Home

Quick Links

Legal

navigation

Thursday, April 2, 2020

Managing Your SOX Environment During Disruption


Reactions to the COVID-19 pandemic have been swift and wide-ranging, and the effects of the crisis have been felt from top to bottom in most organizations. But despite emergencies and changing priorities, businesses can’t let internal controls fall by the wayside.

SOX teams should consider the potential impact of the current situation on the internal controls over financial reporting (ICOFR) environment. Here are some examples to consider:

Topic Response
1. Potential reprioritization of employees’ activities, reducing their focus on documental evidence of key controls
  • Define a list of high-risk controls to ensure that the proper resources and level of attention are allocated to maintain their effectiveness.
  • Properly document the temporary changes in the control environment and adjust the interim testing approach.
  • Make sure to properly disclose these changes to the relevant stakeholders and the Disclosure Committee.
  • Properly engage auditors in early discussion regarding the changes in the control environment.
  • Optimize the control portfolio to include compensating controls to be performed in case of emergency.
2. Redefinition of the performance of controls due to remote work – e.g., controls performed with the proximity of other colleagues vs. working remotely
  • Review the control portfolio and determine the controls that are majorly impacted. Confirm this with the involved control owners and define a response to ensure proper documentation.
  • Make sure to memorialize these control changes, collect documentation (if possible), and adjust the control steps to reduce ineffective controls in future testing phases.
3. A push back on activities usually started in this period (e.g., risk assessment)
  • Focus instead on those activities to streamline the audit process that have always been put on the back burner due to competing priorities (SOX tool implementation, etc.)
4. Management ensuring that disclosure controls include considerations regarding the current pandemic
  • Management should include consideration of COVID-19 matters in the subsequent events discussion. For example:
    1. Disclosure of risks and uncertainties due to the global pandemic
    2. Disclosure of subsequent events specifically impacting the client, such as shelter-in-place orders, serious market disruptions, etc.
    3. If needed, disclosure of the decline in market value for certain types of investments in financial markets
    4. Disclosure of the decline in oil prices
    5. Disclosure of reduction in interest rates
    6. Need for revisiting any projections of future revenues or cash flows underlying estimates inherent in the financial statements, including going concern evaluations
  • Every communication with those charged with governance should probably include discussion of these matters even if they don’t rise to the level of financial statement disclosure.
5. Adjusting walkthroughs
  • Assess process changes that may have resulted from the pandemic (e.g., physical inventory counts may be pushed back).
  • Review timing with external auditors – what can be pushed back to later in the year?
  • Consider the use of video conferencing technology to conduct business and IT controls walkthroughs to meet government guidance on social distancing and protect all the parties involved in the audit process.
  • Further, discuss with the external auditors and your legal team the possibility of recording these walkthroughs for audit efficiency.
  • Can external auditors perform live observations? For example, have them join video calls as management reviews the flux analysis; this may be more efficient than formal walkthroughs.
6. Following best cybersecurity practices for working remotely
  • The increase of employees working remotely and the concerns brought by COVID-19 provide an opportunity for nefarious individuals to conduct attacks on remote employees to steal data. Consult with your cybersecurity and IT teams on how to protect your remote work force. (Here is some guidance on best cybersecurity practices for remote workforces and IT management.)
7. Adjusting form and frequency of project updates to the executive stakeholders (e.g., Audit Committee)
  • Reach out to stakeholders to agree on updated communication protocols, as needed.
8. Ensuring organizational alignment and communication
  • Publish daily top-down messages or short videos to keep employees informed on leadership’s steps to counteract the negative implications of the pandemic.
  • Create a taskforce to manage key functions impacted by the pandemic and any opportunities that may arise from it. Have the taskforce communicate daily to the broader company.
  • Existing plans might not be applicable because they do not really simulate everything that is happening today. Due to rapid global change, some assumptions may need to be revisited.
  • Seek out opportunity and upside in your organization. This helps maintain optimism in uncertain times.
  • Communicate organizational history of being able to manage change in the past.

For more information on keeping your business running during disruption, visit our COVID-19 Resource Center.

COMMENTS

comments powered by Disqus