Over the past few months we have seen an unprecedented level of disruption to our normal lives and day-to-day processes as a result of COVID-19 (commonly referred to as the coronavirus). With remote work, workforce disruptions, and a diverted focus to customer and employee safety, commercial viability, and the possibility of a global recession, there are numerous opportunities for internal controls to be shortcut or circumvented.
As organizations revisit their priorities, compliance with Sarbanes-Oxley 404 (SOX) and an appropriate internal control environment are not areas that can be deferred or ignored. While the situation continues to be extremely fluid and there are many unanswered questions, there are a number of items to consider related to your SOX programme. We believe that being proactive is critical to your organization's control environment and that early action will minimize possible future cost and control implications.
An opportunity for the SOX function to add value by providing guidance to the organization on practical ways to modify control procedures.
Often a SOX function is seen purely as a compliance programme mandated by a regulation, and more specifically, a testing function. In these turbulent times where decisions are being made rapidly, this is an opportunity for the SOX function to be a control advisor, providing practical, real-time input on ways to modify controls to address a rapidly changing environment. As organizations struggle to shift to a virtual workforce, with absent or reduced workforces, and in some cases finding that certain third parties are not able to provide support, there is an opportunity for the SOX function to prove its value. As control experts, the SOX function should be proactive in its involvement in redesigning and modifying control activities to be reactive to fluid business situations, offering guidance on the specific risks that controls are intended to mitigate and practical ways in which the design or execution of those controls can be modified to accommodate these unprecedented changes.
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Modifications to processes
Organizations are not only focused on completing day-to-day tasks, but also facing an upcoming quarter-end process and need to think through potential modifications to processes and controls quickly. The critical objective is to protect the organization as we evaluate changes to the control environment. To the extent that certain individuals are not able to complete tasks, these tasks must be reallocated to others within the organization. As that happens, the following items should be considered related to SOX compliance:
- Documentation of control and process changes. It is likely that many processes will be or have been modified during this period. It's important that those changes are monitored and approved and/or inventoried so that the changes can be evaluated. In situations where extensive changes are expected, a governance process could be created to review and approve the changes. At the same time, we recommend that a log be created to note the date that processes changed and the nature of the change (e.g., change in control owner, change in system access, change in documentation format, change in review limits, etc.). This information will be important in future months when performing testing over this period, and to provide clear documentation of the nature and extent of changes from the normal process.
- If you are using a workflow tool to support your SOX programme (e.g., Workiva, AuditBoard, etc.), utilize the change log, comments, and other functionalities to support these updates. Otherwise, consider other technology and tools you have available within your organization (e.g., ServiceNow, Jira, etc.) to support workflows, tracking, and logging of changes to control documentation. Particularly while working in a remote environment, using technology beyond a spreadsheet for tracking and information sharing will be more effective and easier to manage.
- Segregation of duty implications. As organizations are dealing with individuals or groups not able to perform tasks, ownership of activities and controls will be reallocated. It is important to consider potential segregation of duty implications and whether additional review processes need to be added to compensate for the conflicts that may be created. Ideally, these reviews would take place in real time, but to the extent that the reviews take place after the fact, those too are valuable.
- System access and user privilege control implications. Additional access is being provided to employees in order to facilitate the reallocation of required tasks. It is important that even in emergency situations, additional access rights are still approved, a log of those additional access rights is maintained, and these additional access rights are revoked after processes return to “normal”. This may involve completing an additional user access review over and above your typical periodic user access review frequency.
- Documentation formats. Although many processes and reviews are completed electronically, there are still many processes and reviews that are manual in nature. To the extent that reviews are typically completed manually but now need to be converted to an electronic format, consider how the review evidence will be captured. Not all employees have access to printers and scanners at home, so a new way of documenting reviews will need to be found. This may be a great opportunity to reinforce the benefit of electronic reviews and an impetus to make a change from a historically manual control process.
- Retention of evidence. Once employees return to work, it will be important to remember to bring manual control evidence back into the office environment to be filed and retained in a way that is consistent with the historical process.
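The segregation-of-duty and emergency-access points above can be operationalised as an exception report fed from the access log the text recommends keeping. The following is an added illustration, not KPMG tooling or anything from the original article; the users, systems, rights, dates and the conflicting-right rule set are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class EmergencyGrant:
    user: str
    system: str
    right: str
    granted: date
    planned_revocation: date
    approved_by: Optional[str] = None   # None: granted without a recorded approval
    revoked: Optional[date] = None      # None: still active
    def active_on(self, day: date) -> bool:
        return self.granted <= day and (self.revoked is None or self.revoked > day)

# Constructed sample log: hypothetical users, systems, rights and dates.
GRANTS = [
    EmergencyGrant("u.jones", "ERP", "AP_INVOICE_POST", date(2020, 3, 20), date(2020, 6, 30), "cfo", date(2020, 6, 29)),
    EmergencyGrant("m.patel", "ERP", "AP_PAYMENT_RELEASE", date(2020, 3, 20), date(2020, 6, 30), "cfo"),
    EmergencyGrant("m.patel", "ERP", "AP_INVOICE_POST", date(2020, 4, 2), date(2020, 6, 30)),
    EmergencyGrant("k.lee", "ERP", "VENDOR_MASTER_EDIT", date(2020, 4, 2), date(2020, 5, 31), "controller"),
]

# Right pairs one person should not hold at the same time (hypothetical rule set).
SOD_CONFLICTS = [("AP_INVOICE_POST", "AP_PAYMENT_RELEASE"), ("VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE")]

def unapproved(grants):
    """Grants with no recorded approver: exceptions even in an emergency."""
    return [g for g in grants if g.approved_by is None]

def overdue(grants, day):
    """Still active after the planned revocation date: revoke or re-approve."""
    return [g for g in grants if g.active_on(day) and g.planned_revocation < day]

def sod_conflicts(grants, day):
    """Users holding both halves of a conflicting pair on the given day (emergency grants only; a real review merges in baseline access)."""
    held = {}
    for g in grants:
        if g.active_on(day):
            held.setdefault(g.user, set()).add(g.right)
    return sorted((u, a, b) for u, rights in held.items()
                  for a, b in SOD_CONFLICTS if a in rights and b in rights)

def access_review(grants, as_of_iso):
    """Exception report for the additional user access review (as_of = ISO date)."""
    day = date.fromisoformat(as_of_iso)
    return {"unapproved": [(g.user, g.right) for g in unapproved(grants)],
            "overdue": [(g.user, g.right) for g in overdue(grants, day)],
            "sod_conflicts": sod_conflicts(grants, day)}
```

Running the review for a date after the planned return to normal surfaces the grants that were never revoked, the one issued without an approver, and the user who accumulated both invoice posting and payment release through reallocation.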
Impact on specific internal control focus areas
These critical SOX control areas warrant additional attention:
- Estimates and Reserves. There continues to be a focus on estimates and reserve areas that are subjective in nature. Estimates need to be supported by data-driven assumptions. Given the speed with which the business environment is changing, there are many estimates that will need to be revisited and the rationale for those decisions and assumptions should be well documented since facts and circumstances are changing so rapidly. For example, cash collections have slowed due to companies struggling to modify their payment processing activities to be virtual. At the same time, companies have struggled with the cash application process, and the collectability of receivables from certain vendors may have changed. All of these factors will require you to revisit the assumptions used in determining your receivable reserves. Reliance on prior assumptions and methodologies to calculate your reserves will likely not be sufficient. The same is true for many other asset valuations - inventory, goodwill and intangible assets, stock compensation, asset fair values, etc. - that are impacted by earnings and cash forecast modifications.
- Price and Quantity. The revenue process, as a higher-risk process, continues to be a focal point for control testing, specifically with respect to the controls over price and quantity. As companies and their customers contemplate a sudden change in their economic outlook, we are seeing discussions around discounts, changes to payment terms, and other concessions. It is important to think through the governance and controls around making these types of modifications and how these are being communicated throughout the organization, specifically to the accounting and finance functions.
- Significant and Unusual Transactions. Consider the controls in place around any significant transactions, such as discontinuation of operations, sale/closure of business lines, renegotiation of debt covenants, lease renegotiations, reorganizations, and receipt of federal loans or aid. All of these actions and activities include a number of assumptions and estimates that need to be documented, and the decisions need to have the appropriate review and control processes in place.
- Delegation of authority controls. Given the disruption with personnel, rapid changes in the environment, strains on working capital considerations, and the unknown economic impact of COVID-19, management may be susceptible to the override of key controls associated with delegation of authority and approval of key transactions (e.g., payments, invoicing, extending credits, etc.). Consider potential changes to the delegation of authority levels and controls to document and approve deviations from the typical processes, as well as verifying that appropriate monitoring controls remain or are put into place.
Impact on the SOX 404 programme
The impact of COVID-19 on the execution of a company's SOX programme is varied, but here are some of the highlights to consider in the short term, particularly for those SOX functions currently in the planning phase of their 2020 SOX programme:
- Materiality may change significantly due to the impact of COVID-19. It is important to think about the impact of the change in the business unit revenue mix, as well as overall materiality on the business units and locations in scope.
- Update the financial statement risk assessment to assess the risk associated with the external events and the potential impact on the organization's controls. Qualitative factors, such as those discussed in this paper, should be documented and assessed to determine the impact on operations to identify where additional focus is needed (e.g., detective controls, disclosure controls, etc.) and to maintain focus on the most critical tasks.
- Walkthroughs and Test of Design activities will likely need to be more detailed to ensure a full understanding of all of the process and documentation changes or gaps that occurred while operations were closed or employees were working remotely. Also consider whether process mining technologies could be leveraged to evolve how walkthroughs are executed or gather data regarding the operation and consistency of the process.
- As many industries face uncertainty due to COVID-19, there will continue to be a focus on reducing the cost of the overall SOX programme. This is a time to consider the implementation of centralized electronic repositories for control execution/retention.
- Control deficiency evaluation. For many organizations, it's likely that processes were changed and/or controls were circumvented or did not operate for certain periods of time. In these situations, it's critical to efficiently identify and determine the potential impact of those control failures, particularly if the control issues were aggregated in certain processes (e.g. procurement or distribution) or certain geographies (e.g. Chinese subsidiaries). The aggregation of those failures should be assessed to determine if a material weakness needs to be disclosed as a material change in the control environment.
- While effective coordination with your external auditor is always important, it becomes even more critical in times of rapid change. Communicate proactively with your external auditor regarding process changes and specific internal control focus areas.