Remote work options have become an emerging benefit for CPA firms to attract and retain new talent.
This is no surprise, given the growing number of people who desire this opportunity. According to Gallup’s State of the American Workplace report, 43 percent of Americans said they spent at least some time working remotely in 2017, up from 39 percent in 2012.
The problem, from a risk management standpoint, is less control. Given that the majority of data security breaches are due to employee error, remote work adds another layer of risk to the CPA firm’s security and reputation.
Every CPA firm should have a remote work policy in place, even if working at home is still an infrequent occurrence. Knowing where key employees are working if a data breach or fraudulent activity occurs is important when investigating a professional liability claim. It also matters how the policy is written and whether it was followed.
Here are some key areas to update in your remote work policy and review with any professionals who have the option to work from home, even occasionally.
1. Device Management
If the employee is using firm equipment, ranging from laptops to smartphones or other devices like tablets, make sure business insurance policies cover equipment housed offsite or — if applicable — traveling between the office and the telecommuter’s remote location. The remote work policy should offer guidelines for use, storage and transport of firm-owned or leased equipment.
If the employee uses his or her own equipment, research and include language about required insurance protection. Make sure that the equipment has adequate anti-malware and anti-virus software installed and security processes in place, such as a strong password that is changed regularly.
The remote policy should stipulate the types of software to be installed and require that it is kept updated and functioning properly and that adequate password protection is in place.
Review language in the remote work policy that clarifies rights and use of the equipment. Make sure that the remote worker understands and agrees that business equipment is to be used exclusively for work and that they should deny access to non-employees (e.g. family members).