Challenges and considerations
On March 11, 2020, the World Health Organization declared the Coronavirus COVID-19 outbreak a global pandemic, in recognition of its rapid spread across the globe. In response, many governments have reacted by taking stringent steps in an attempt to contain the virus, including requiring self- isolation/quarantine by those potentially affected, closing borders, "locking down" regions or even countries, and forcing the closure of businesses deemed to be non- essential.
Consequently, these measures have had a significant impact on the way in which many organizations are conducting business, and companies need to consider the potential implications on regulatory compliance, reporting and disclosure, and internal control over financial reporting (ICFR).
Barriers to obtaining information
Companies with operations in regions experiencing significant effects from the outbreak could face challenges or delays with obtaining relevant financial data for consolidated financial reporting. It is critical for organizations to understand and anticipate where this has the potential to occur, and proactively put measures or additional oversights in place.
Roles and responsibilities
Control owners may not be able to perform their controls due to illness, working remotely or a reduced workforce. Companies will need to examine the existing control structure, and determine whether a re-alignment of roles and responsibilities, or cross-training is necessary.
Material changes in ICFR
With many organizations transitioning to a virtual work environment, companies will need to look at their existing controls and processes and determine whether adjustments and changes will be required to accommodate remote working. For example, new controls may be implemented and/or modified as organizations implement emergency procedures, modify information technology (IT) to enable remote workforces, or account for unanticipated significant events. Companies need to carefully assess whether any such change is considered to be a material change in ICFR, and if so, disclosure would be required, including documentation of all the changes.
Inventory counts and physical asset inspection
If such controls cannot be performed due to working remotely, reduced workforce, or operational shutdowns, companies will need to consider alternatives or other compensating controls that can be relied upon or implemented. For instance, controls over receipts and requisitions may need to be relied upon more heavily, and tested with greater rigour, and inventory counts may need to be performed after the balance sheet date, in which case rollback procedures will be necessary. Early discussions with the company's internal and external auditors will be critical in managing the difficulties with inventory counts and physical asset inspection, as external audit standards require physical attendance at inventory counts for material inventory.
Fraud risk assessment
Companies will need to assess whether fraud risks have changed as a result of the virtual environment. For instance, reduced visibility and oversight may create a greater opportunity for financial reporting fraud or misappropriation of assets, or the ensuing economic conditions and impact on operational performance may create more incentive for financial reporting fraud.
Reporting and disclosure matters new to the company
Economic uncertainties and market volatility have the potential to affect accounting conclusions, and may result in new and emerging accounting and disclosure matters for which controls will need to be implemented. Examples include controls over liquidity analysis and going concern assessment, asset and inventory valuation assessment, commitments for severance costs, unanticipated significant unusual transactions, such as insurance recoveries related to business interruption, or subsequent events accounting and disclosure, in light of the rapidly evolving environment.
Entity level controls
Difficulties with directing and supervising work of team members due to a virtual work environment could change the control environment and require changes to the way in which entity level controls are implemented. Examples include direct oversight, means and frequency of communication, monitoring, considerations with respect to compliance and enforcement of the company's code of conduct, risk assessment process, etc.
Regulators and filing requirements
Regulators are extending filing deadlines in response to the business challenges faced by many organizations in light of the current environment. Companies should consider whether they should take advantage of extended filing deadlines, and will also need to continuously monitor information released by regulators on updates to filing requirements and additional relief.
Companies may face potential increased vulnerability to cyber- attacks due to remote work environments, such as greater susceptibility to phishing attacks and malware. Consequently, organizations will need to think about increasing awareness and education related to cybersecurity, and may need to enhance their security monitoring capabilities to detect threats and potential infections, as well as perform vulnerability assessments and other testing to ensure proper cybersecurity measures are in place.
Management review controls
Where there is heavy reliance on review controls that involve trend and predictive analyses, companies should consider whether the predictability of outcomes remains reliable, given the rapidly changing environment. Review controls may require more comprehensive analysis, or probability weighting as opposed to point estimates, which will also necessitate additional documentation to appropriately evidence the performance of the review.
Additionally, there may be circumstances where review controls will need to be relied on more heavily for testing purposes, if easier to test remotely than manual preventative controls. Review controls typically have additional supporting documentation requirements, which companies need to consider in evaluating ICFR.
Evidence and ICFR testing
An important aspect of ICFR is the maintenance of sufficient evidence regarding the performance of a control. There may be changes to the way in which controls are performed in a virtual environment, with more reliance on electronic records and documents. Companies may need to develop a system to appropriately document and evidence the performance of a control, in particular where hard copy documents have traditionally been retained as evidence of review. Organizations need to ensure the relevant technology is available to support the changes, and that there are appropriate controls over electronic sign-offs, server access, and protocols are in place for maintaining digital records.
Companies should also consider whether changes in the planned testing approach are needed due to travel restrictions and working remotely, and should develop an approach for testing that is dynamic and responsive to the current environment.
The following are some key recommendations for companies to consider in assessing and responding to necessary changes to ICFR in light of the current environment:
We have highlighted five areas where KPMG can provide support:
© 2020 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.