Five Internal Control Modifications Needed in Response to the ‘New Normal’

Some organizations’ internal control frameworks and operational processes did not skip a beat when faced with the disruptions caused by COVID-19. Especially those who had already implemented cloud-based systems and remote-enabled processes. Others were forced to “change the tire while driving.”

During this pandemic, organizations have been challenged by processes executed with fewer people and less access to offices and normal systems.

AAFCPAs’ Business Process & IT Consulting practice has provided five best-practice recommendations to help clients effectively achieve control maintenance and acceptable processes for assurance of data integrity:

Segregation of duties.

Then and now, a fundamental element of internal control is the segregation of certain key duties. However, and for example, a simple yet key internal control challenge that arose early in pandemic quarantine was the issue of mail collection. As we know, the person getting the mail should not be the same person in charge of documentation or approvals. As we were hurled into the disruption of COVID-19, business processes had to change on the fly to achieve a reasonable new flow of information collection and approval. To ensure fraud risk is mitigated, AAFCPAs advises clients to reassess employee responsibilities as they relate to processes that affect internal control over financial reporting. In many cases, this may easily be addressed by modifying role permissions in your software. Most modern cloud systems allow for restricting access to some users to maintain a separation of duties.

Paperless AP.

There has never been a better time for finance departments to transform from paper to paperless accounts payable processes. Most vendors offer digital billing, and many may even offer incentives to go paperless. Additionally, online bill pay may be achieved remotely, and cut the costs of paper checks, envelopes, postage, and production time.

This transformation requires a reconfiguration of your controls that had once been designed around paper process. Depending on the vendor and your system, bills may be emailed to a central AP email, and the electronic invoice (PDF) can then be entered into an electronic approval routing. Most systems permit custom workflows that allow for the appropriate segregation of duties, all achievable by a remote workforce. You may then easily pay each bill through electronic checks or EFTs without having to manually sign, fold, or stamp anything. Systems may be configured to require approvals prior to dispatch, again to provide the appropriate level of internal control.

Documentation trails.

When adjusting your workflow for remote processes, AAFCPAs advises clients to ensure you have detailed documentation of transactional activity during this period, showing exactly who does what and when, from invoice received to month close. Additionally, while efficiency remains a priority, we advise clients to design and implement the most conservative controls to control risks.  AAFCPAs advises clients to keep more documentation than you think may be necessary to err on the side of caution. Your auditor will appreciate your diligence in documenting what changed, as well as new data sources and approvals.  If you have any questions about a change in process and the appropriate controls, feel free to reach out to your AAFCPAs Partner for assistance.

Detective controls.

Typically, organizations have two types of controls: preventative and detective.  In the “old normal,” most organizations emphasized preventative controls designed to avoid errors or fraud in transactions before they occur. Now, in the “new normal,” organizations are challenged to do more with less resources. While resources are constrained, AAFCPAs advises clients to look at adding detective controls to identify errors or fraud after they have occurred. For instance, if you lack staff to ensure the appropriate segregation of duties, run reports often to review what has transpired across all business lines.  Perform more frequent bank reconciliations to monitor account activity. Additionally, ensure there is employee awareness about detective controls, which itself is a deterrent of fraud.


AAFCPAs advises clients to analyze, anticipate, and close gaps on your controls and systems so you are better prepared for the unexpected, like the novel Coronavirus. Evaluate what your challenges were this time: Which systems needed to change?  What information could be transacted electronically?  How were your operations, processes, and resource allocations altered, and are there benefits that warrant permanent change? Many clients have realized that remote working has significant benefits, so make sure your controls are adequate to support this permanent change.

Inarguably, these past few months have been a challenge, but they have also pushed us to rethink the way we work. This has been a learning experience for us all, and the challenges posed by COVID-19 have led many organizations to achieve process and system improvements that add to long-term efficiency and sustainability.

If you have any questions, please contact Robyn Leet, Manager, Business Process & IT Consulting, at 774.512.4010,, or your AAFCPAs Partner. AAFCPAs’ Business Process & IT Consulting practice advises clients on implementing pragmatic changes that have immediate impact.

About the Author

Robyn Leet
Robyn brings over 20 years of continuous business process improvement and internal controls experience to AAFCPAs’ diverse clients. From her beginnings as an auditor in public accounting, she learned the fundamentals of business requirements and frameworks. This knowledge was applied to further her impact in her roles as Controller in private, closely-held businesses. These opportunities have bolstered her broad exposure to businesses in multiple stages of growth and with varying levels of needs to validate her insight into the inner workings and requirements of business operations and functions, always looking at the big picture and keeping the client in scope.