Managing the Risks of Remote Accounting Work

Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Gallagher Affinity provides this column for your review. For more information about liability issues, contact Irene Walton at irene_walton@ajg.com.

When managing a virtual workforce, building a remote-work policy is crucial. This document must spell out the objectives of virtual work teams and define which employees are eligible and the conditions under which they should work. After that, according to Gallagher risk experts, managers need to address operational concerns:

• Set clear expectations – Make sure your teams are clear on project deadlines. They must also understand the expectations concerning working hours.
• Treat remote employees as local – Because your remote employees won’t have a chance to see you in the office, respond to their communications as soon as possible. Make sure all team members are included in meetings to which they would have been invited if in the office.
• Build rapport – You hopefully had a chance to build strong relationships before your team began working at home. If not, you’ll have to play catch-up. Check in to see how they’re doing and how their families are faring. Rapport doesn’t come from collaborating on work projects; it develops slowly as you come to know and trust your staff and vice versa.
• Devise a communications strategy – Decide how many check-ins you’ll want to have with employees, and determine a procedure for raising project-related issues between formal check-ins. This assures timely resolution of problems.
• Reinforce mission and purpose – Unprecedented pandemic challenges don’t mean your firm’s mission and purpose are no longer relevant. If anything, they’re more important. So, during check-ins, tie employee accomplishments back to the firm’s mission and purpose. This will keep people motivated and productive.
• Be open about challenges and problems – Don’t whitewash obstacles. Communicate openly with remote employees about anything that hinders work. Then provide them with the tools and support needed to push through those barriers.
• Make time for small talk – When connecting with your team, consider starting virtual staff meetings with watercooler banter, but avoid anything controversial or divisive. Just give team members a chance to talk about what’s going on in their remote work lives, including what’s working and what needs improvement. Then move on to normal discussions of projects and deadlines.
• Provide training – Don’t assume everyone knows how to work remotely. Some will face a steep learning curve, especially regarding effective time management. If needed, arrange for training to help those in need resolve process or technology hang-ups.
• Don’t postpone development – During the pandemic, employees have been unable to attend in-person professional development opportunities. Don’t wait for the pandemic to be over to resume training. Touch base to see if they might benefit from more training, then recommend relevant, safe opportunities.

Building a policy and addressing the above concerns will lay the foundation for effective remote work. However, you also must address the risks of working from home. Two big risks are cyberliability and data breaches as well as remotely performing high-quality audits.

Cybersecurity Implications

In the initial months of the pandemic, there was a rush to move employees offsite with, perhaps, a loosening of strict cybersecurity standards. The result was easy to predict: there was a 300% increase1 in accounting-firm cyberattacks, according to Black Talon Security LLC. CPA firms have learned a hard lesson: hackers can penetrate their systems, lock them out, and steal their data despite firewalls and antivirus software being in place.

“Firewalls and antivirus software are no longer enough to protect your network,” says Gary Salman, CEO of Black Talon. “You need additional steps, such as vulnerability scans, penetration testing, and cybersecurity awareness (staff) training to prevent ... disastrous attacks from occurring.”

The good news is that many firms’ tech-security teams have beefed up protocols and focused on helping remote staff adhere to best practices. The goal is to address the risks of unsecure networks, phishing attacks, computer sharing (and personal use), and mobile devices containing work product. Here are some guideposts to help ensure optimal remote security:

• Increase virtual private network (VPN) capacity – Most CPA firm VPN structures had anticipated only a minority of employees using the system. When most of the firm hops on board, that can be problematic. While a firm works to expand VPN capacity, it may need to allocate use in shifts until VPN capability becomes more robust.
• Make sure all devices and apps are current – Require all staff to run patch updates so their devices run the latest firmware and security versions.
• Increase staff security training – One can’t overstate the need to promote computing hygiene. With so many incidents of social-engineering scams that target naive or sloppy workers, it is essential that CPA firms make security training a high priority for employees working from home or other nonfirm locations.
• Give clear guidance on approved practices – IT departments must aggressively communicate acceptable computing practices and discourage unacceptable ones. For example, companies should make it clear that logging on to company resources from public networks is unacceptable. The same should hold true for using prohibited applications or other risky tools.
• Encourage use of cloud solutions for file management – With services such as Google Drive and Dropbox, there’s no longer any reason to use risky storage media, such as USB flash drives.

Risks of Remote Auditing

Normally, CPAs have close contact with client staff to facilitate the information sharing needed for an audit. With CPAs now largely working remotely, the already challenging task of preparing financial statements has become even harder.
Part of the problem is the emergence of “black swan” issues that may have reshaped a client’s business during the pandemic. These include loss of revenue, supply chain disruption, and weakened internal controls. With so many fundamental changes, auditors must think critically about the quality of client-supplied data. Plus, if clients had to use different analytical methods during the pandemic, start questioning the ability to make “apples-to-apples” historical comparisons.

When the people who handle financial transactions and reporting at the client can’t work in their offices – and must do work-arounds – auditors must secure additional evidence that controls are working to prevent material misstatements in the financial statements.

Furthermore, certain accounting issues suddenly became much more relevant during this period:

• Impairment of tangible and intangible assets
• Investment valuation
• Financial and credit instrument losses
• Contingent liability
• Revenue recognition

Auditors must assess whether their clients have the capacity to continue as a going concern under GAAP and whether or not financial statement adjustments (or further disclosures) will be needed due to the pandemic.

CPAs must continue to be uncompromising regarding remote audit standards. “We can’t just cave on our commitment to quality, adherence to our standards, and our level of service to our clients,” says Jodi Malis, CPA, CGMA, of Hancock Askew & Co. LLP in Atlanta. Speaking to the Journal of Accountancy,2 she said, “We can’t make excuses. We need to think through how we are executing our remote audits... what’s a different way we can perform our procedures while offering a personal touch.”

Not only will CPA firms have to work harder at complying with audit documentation standards, Malis notes, but they must also carefully manage audit team virtual interactions and those with clients.

As with every other way they’ve responded to the pandemic, CPA firms understand the benefits of flexibility, creativity, and a sustained focus on audit quality. No one knows exactly what happens next, but the lessons learned will be powerful assets going forward.

1 Gary Salman, “The Rise of Cybercrime in the Accounting Profession Continues,” Accounting Today. https://www.accountingtoday.com/opinion/the-rise-of-cybercrime-in-the-accounting-profession-continues

2 Ken Tysiac, “Remote Auditing Comes to Forefront during Pandemic,” Journal of Accountancy. https://www.journalofaccountancy.com/news/2020/mar/remote-auditing-during-coronavirus-pandemic.html

Irene M. Walton is vice president for the Greater Philadelphia area at Gallagher Affinity. She can be reached at irene_walton@ajg.com.