Over the past few months we have seen unprecedented level of disruption to our normal lives and day-to-day processes as result of COVID-19 (commonly referred to as the coronavirus). With remote work, workforece disruptions, and a diverted focus to customer and employee safety, commercial viability, and the possibility of a global recession-there are numerous opportunities for internal controls to be shortcut or circumvented.
As organizations revisit their priorities, compliance with Sarbanes-Oxley 404 (SOX) and an appropriate internal control environment are not areas that can be deferred or ignored. While the situation continues to be extremely fluid and there are many unanswered questions, there are a number of items to consider related to your SOX programme. We believe that being proactive is critical to your organization's control environment and that early action will minimize possible future cost and control implications.
An opportunity for the SOX function to add value by providing guidance to the organization on practical ways to modify control procedures.
Often a SOX function is seen purely as a compliance programme mandated by a regulation, and more specifically, a testing function. In these turbulent times where decisions are being made rapidly, this is an opportunity for the SOX function to be a control advisor, providing practical, real-time input on ways to modify controls to address a rapidly changing environment. As organizations struggle to shift to a virtual workforce, with absent or reduced workforces, and in some cases finding that certain third parties are not able to provide support, there is an opportunity for the SOX function to prove its value. As control experts, the SOX function should be proactive in its involvement in redesigning and modifying control activities to be reactive to fluid business situations, offering guidance on the specific risks that controls are intended to mitigate and practical ways in which the design or execution of those controls can be modified to accommodate these unprecedented changes.
Organizations are not only focused on completing day-to-day tasks, but also facing an upcoming quarter-end process and need to think through potential modifications to processes and controls quickly. The critical objective is to protect the organization as we evaluate changes to the control environment. To the extent that certain individuals are not able to complete tasks, these tasks must be reallocated to others within the organization. As that happens, the following items should be considered related to SOX compliance:
These critical SOX control areas warrant additional attention:
The impact of COVID-19 on the execution of a company's SOX program is varied, but here are some of the highlights to consider in the short term, particularly for those SOX functions currently in the planning phase of their 2020 SOX Program: