The economic effects of the crisis are enormous. Short-time work is announced in many places. Even in auditing. However, this neglects one aspect: in this exceptional situation, companies are now exposed to very special risks – in contrast to “normal” times. And the audit department is taking a “break”. How does it fit together? It doesn’t! We have asked around and put together eight risks worth mentioning. Have a look at these eights risks and how they may apply to your company.
During these times, a lot of distributed working is required, working from home for example. Business trips are out of question anyway. This means that familiar and prescribed work processes can no longer be carried out as usual. Therefore, there is a latent process risk, which can also (negatively) influence the “output” of the business processes.
We have initially formulated three phenomena concerning the influence on the organization of work in times of a state of emergency. Why don’t you judge for yourself how you assess these phenomena in the context of your company?
How do you assess the following phenomena in your company? Employees no longer see each other face-to-face to reassure each other that facts are correct.*
- No problem at all
- Could potentially be a problem
- Is a problem for us
Employees do not work efficiently when working from home, technically and/or process-wise, because it is unfamiliar.*
- No problem at all
- Could potentially be a problem
- Is a problem for us
Employees seize the opportunity for opportunistic behavior (neglect working hours, unobserved moments in the company, etc.)*
- No problem at all
- Could potentially be a problem
- Is a problem for us
Let us now turn our attention to the increased risks in companies. We have asked around to find out about relevant risks. During this process, we identified eight risks in company processes that could be of increased significance during the crisis.
At this point, I would like to point out that you can analyze the majority of the risks described below without any problems using zap Audit. To support you in these times, we offer you a zap Audit Professional license free of charge (offer has ended).
Risk 1: Increased use of one-time accounts (Conto-pro-Diverse or CPD) in accounts payable
During a crisis, different things must be procured quickly, which might not have been procured in the past. For new vendors, a vendor master record including bank master data must usually be created first. Everyone working from home, as there is no one there to ask questions, quickly takes the shortcut and skips the creation of the vendor master record for the time being and instead processes the liability via a one-time collective account. However, one-time transactions are often not transparent because a collective account combines many different business transactions. How do you assess the risk of increased use of CPD accounts payable accounts in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 2: Bypassing the accounts payable process (direct posting of expense to bank)
Procurements can also be carried out completely without vendor liabilities and open items. If you need to make a quick payment, pay cash or lay out the money and then post the expense directly to the bank. This procedure is likely to “leave out” the procurement process almost completely as well as all internal controls of the procurement system. How do you assess the risk of bypassing the accounts payable process in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 3: Circumvention of approval processes for procurements
This risk exists at the beginning of the procurement process. People who have been released are not available due to short-time work, have holiday due to overtime or similar, but business must continue. Approvals are given but not checked fully as they would be normally, due to time constraints. How do you assess the risk of circumvention of approval processes for procurement in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 4: Increased fake invoices
Many professionals are currently up to their necks. Who knows what will happen if the business partners are driven by necessity. Liquidity is the order of the day. Some suppliers may send fake invoices and nobody will notice in times of emergency. How do you assess the risk of increased fake invoices in your company?
- No higher than usual
- Increased risk
- Strongly increasedd risk
Risk 5: Manipulation of vendor bank master data
Even employees quickly notice that economic impacts are approaching. This could “loosen up” morale and, in the sense of the fraud triangle, provide a motive to squeeze a little liquidity out of them and let them pay themselves like a supplier. In the chaos of the crisis, there will also be an opportunity for this. How do you assess the risk of manipulation of vendor bank master data your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 6: CEO fraud (quickly pay a large amount of money by ad-hoc instruction)
CEO-Fraud is the big brother of the Grandparent scam. But CEO Fraud is about much larger amounts. Suddenly something must be paid, because there is a pressing need in the crisis: liquidity is everything. The CEO writes an email to their accountant with an urgent request to transfer the money to a reputable law firm, for example. Normal payment processes and controls are rushed through. Unfortunately, it was not the CEO who asked, although the email looked very authentic. In any case, the money is now gone. How do you assess the risk of CEO fraud in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 7: Cyber-attacks (especially phishing and password theft)
Everyone is working from home and needs to access the systems remotely. Communication with colleagues is done via email and no longer in person. It is easy to fall for emails that ask you to change your password for a particular system. This means a hacker now has your password, potentially a malicious hacker. How do you assess the risk of cyber-attacks in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Risk 8: Theft of current assets
All those who can, must work from home. But emergency staff are needed on site. With almost no colleagues present, the situation goes unobserved. That can be a problem, as nobody will notice if things happen… How do you assess the risk of theft of assets in your company?
- No higher than usual
- Increased risk
- Strongly increased risk
Now it’s once again your turn: are there any risks we should have mentioned? Do you see any other special risks? Let us know!
We would love to hear your opinions on this subject, so feel free to comment below. We will come back to you with an evaluation in one of the next blog posts.
Stay healthy!
Nick Gehrke
