
Home Is Where the Risk Is

Internal audit can help organizations address the wide array of risks posed by the remote work environment.


Since the COVID-19 pandemic began, millions of people have been working from home. Houses and apartments have become their offices, classrooms, gyms, and more. This situation has created new risks for organizations, whether it is reliance on technologies like Zoom or dealing with cyberattacks in a distracted environment.

The boundary between work and private life is breaking down, as work is being done on kitchen tables and families balance work and child care. Employees are working over home internet connections, using unmanaged routers and printers. In other cases, employees are going to the office to perform key functions or to access applications not accessible remotely, which may put them at greater risk of infection.

Every organization is dealing with this situation differently. Here are four risks organizations and internal audit should be aware of, their impact, and suggestions to mitigate them.

Sensitive Information

An organization’s most sensitive information takes many forms: email, instant messaging, paper documents, video, and phone conversations. Increasingly, business interactions are happening over videoconferencing. This is especially worrisome for people working in public spaces, where confidential conversations are conducted within range of eavesdroppers.

Some employees may be working in a shared living space, where family members and roommates can hear sensitive work conversations. A way to address this risk is to survey staff to verify that such risks exist and mitigate them appropriately, including changing responsibilities, if necessary. Internal audit can incorporate survey findings into audits and inform business units about the risks during such reviews. Also, auditors should increase awareness of the consequences through training and staff communications. Organizations also can mitigate the risk of eavesdropping by requiring staff to wear headphones during calls.

Another risk is how employees handle confidential information in printed form within the home. There is a risk that someone outside the organization could confiscate or read confidential or sensitive documents, which could lead to disclosure or loss of critical data. Organizations can mitigate this risk by training staff to identify confidential information and ensure it is handled correctly. Additionally, the organization should set expectations and provide guidance on how to appropriately store and dispose of all hard copy, confidential information that is produced remotely.


Cyberattacks have increased since the beginning of the pandemic. In June, the Internet Crime Complaint Center at the U.S. Federal Bureau of Investigation (FBI) reported that daily digital crime had risen by 75% since the start of stay-at-home restrictions in the U.S. The number of complaints it had received nearly surpassed the total for 2019.

The main cyber risk internal auditors should be on the lookout for is phishing scams. Phishing is the fraudulent attempt to obtain sensitive information, such as usernames, passwords, and credit card information, by posing as a trustworthy entity in an email or other electronic communication. Phishing messages often direct users to enter personal information at a fake website that looks like the legitimate site.

According to an August article in The Economist, COVID-19-related schemes have been the main method of attack during the crisis. “In recent months, emails purporting to be from government and health-care authorities have proliferated, claiming to provide information and offer recommendations about the pandemic,” the article notes.

Successful phishing attacks can result in monetary loss and give criminals access to sensitive information such as bank account details. Phishers may be able to use this information to withdraw money from the account or make online transactions using the victim’s money. The best way to mitigate phishing attempts is to instruct employees to stay vigilant and not click on links within emails, even if they appear to be coming from legitimate sources. Instead, employees should log directly into the application or website.

Company Culture

Culture is an important part of any organization. Often, it’s the informal conversations between meetings that build lasting working relationships. During the pandemic, most of these interactions have occurred over instant messaging.

When all interactions are virtual, employees may feel disengaged from the organization’s culture, leading to reduction of shared values. That separation from the office can result in fragmented cultures developing on separate teams, which may overtake organizational culture.

One way to mitigate this risk is to promote organizationwide cultural norms across teams in different locations. Management should strengthen communications about behavioral standards and the importance of collaboration in a remote work environment. Internal audit should consider reviewing how the organization is fostering culture and collaboration. That audit also could take the pulse of how employees feel about the organization’s culture in a remote environment.

A more difficult-to-assess risk is employees’ emotional health. Employees may feel stress, anxiety, and isolation about work or personal situations. For example, in an audit setting, these feelings can impact judgment and performance, which could raise issues such as mistakes or difficult interactions between auditors and clients, managers, or colleagues. Similarly, conflicts may be blown out of proportion when working from home without peer feedback and discussion.

Internal audit leaders can mitigate this risk among their staff by encouraging audit employees to speak up about stress and anxiety and use resources such as the employee assistance program. Internal audit should review its level of engagement with audit staff and implement ways to foster communication and support networks.

Home Work Environment

Many people have been working in their bedrooms, living rooms, or kitchens, with noise from their partners, family, or roommates. Employees in these settings may experience frequent interruptions from children or other household members, which may increase levels of stress, anxiety, burnout, and turnover. Organizations can mitigate this risk by permitting flexible working arrangements where possible that allow staff to work during times that best suit them without reducing performance.

Another risk to consider is ergonomics, such as consistently working from the kitchen table or an uncomfortable chair. Back pain, aching hips, and tight shoulders are all distracting when a person is trying to get work done. Most office workers spend the majority of their day sitting in an office chair, so it is important that it provides comfort, support, and easy adjustability.

Auditors should consider what the organization’s plan would be if an employee files a workman’s compensation claim while working from home. A way to mitigate this risk is to improve awareness of ergonomic issues and have internal audit perform a remote workplace assessment or survey. For example, auditors could ask employees to check that they have a suitable chair and that their desk is at the right height. Based on the survey results, organizations can provide appropriate equipment, where needed.

Communication Is Key

Working from home has created new challenges and risks for employers and employees, alike. Internal audit should be aware of the risks involved and the ways they can be mitigated. Whether it is sensitive information, phishing attempts, company culture, or unsuitable home work environments, these risks can be remedied. Every organization is dealing with the situation differently, but communication is key to getting through it. 

Joe Byer

About the Author



Joe Byer, CIA, is a senior audit analyst at Commerce Bank in Kansas City, Mo.

