mission essential internal controls - deloitte · 2021. 7. 31. · mission essential internal...

Respond, Recover, Thrive - Mission Essential Internal Controls Insights for Federal Finance and Internal Control Leaders


Post on 03-Sep-2021


COVID-19 has brought significant disruption to agencies and impacted their normal course of business, including operation of their internal controls. Agencies need to continue to provide an annual assessment of internal control over external financial reporting in accordance with OMB A-123.

RESPOND – What Can You Do Now?

In the midst of a crisis, focus on your people and their safety; however, know that there continues to be a need to assess the agency’s internal control over external financial reporting. Answers to the following questions can help you evaluate your existing control environment and identify the relevant impact:

What are your mission essential functions (MEFs) and controls? Identify, document, and evaluate MEFs and related controls to determine if they are operating effectively.

Do you understand the impact of changing regulations on your organization? Understand changing regulations, as these will impact your agency’s response to the crisis, and your ability to adapt efficiently can help prioritize resources.

Do you have the tools and technologies to effectively monitor emerging risks during the pandemic? Leverage technologies to track emerging risks and monitor and maintain an effective control environment during this time. Examples include technologies that can easily aggregate data, automate monitoring, and facilitate data visualization and dashboarding.

What processes and procedures are reliant on an “on-site” presence and does your team have appropriate access to execute MEFs? Identify and document controls requiring on-site presence or information. Determine whether there are risks to not performing these tasks or performing them in an alternate manner. Identify mission essential systems and assess whether appropriate individuals have access.

What is missing in your current internal controls framework? Document day-to-day disruptions experienced as a result of COVID-19 to help mitigate them on a go-forward basis.

What is the impact to your stakeholders? Identify internal and external stakeholders to your agency, including those charged with governance, oversight bodies and third-party service providers. Determine how each is impacted by the crisis.

What have you communicated to your stakeholders? Clear and frequent communication to stakeholders about expectations, potential impacts and issues is key. Inquire and document the needs of your stakeholders to help inform your communications.

Are policies and procedures in place and adaptable to the current environment? Make policies and procedures readily available to your employees and be clear on workaround protocols. Identify and document updates required to policies and procedures.

Have you seen a change to your internal controls as a result of your pandemic response? Agencies should take this opportunity to evaluate and improve their internal control framework to be better equipped to handle a crisis and reemerge as a stronger organization.

RECOVER – A Refreshed Internal Control Framework

You have an opportunity to refresh your organization’s internal control framework after encountering such a “black swan” event. Incorporate lessons learned from the COVID-19 pandemic into your internal control framework now before they become an afterthought. Those charged with governance have a vested interest in understanding how the pandemic affects the control environment and whether the internal controls are operating effectively during the crisis. Below is a framework to consider for incorporating risks and controls arising from black swan events into your internal control framework.

People Risks

Factors to Consider:
• Are you allocating resources to appropriate control activities?
• Are backup personnel needed to support control activities?
• Do employees have access to critical systems to support control performance?
• Does the event create new incentives or opportunities for committing fraud?

Examples of response to manage risk:
• Align resources to mission essential processes and controls
• Provide training, onboarding, and access to policies and procedures
• Make new or alternate control performers aware of responsibilities
• Review whether segregation of duties is still in place
• Update delegation of authority policies as appropriate

Operational & Supply-Chain Risks

Factors to Consider:
• Do highly manual processes require workarounds?
• Is appropriate evidence of control operation available?
• Will the increased focus on pandemic response alter control oversight?
• Can controls be remotely tested for operating effectiveness?
• How does the crisis impact your organization’s supply chain network?

Examples of response to manage risk:
• Leverage the certifications process to understand changes to processes and controls
• Confirm control processes and narratives are current
• Identify compensating and monitoring controls to mitigate risks arising from control deficiencies
• Consider whether operating effectiveness can be tested through automated tools, batch jobs, or other non-manual testing methods
• Determine whether changes to supply chain processes warrant additional controls

Technology Risks

Factors to Consider:
• Will network disruption impact performance of control activities?
• Are change management and logical access controls still able to operate effectively?
• Are there information technology controls that are more susceptible to failure?
• Is there an increased opportunity for cyber breaches and threats?

Examples of response to manage risk:
• Enhance monitoring of the corporate network due to remote users’ insecure home networks
• Increase monitoring of exception reports and reconciliations
• Increase monitoring of user access and requests for system access
• Increase intrusion monitoring and cybersecurity awareness/training

Internal Control Framework: Key Considerations

Plan and Scope
• Identify mission essential focused risks
• Incorporate pandemic response and post pandemic environment into your risk assessment
• Update your identified fraud risks and incorporate emerging risks as a result of the pandemic environment
• Determine the likelihood and severity of these risks
• Categorize, prioritize, and rank risks based on impacts to the mission

Documentation
• Identify and develop mitigation strategies and controls to address risks
• Identify gaps to existing controls to address mission essential risks
• Update your narratives and/or process flows to address mission essential risks and controls
• Incorporate procedures and controls that were performed in the response to this pandemic


Third-Party Risks

Factors to Consider (continued):
• Are third-party service providers still operational?
• If third-party service providers’ services are interrupted, are alternate oversight procedures in place?
• Is there appropriate third-party security against cyberattacks?

Examples of response to manage risk (continued):
• Evaluate the impact to third-party operations, including sub-service providers
• Assess changes made to their control environment and if additional oversight is required
• Inquire about third-party and sub-service providers’ cybersecurity processes

Governance Risks

Factors to Consider (continued):
• Is the board able to perform its responsibilities?
• Is the required financial reporting timeline impacted?
• Can the organization still meet the applicable regulatory reporting requirements?
• Are there new regulatory requirements?

Examples of response to manage risk (continued):
• Increase communication to the board to facilitate pandemic-related decision making
• Update risk assessment for key controls to operate in the appropriate time period
• Assess compliance with regulatory requirements and identify if new controls are required

THRIVE – Monitoring the Refreshed Internal Control Framework

A refreshed internal control framework incorporating mission essential risks and lessons learned from the COVID-19 pandemic can provide a substantial advantage to preparedness in a future crisis. Periodically challenge and re-evaluate your risk assessment based on new factors, new information, and the ever-changing global environment in the post-pandemic world.

Internal Control Framework (continued): Key Considerations

Testing
• Test whether mission essential controls are operating effectively to address the identified risks
• Test attributes should focus on items that are key to continuing the mission
• Consider implementing Deloitte’s Digital Testing and Controls Automation (DCTA) framework so testing can occur remotely, while saving time and resources

Conclude and Report
• Communicate results of assessment to those charged with governance
• Consider the future cadence of operating effectiveness testing of mission essential controls
• Consider incorporating live streaming dashboards to report testing results

Remediate
• Codify and document updated processes and controls so that lessons learned aren’t lost after the crisis is over
• For identified deficiencies, develop and monitor a remediation plan
• Consider implementing technologies such as Robotic Process Automation (RPA) to achieve greater efficiency and cost savings


Additional Resources

For Deloitte insights on COVID-19, information on new guidance, and resources available to you, please visit:

Deloitte COVID-19 homepage: www.deloitte.com/covid-19

Deloitte’s Resilient Podcast Series: https://www2.deloitte.com/us/en/pages/risk/topics/resilient-podcast.html

Deloitte Risk Advisory homepage: https://www2.deloitte.com/global/en/pages/risk/topics/risk-advisory.html?icid=top_risk-advisory

Deloitte Government and Public Services homepage: https://www2.deloitte.com/global/en/industries/government-public-services.html?icid=top_government-public-services

For thoughts, questions, or comments, please reach out:

Eunji Hong, Senior Manager, Deloitte & Touche

Jennifer Hansen, Senior Manager, Deloitte & Touche

Sofyan Yusufi, Principal, Deloitte & Touche

Ezekiel McMillan, Partner, Deloitte & Touche

David McCue, Partner, Deloitte & Touche


This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2020 Deloitte Development LLC. All rights reserved