After more than a year of living and working through the pandemic, there appears to be a light at the end of the tunnel. Even as some countries begin to loosen restrictions, uncertainty remains around when it will end, what life will look like afterward and what changes might persist. This uncertainty will continue to affect internal control over financial reporting (ICFR), disclosure and regulation at financial services companies, and shape the questions that audit committees should be asking.
At the start of the pandemic, financial services companies were, for the most part, able to move quickly to remote work. And while there were initial concerns about controls, the transition has led to few material issues. Still, audit committees will want to question management about how they’re continuing to act on their business continuity plan, what they envision for the future of work, and whether there have been any areas where they’ve needed to change their approach.
Adapting controls to new work models
New work models introduced during the pandemic will have implications from controls to people to premises. Some companies, acknowledging the importance and complexity of the future of work, have formed working groups to look at the issue.
As employees move back to the office or work in some form of hybrid model, companies will need to reassess whether the controls they have in place are suitable for this new model. For example, if there are parallel tracks for certain people to work from home and others to work from the office, there will need to be appropriate controls in both streams. Regulators will be looking for assurances that the control framework is appropriate for both models and is backed by the proper controls and oversight.
Employee health is now a control issue
Although it’s not traditionally considered an ICFR issue, the pandemic and remote work have highlighted that supporting and adapting to the needs of the workforce will become an important factor for both controls and overall operations. If workers are experiencing mental health challenges and burnout, it can affect their ability to do their job effectively. It’s critical to have an effective control framework that can detect and prevent potential control issues.
In this environment, it may be challenging to hire quickly to fill open positions, increasing the workload for remaining employees. And, as we move out of the pandemic, managers may need to oversee people both remotely and at the office, which could cause them to be overextended. Audit committees will need to understand how the workforce is being affected, how this might impact the overall control environment and what is in place to mitigate potential risks.
Another area where the pandemic will have a lasting effect is on modelling and projections. Modellers now have some data to provide insight into what might happen to multiple variables, from consumer behaviour to credit risk, during such a massive event. However, there continues to be uncertainty around the recovery pattern and timing of recovery.
Management and audit committees will need to be comfortable with how much stress is applied to the models when forecasting and the assumptions made. Heightened estimation uncertainty is an ongoing issue because of the uncertainty around vaccine timing, the impact of government support programs and what consumer patterns will look like as we return to normal. Management will also need to decide to what degree they will consider this period in the data, as it is an extraordinary time that may not be indicative of future cycles. Companies will need to provide transparency around how these uncertainties are being considered in their estimates.
Disclosures are evolving
This estimation uncertainty is one of the drivers behind the increase in disclosures by financial services companies around the impacts of COVID-19. The initial hurdle was deciding what to say around the risks and uncertainties arising from the pandemic and how that was impacting the business. But reporting has evolved from the first quarter post-COVID to year-end financial statements to now being into quarters more than a year post-COVID. The securities regulators have also provided some guidance around best practices for disclosures.
In the immediate term, management and audit committees will need to evaluate whether the company’s disclosures continue to make sense and how they should be updated. New issues may have arisen and others may no longer be as much of a risk or disclosure point, and a decision will need to be made as to when it no longer makes sense to continue to highlight certain items through disclosure. Audit committees will want to monitor the evolution of disclosures and whether the focus is in the right areas. And they must ensure there is consistency between the key financial reporting risks being discussed among management and the audit committee and those that are being disclosed.
By asking the right questions, audit committees can provide the necessary oversight through this time of heightened uncertainty and prepare for what is likely to be a new way of working. To do this they will need to be mindful of employee health and ensure that processes and controls have been adapted to the new reality of work. Audit committees will also need to be satisfied with how management is forming its estimates and remain current on the shifting requirements of disclosure.
What should audit committees be asking?
- Is management continuing to act on their business continuity plan and are there any areas they’ve identified where they’ve had to change their approach?
- What is management envisioning for the future of work?
- How is our workforce and working models being impacted by the pandemic and how does this affect controls?
- What are the key assumptions management has used to determine their estimates and how have their modeled forecasts been evolving to arrive at estimates?
- Do our disclosures still make sense and should anything be added or discontinued? Are the key financial reporting risks being discussed between management and the audit committee accurately reflected in the disclosure documents?