COVID-19 and internal controls over financial reporting


Challenges and considerations


Related content


On March 11, 2020, the World Health Organization declared the Coronavirus COVID-19 outbreak a global pandemic, in recognition of its rapid spread across the globe. In response, many governments have reacted by taking stringent steps in an attempt to contain the virus, including requiring self- isolation/quarantine by those potentially affected, closing borders, "locking down" regions or even countries, and forcing the closure of businesses deemed to be non- essential. 

Consequently, these measures have had a significant impact on the way in which many organizations are conducting business, and companies need to consider the potential implications on regulatory compliance, reporting and disclosure, and internal control over financial reporting (ICFR). 

Challenges and considerations to effective ICFR

Barriers to obtaining information

Companies with operations in regions experiencing significant effects from the outbreak could face challenges or delays with obtaining relevant financial data for consolidated financial reporting. It is critical for organizations to understand and anticipate where this has the potential to occur, and proactively put measures or additional oversights in place.

Roles and responsibilities

Control owners may not be able to perform their controls due to illness, working remotely or a reduced workforce. Companies will need to examine the existing control structure, and determine whether a re-alignment of roles and responsibilities, or cross-training is necessary.

Material changes in ICFR

With many organizations transitioning to a virtual work environment, companies will need to look at their existing controls and processes and determine whether adjustments and changes will be required to accommodate remote working. For example, new controls may be implemented and/or modified as organizations implement emergency procedures, modify information technology (IT) to enable remote workforces, or account for unanticipated significant events. Companies need to carefully assess whether any such change is considered to be a material change in ICFR, and if so, disclosure would be required, including documentation of all the changes.

Inventory counts and physical asset inspection

If such controls cannot be performed due to working remotely, reduced workforce, or operational shutdowns, companies will need to consider alternatives or other compensating controls that can be relied upon or implemented. For instance, controls over receipts and requisitions may need to be relied upon more heavily, and tested with greater rigour, and inventory counts may need to be performed after the balance sheet date, in which case rollback procedures will be necessary. Early discussions with the company's internal and external auditors will be critical in managing the difficulties with inventory counts and physical asset inspection, as external audit standards require physical attendance at inventory counts for material inventory.

Fraud risk assessment

Companies will need to assess whether fraud risks have changed as a result of the virtual environment. For instance, reduced visibility and oversight may create a greater opportunity for financial reporting fraud or misappropriation of assets, or the ensuing economic conditions and impact on operational performance may create more incentive for financial reporting fraud.

Reporting and disclosure matters new to the company

Economic uncertainties and market volatility have the potential to affect accounting conclusions, and may result in new and emerging accounting and disclosure matters for which controls will need to be implemented. Examples include controls over liquidity analysis and going concern assessment, asset and inventory valuation assessment, commitments for severance costs, unanticipated significant unusual transactions, such as insurance recoveries related to business interruption, or subsequent events accounting and disclosure, in light of the rapidly evolving environment.

Entity level controls

Difficulties with directing and supervising work of team members due to a virtual work environment could change the control environment and require changes to the way in which entity level controls are implemented. Examples include direct oversight, means and frequency of communication, monitoring, considerations with respect to compliance and enforcement of the company's code of conduct, risk assessment process, etc.

Regulators and filing requirements

Regulators are extending filing deadlines in response to the business challenges faced by many organizations in light of the current environment. Companies should consider whether they should take advantage of extended filing deadlines, and will also need to continuously monitor information released by regulators on updates to filing requirements and additional relief.


Companies may face potential increased vulnerability to cyber- attacks due to remote work environments, such as greater susceptibility to phishing attacks and malware. Consequently, organizations will need to think about increasing awareness and education related to cybersecurity, and may need to enhance their security monitoring capabilities to detect threats and potential infections, as well as perform vulnerability assessments and other testing to ensure proper cybersecurity measures are in place.

Management review controls

Where there is heavy reliance on review controls that involve trend and predictive analyses, companies should consider whether the predictability of outcomes remains reliable, given the rapidly changing environment. Review controls may require more comprehensive analysis, or probability weighting as opposed to point estimates, which will also necessitate additional documentation to appropriately evidence the performance of the review.

Additionally, there may be circumstances where review controls will need to be relied on more heavily for testing purposes, if easier to test remotely than manual preventative controls. Review controls typically have additional supporting documentation requirements, which companies need to consider in evaluating ICFR.

Evidence and ICFR testing

An important aspect of ICFR is the maintenance of sufficient evidence regarding the performance of a control. There may be changes to the way in which controls are performed in a virtual environment, with more reliance on electronic records and documents. Companies may need to develop a system to appropriately document and evidence the performance of a control, in particular where hard copy documents have traditionally been retained as evidence of review. Organizations need to ensure the relevant technology is available to support the changes, and that there are appropriate controls over electronic sign-offs, server access, and protocols are in place for maintaining digital records.

Companies should also consider whether changes in the planned testing approach are needed due to travel restrictions and working remotely, and should develop an approach for testing that is dynamic and responsive to the current environment.

Recommendations and best practices

The following are some key recommendations for companies to consider in assessing and responding to necessary changes to ICFR in light of the current environment:

  • Implement an iterative risk assessment process, including fraud risk assessment. Companies will need to revisit their financial reporting risk assessment on an ongoing basis by looking at the financial statements and giving consideration to where new and enhanced accounting and disclosures and ensuing controls, may be required as a result of the ever-evolving circumstances.
  • Identify an individual or group to evaluate existing processes and controls and assess what changes are necessary. Do this now!
  • Engage those charged with governance.
  • Consider whether revisions to reporting requirements may be necessary to accommodate new processes, competing demands on team members, and barriers to obtaining financial data.
  • Consider taking advantage of extended reporting deadlines granted by regulators, and continuously monitor information released by regulators with regard to revisions to reporting deadlines and requirements.

How KPMG can help

We have highlighted five areas where KPMG can provide support:

  1. Sounding board: Provide advice on reviewing and assessing the current state of ICFR, and best practices as you transition and adapt to the new circumstances.
  2. Risk assessment updates, including fraud risk assessment: Review and assess processes and controls and advise on changes to your risk assessment process.
  3. Internal audit "readiness assessment": Perform an assessment of newly implemented processes and controls with the aim of identifying gaps and areas for improvement before new controls are fully implemented.
  4. Designing and documenting new controls and processes: Update documentation, including process narratives, control descriptions, and risk and control matrices, to reflect changes to the existing control environment.
  5. Internal control evaluation: Assess the design, implementation and test the operating effectiveness of newly implemented internal controls.

© 2021 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit

Connect with us


Want to do business with KPMG?


loading image Request for proposal

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Sign up today