SOX Risk Assessment in the Time of COVID-19

Kristen Kelly, Associate Director Internal Audit and Financial Advisory

April is the traditional start of Sarbanes-Oxley (SOX) risk assessment season for calendar-year filers. With the 10-K and proxy statement filed and the Q1 close coming to completion, organizations typically kick off the next fiscal year’s compliance efforts with the annual risk assessment. As we begin to navigate this season in the time of the COVID-19 pandemic, companies are facing an unprecedented velocity of change.

We offer the following practical considerations as companies perform their SOX risk assessment for FY20:

  1. Historical quantitative inputs to materiality calculations may not be sufficient – While the starting point for the FY20 risk assessment may still be the final FY19 financial statements, this input will likely not be representative of what FY20 financial results will look like for any company in any industry. Though forecasts may still be in the process of being reworked, they may prove to be the more suitable starting point. Usual measures such as net income before tax are likely to be substantially lower for FY20 and evennegative for some companies. In such situations, other measures such as EBITDA or revenue may need to be used and several materiality scenarios assessed to determine the level of adjustment that would impact the earnings per share measurement.
  2. New financial statement elements and locations may come into scope – With the results of the materiality calculation likely being lower than in recent prior years, there may be financial statement elements or perhaps even locations that will rise above the quantitative and qualitative measures that have typically been used to define the SOX program scope. This may require additional judgment in the risk assessment process and require planning to address these items in FY20. Risk assessment conclusions should be clearly documented and supported. Perhaps there are current monitoring controls that can be adjusted to address the risks of these new processes or locations coming into scope in FY20. If not, new controls may need to be implemented and tested in relatively short order for new scope areas. Additionally, if materiality has significantly decreased, thresholds or tolerances applied in controls, particularly for management-review controls, may need to be calibrated to the unique circumstances of FY20.
  3. Annual update to risk assessment and scoping may not be sufficient – The pace of change in response to the pandemic is like nothing we have seen before. Extended shelter-in-place requirements, changes to the definition of essential businesses, and responses by organizations to pivot from business as usual to address the emerging challenges and risks show no signs of slowing down. Risk assessments will need to be updated following Q2 and likely even more frequently as circumstances change. Organizations will need to be able to demonstrate that the SOX risk assessment and scoping is reflective of any material changes in the financial statements at the end of FY20. This new environment we are living in will push us more than ever toward real-time risk assessment rather than an annual update.
  4. Filing status and deadlines may change – The current market volatility, coupled with the SEC’s recent changes to the definitions of accelerated and non-accelerated filers, may result in changes to the filing status of a number of organizations to expand the number of 404(a) filers and reduce the need for external auditor attestation. Companies will want to educate themselves on the recent SEC updates and pay close attention to where they stand on the June 30 measurement date (for 12/31 year-end filers). With the SEC also allowing for the extension of filings due between March 1 and July 1, and with many employees working remotely, it will be important to closely communicate updates to filing calendars and coordinate with the Legal, Investor Relations and Financial Reporting departments.  
  5. A detailed fraud risk assessment is warranted – Some organizations include the assessment of fraud risk as a component of the overall SOX risk assessment. In a period of overwhelming change such as we are experiencing today, there is a heightened risk of fraud. Just in the last couple of weeks, we have seen an uptick in fraud schemes perpetrated to take advantage of the current uncertainty at the same time as the relaxation of certain control requirements is happening. For example, a dual signature is often required for transactions over a certain threshold. A company may temporarily suspend this requirement, or may extend the deadlines for completion of account reconciliations – situations that may open up an opportunity for fraud. Another consideration is technology that may have been hastily deployed to a newly remote workforce but perhaps without the normal diligence to ITGC coverage or with a mind-set of enablement rather than restriction regarding user access. Organizations should consider the impact of these new exposures in a robust fraud risk assessment. 
  6. Coordination with external audit is crucial – As with all aspects of internal control over financial reporting, early and frequent communication with the external auditor on COVID-19 impacts is recommended. Management should review and obtain external audit agreement with the risk assessment conclusion and establish practical cadence for updates in FY20. Additionally, management should discuss how the timing and extent of audit procedures will be impacted and coordinate on the impact of any filing extension.  

Addressing these areas early in the completion of the FY20 risk assessment will set organizations on the right course to navigate these uncertain times.

Protiviti’s SOX Champions Network contributed to this content. For more blogs in this series, click here.

1 comment