The spring of 2020 is marked by the unprecedented level of disruption to our normal lives and day-to-day processes as a result of the novel coronavirus. Between the sudden transition to remote work, the significant impact on our workforce, and a diverted focus to customer and employee safety, commercial viability and the possibility of a global recession, organizations face immediate risks impacting their control environment or compliance with Sarbanes-Oxley (SOX) requirements.
As organizations revisit their priorities during these uncertain times, be mindful that SOX compliance and an appropriate internal control environment are not areas to ignore or defer to a later time.
While the COVID-19 situation remains fluid and questions persist, there are a number of important items to consider with regard to your SOX program. In this unique situation, being proactive is critical to your organization’s control environment, and early action will minimize future cost and control implications.
Reminder: What is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 (SOX) established the Public Company Accounting Oversight Board (PCAOB) to oversee the accounting industry and bolster the fight against corporate fraud. Effectively, the legislation bans company loans to executives, provides protection for corporate whistleblowers, holds CEOs personally responsible for errors in accounting audits, and strengthens the independence and financial literacy of corporate boards.
Section 404 of the Sarbanes-Oxley Act requires corporate executives to personally certify the accuracy of financial statements. It also requires management to maintain an “adequate internal control structure and procedures for financial reporting.” Companies’ auditors must “attest” to these controls and disclose material weaknesses.
As part of SOX compliance, public corporations must hire an independent auditor to review their accounting practices.
What questions should management consider under the current circumstances?
Some of the questions that you should consider as you evaluate the impact of COVID-19 on your internal control environment include:
- Were there any changes to how the controls operate?
- Has the level of risk changed?
- Has the frequency of the controls changed?
- Has the control owner or person responsible changed?
- Has decision-making changed with regard to operations and organizational objectives?
- Is it necessary to review and revise policies and procedures to reflect any changes?
- Do we have a contingency plan in place should someone become unavailable to execute controls?
How has COVID-19 heightened certain risk areas? And what can we do?
In the context of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) “Internal Control – Integrated Framework,” some risk areas requiring particular attention include:
1. Control environment
- Remote work arrangements may significantly alter how you execute internal controls
- Remote work arrangements may reduce oversight and communication across the organization
- Lack of continued education and training sessions may lead to miscommunication on how to consistently execute internal controls or apply organizational policies
- Absence of contingency plans for key personnel who execute internal controls
- Noncompliance with organizational policies or applicable accounting standards, laws and regulations
- Engage with team members (virtually, of course) to discuss changes in business operations and potential changes to all risk areas
- Deploy training to ensure all employees understand how to operate securely in a remote environment
- Enhance existing tools, technology, and IT infrastructure to support remote execution (and evaluation) of controls in a virtual environment
- Create backup support for process and control owners, as well as testing team members who may be impacted by illness or remote working
- Verify new ways of working and continue to provide sufficient evidence of control performance
2. Risk assessment
- Increased pressures to meet organizational goals and targets (heightens the risk of fraud)
- Failure to assess and address the impact of changes in a timely manner
- Inappropriate or rushed changes in processes and controls may occur when appropriate levels of leadership and stakeholders are not involved in the decision-making process
- Inconsistent oversight and communication increase the risk of management override of internal controls
- Review previously performed risk assessments (e.g., enterprise risk assessments, fraud risk assessments, IT risk assessments), reassess risk rankings and modify mitigation plans
- Repurpose individuals, as necessary, to design and document changed or new controls
3. Control activities
- Failure to adequately protect confidential data (electronic or hard copy)
- Failure to implement new controls or revise existing controls to account for remote workforces (e.g., increased access to systems or applications)
- Increased user access or changes in employee job responsibilities may result in segregation-of-duties conflicts
- Failure to set policies and procedures or implement necessary corrective actions in a timely fashion may lead to outdated or missing controls
- Establish mechanisms for effective operation of new or critical controls with a focus on impairments, disclosures, revenue recognition, accounting estimates, fair values, fraud and segregation of duties
- Strengthen detective or monitoring controls
- Explore system capabilities and the ability to automate controls (ERP workflows, electronic signatures, etc.)
4. Information and communication
- Significant changes may require disclosure in quarterly or annual financial statements; disclosures may be inaccurately reflected in, or excluded from, financial statements due to COVID-19 (risk factors, MD&A, asset impairments, valuation, loss contingencies, going concern, subsequent events)
- Information may be delayed or unavailable due to operations in impacted countries or remote working arrangements
- Financial close or external reporting may be delayed or not completed
- Establish a communication platform and process to keep teams and the organization informed on a timely basis (e.g., daily updates, weekly departmental meetings)
5. Monitoring activities
- Lack of business continuity or disaster recovery plans could generate major disruptions in processes and controls
- Heightened use of personal or public unsecured WiFi networks increases the dependence on cybersecurity controls, including access security, system change control, and data center/network operations
- Increased use of mobile devices or other technological assets outside of the office elevates the importance of monitoring IT general controls
- Remote working arrangements and changes to the overall environment may require changes to the frequency of control performance
- Reflect on current processes, potential opportunities, and lessons learned during these unprecedented times and continue to use them moving forward (updating business continuity and disaster recovery plans, communication protocols, more efficient and streamlined processes/controls, etc.)
Background: What is the COSO internal control framework?
As a reminder, the COSO “Internal Control – Integrated Framework” is the internal control framework widely adopted in the United States. Ultimately, it serves as a framework for designing, implementing, and evaluating internal control for organizations. The framework consists of five key components:
- Control environment – The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment – Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
- Control activities – Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
- Information and communication – Communication is the continual iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated through the organization, flowing up, down, and across the entity.
- Monitoring activities – Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.
For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.