Left: Raina Tripp, Right: Kathryn Gifford, Johnson Lambert
21 August 2020
Law & regulation

Working from home: internal control considerations and the COVID-19 pandemic


The COVID-19 pandemic took the world by storm, causing many unforeseen challenges for captive parents or sponsors and their service providers, such as captive managers, managing general agents (MGAs), managing general underwriters (MGUs), and third-party administrators (TPAs).

Although many organisations were prepared to make the switch from being office-based to a remote working environment, others were not.

Some organisations had protocols in place for remote working that allowed them to respond to the COVID-19 pandemic with only minor adjustments to their existing remote working environments. Others had to develop remote working capabilities from scratch.

Either way, the design and operating effectiveness of internal controls need to be reviewed to ensure these arrangements remain fit for purpose.

Things to consider

Consider the following as they apply to your captive and its management team:

  • If a service provider quickly shifted to a fully remote workforce, were they equipped to make the transition and was it successful?
  • Does the parent/sponsor have controls in place to monitor the impact on the captive of policy and procedure changes at the service provider, specifically if your MGA, MGU, and/or TPA doesn’t have a system and organisation controls (SOC) report?
  • If the captive entered into new transactions subsequent to the onset of the pandemic, such as dividends, premium refunds or promissory notes, are there internal controls in place to ensure such transactions are recorded correctly?
  • Have communications between the captive and its service providers remained open and clear?
  • Are internal controls still designed and operating effectively in the remote environment at the captive and its service providers?
  • Are captive managers, MGAs, MGUs, TPAs and individuals involved at the parent/sponsor able to perform key control functions in the remote work environment?

If you answered no to any of the above questions, an evaluation of the design and operating effectiveness of the captive’s current internal controls may be necessary. Internal controls that are effectively designed and operating are vital in preventing and detecting errors and fraudulent activities.

The fraud triangle

In these unprecedented times, it is important to consider whether fraud may exist at your captive or service provider. Pressure, rationalisation, and opportunity are the three corners of the fraud triangle.

The downturn of the economy and stock market may put added pressure on captives, their parents or sponsors, and service providers, including the employees of these organisations.

Weak internal controls provide an opportunity for fraud to occur, and when combined with pressure and rationalisation for participating in a fraudulent activity, the trifecta of the fraud triangle is completed (Figure 1).

Figure 1: The fraud triangle

There are four areas of internal controls a captive should consider when completing its objective review: communication, segregation of duties, financial statement review, and the overarching involvement of information technology (IT).

Each of these areas should be evaluated to ensure that controls are designed and operating effectively.

Additionally, the review should be retrospective, dating back to the time remote working was implemented, to assess any transactions recorded incorrectly and identify any fraudulent activity during that time. The analysis should consider current preventive and detective controls and whether any new controls should be implemented.

Preventive controls

Preventive controls include segregation of duties, proper authorisation, adequate documentation, and physical control over assets. Preventive controls also include assessing whether personnel are adequately trained and equipped to take on new responsibilities and ensuring new service providers, software, or process changes such as digital authorisation are fully vetted prior to implementation.

Detective controls

Detective controls look back to find errors or issues and include reviews, analyses, reconciliations, and audits. Detective controls are key in identifying errors or fraud that have occurred.

Communication and IT

Communication and dissemination of information can take a different form in a remote work environment and may be less frequent and/or use different media than in a traditional office environment.

As all organisations are grappling with the changes caused by the pandemic and employees’ personal and work responsibilities are shifting, it’s possible an unintentional breakdown in communication may occur.

Recommendations

  • Increase the frequency of communication between the board and management to address the rapidly changing environment and to align the strategic direction of the captive with current or revised goals. This can occur during company-wide or team meetings, or one-on-one discussions.
  • Schedule regular calls with service providers to ensure the evolving needs of the parent/sponsor are relayed in a timely fashion, particularly new or unusual transactions such as dividends, premium refunds, new promissory notes, revisions to policy terms or coverage, etc.
  • Discuss any changes at the service providers and understand their implementation plans.
  • Evaluate which communication method is best suited to the information to be shared: phone call, video conference, or email. Each method has pros and cons, so consider how the audience will best receive the information.
  • Make sure employees have the necessary IT equipment and support to successfully perform their job responsibilities.
  • For captive managers, schedule regular meetings with your teams to relay new and changing information, including regulatory requirements and best practices. 

Segregation of duties and IT

The pandemic modified many employees’ work schedules as they are faced with balancing personal responsibilities such as child or elder care with work responsibilities.

Whether temporary or permanent, these shifts in availability may require changes to the personnel designated to perform certain tasks, which may inadvertently lead to a lack of segregation of duties.

Electronic approvals and/or signatures can ensure the internal control over approvals and sign-offs is upheld. However, certain IT controls must be in place to verify the correct person is providing authorisation as intended. A typed signature is not sufficient as it does not ensure the correct individual authorised the transaction.

Recommendations

  • Implement dual authentication to ensure access to file-sharing sites or documents is restricted to authorised personnel.
  • Require a unique user ID for each employee.
  • Have IT establish and periodically test electronic approvals.
  • Periodically review authorised individuals and verify electronic approvals are updated for changes in name, title or contact information.
  • Review the current workflow and perform a retrospective review dating back to the time remote work was implemented. Identify who performed each task and whether a lack of segregation of duties is occurring or has occurred. When limited staffing is available, implement an overall review from a separate party to ensure reasonableness.
  • Perform additional reviews when segregation of duties is impaired. Re-review invoices when the same employee requested, authorised and issued cheques, and re-reconcile the related bank accounts.
  • Implement a contingency plan to ensure internal controls are upheld if employees are unable to perform their job responsibilities. 

Financial statement review

Strong internal controls include a thorough financial statement review to ensure financial statements are not misleading or misstated. New risk factors have emerged as a result of the pandemic and older risk factors may have resurged given changes in the business environment and economy.

The captive may have had controls in place to address these risks, but is not actively using these “sleeper” controls, which should be revisited and reactivated.

Recommendations

  • Ensure adequate reviews take place to detect investment holdings that may be other than temporarily impaired due to market declines.
  • Determine whether market declines have caused the investment portfolio to no longer conform to the captive’s investment policy.
  • Revise pro forma income projections in light of current economic conditions and determine whether existing net operating losses are expected to be utilised in the future.
  • Evaluate whether receipt of premiums is a concern and update the allowance for doubtful accounts accordingly.
  • Review regulatory requirements, such as capital and surplus or solvency requirements, to ensure compliance.
  • Evaluate whether there are going concern issues that need to be analysed and disclosed in the financial statements.
  • Request and review current SOC reports from service providers, enquire about any changes to controls since the report date, and understand the impact the pandemic had on their ability to provide services.
  • If your MGA, MGU, and/or TPA does not have a SOC report, understand whether any changes were made to IT systems or equipment that impacted the processing of the captive’s transactions and whether modifications to internal controls have occurred. Ensure that the captive has controls in place to detect errors and fraud in the reports by these service providers. 

The COVID-19 pandemic has upended many aspects of our personal lives and our businesses. To minimise the potentially negative effects of internal controls not functioning properly, a captive must continuously assess its internal control environment.

Reviewing current internal controls, changes that have occurred, and changes that may need to occur to maintain effectiveness is more important than ever. It is essential that captive owners, parent companies or sponsors and service providers make an assessment of their processes to identify internal control weaknesses and develop prompt and adequate responses.

Kathryn Gifford is a senior manager at Johnson Lambert. She can be contacted at: kgifford@johnsonlambert.com

Raina Tripp is an audit manager at Johnson Lambert. She can be contacted at: rtripp@johnsonlambert.com