To identify best practices for strengthening internal controls in a hybrid workplace, it’s important to make the distinction between a process and a control.

A process completes or performs specific functions or procedures, while a control prevents a process from operating improperly or detects when it fails.

Controls minimize errors and ensure that the process runs right. An internal control can be a combination of people, processes, and systems; a deficiency in any area can lead to weaknesses.

In a remote working environment, not-for-profit organizations may need to pivot these processes and controls in some way to maintain their efficacy.

A hybrid workplace is a developing norm that combines in-office and remote work, letting employees manage their own workflow while having opportunities for in-person collaboration. Google, Amazon, and Facebook have adopted policies offering some form of hybrid or remote work to employees.

For a more detailed perspective on the pros and cons of the hybrid workplace model, please read our article.

As a result of the declaration of emergency, many organizations went remote quickly and adapted their current controls and processes for a remote setting. In many cases, they couldn’t revise policies fast enough to adapt.

It’s a good time to review and revise policies and procedures, considering criteria for onsite and remote operations. In many cases, limited human resources constrain organizations regardless of increasing demand in productivity.

Ensuring maintenance of segregation of duties and new software implementation, where feasible, can increase productivity and controls even in these challenging times.

A record number of employees now work remotely or onsite part time, which makes them more reliant on virtual private networks (VPNs). This exposes normally onsite devices outside the workplace environment to the internet’s inherent threats.

The likelihood of a malicious cyberattack during a major disruptive event like the COVID-19 pandemic increased given both recent ransomware and distributed denial-of-service (DDoS) trends and the increased exposure of systems while employees work remotely.

These attacks have greater impact because response and recovery time tends to lag when employees work across multiple locations—and organizations rely more on IT systems.

Many organizations still depended on physical access to fix configuration issues as well, so quarantine or shelter-in-place policies limiting IT teams’ access to servers and network devices further delayed incident response and troubleshooting efforts.

For more information on how to identify potential cyberthreats, please see our article.

Because the nature of every organization differs, this can’t be a panacea.

Management should develop policies and procedures collaboratively, taking into consideration the expectations between hybrid and remote teams and which processes and controls can shift to different staff, while maintaining segregation of duties.

You can create new policies and procedures with the following considerations.

Risk Assessment

First, devise a rating scale from low to high and brainstorm risks to the organization financially and operationally, as both have a significant impact.

Evaluate each risk and decide on controls and processes you could implement to mitigate the risk.

Implement controls and processes as above, and schedule time to review and revise the risk assessment periodically, as risks change.

Segregation of Duties (SOD)

This principle divides responsibilities within a critical process. Many organizations maintain SOD surrounding the cash cycle, as this is easiest to identify.

Segregation of duties should apply anywhere feasible, including but not exclusively:

• Investments
• Contributions
• Payroll
• Net assets
• Financial close and reporting

It’s imperative to review roles and responsibilities within each cycle, including IT. Perform on a periodic basis and revise accordingly.

Automate Security Processes

Security automation underpins prevention, detection, investigation, and remediation of cyberthreats.

According to the IBM Cost of a Data Breach Report 2020, malicious attacks cause 52% of breaches and 80% involve breaches with customer personal identifiable information (PII).

Success rides on containing and resolving issues quickly, especially considering the wealth of confidential donor information organizations maintain.

Disaster Recovery and Business Continuity Planning

Disaster recovery plans ensure that business operations can continue to thrive through a period of disruption. Examples include natural disaster, emergency, or a cyberattack.

Identify key operations, functions, and processes. Determine acceptable downtime for each key function, operation, or process and define a plan.

The plan should detail components and strive for minimal interruption when it’s time to share throughout the organization. Hybrid and remote workplaces can cause additional delays in disaster recovery if an organization isn’t adequately prepared.

After arriving at new policies and procedures to best suit your organization, be certain to implement controls according to design. This step, though last, is just as important as the design of new policies and procedures.

For further guidance, see our article on how IT controls testing can help protect data in a post-COVID-19 workplace.

Though we focused on many of the risks with a hybrid or remote workplace, there are benefits and efficiencies within this environment. Employees can engage more and can work during hours they find more productive.

With less facility needs, operational costs can decrease as a result, and when hiring, in some cases, you have a larger pool of candidates.

You can easily adapt to hybrid workplaces, create flexibility, and enhance work-life balance for employees.