5: Manipulation of vendor bank master data
Even employees quickly notice that economic impacts are approaching. This could "loosen up" morale and, in the sense of the fraud triangle, provide a motive to squeeze a little liquidity out of them and let them pay themselves like a supplier. In the chaos of the crisis, there will also be an opportunity for this.
Risk 6: CEO fraud (quickly pay a large amount of money by ad-hoc instruction)
CEO-Fraud is the big brother of the Grandparent scam. But CEO Fraud is about much larger amounts. Suddenly something must be paid, because there is a pressing need in the crisis: liquidity is everything. The CEO writes an email to their accountant with an urgent request to transfer the money to a reputable law firm, for example. Normal payment processes and controls are rushed through. Unfortunately, it was not the CEO who asked, although the email looked very authentic. In any case, the money is now gone.
Risk 7: Cyber-attacks (especially phishing and password theft)
Everyone is working from home and needs to access the systems remotely. Communication with colleagues is done via email and no longer in person. It is easy to fall for emails that ask you to change your password for a particular system. This means a hacker now has your password, potentially a malicious hacker.
Risk 8: Theft of current assets
All those who can, must work from home. But emergency staff are needed on site. With almost no colleagues present, the situation goes unobserved. That can be a problem, as nobody will notice if things happen…
Now it's once again your turn: are there any risks we should have mentioned?
We would love to hear your opinions on this subject, so feel free to comment below. We will come back to you with an evaluation in one of the next blog posts.
About the author:
Prof. Dr. Nick Gehrke is a member of the board of the Artificial Intelligence Centre Hamburg, and a professor and course leader at the Nordakademie Hamburg, and Co-Founder and Data Scientist at zapliance. He started zapliance after meeting Alexander Rühle at PWC and set their eyes on the same goal: Changing the way business professionals of the future work with data.