Although the Securities and Exchange Commission (SEC) granted one 45-day extension for public companies subject to Sarbanes-Oxley (SOX) reporting requirements, the regulator still expects companies to appropriately protect investors and the public interest by maintaining the full rigor of internal control requirements. As a result, a number of challenges need to be addressed.
I had the opportunity, along with two of my colleagues from the Protiviti SOX Champions Group, Terry Hartzog and Michael Seek, to address several of these topics in a recent webinar titled “COVID-19 and SOX: Practical Considerations While Navigating the Crisis.“ Nearly 1,500 participants attended the live webinar and answered several polling questions. The results of the polling questions are significant in that they show where companies are currently experiencing challenges dealing with changes to their SOX programs. We share those results with some commentary below.
New Controls Added as a Result of COVID-19 and Methods of Alternative Documentation
An initial poll of the webinar’s audience revealed both uncertainty and delayed reaction around the necessary documentation of internal control changes required by office closings and worldwide work-from-home orders.
Remote working arrangements have made it difficult, if not impossible, to execute some kinds of controls, particularly those requiring signatures or visual inspection. Many companies have adapted by accepting electronic signatures or other inspection alternatives, such as drones, to meet control standards. (We discussed control alternatives in a previous blog post.)
The important thing, from a SOX perspective, is that any control changes need to be documented and clearly communicated. For example, a company that utilizes a dual-signature control on high-dollar-value checks may have raised the threshold during quarantine to reduce administrative burden. That company could decide to maintain the higher threshold upon return to the office, return it to the previous level, or eliminate check printing and signatures by moving to a paperless payment process for the long term. Bottom line, documentation and communication are key.
As a consequence of the widespread move to a remote working environment, we further asked how plans have been adjusted to address the heightened IT security risks. The results revealed that only around half of respondents are actively reviewing IT security, or planning to review IT security, within the next 60 days.
Companies should continue to evaluate the risks presented with the new remote work environment and supporting technology that has been implemented or modified to allow for this. Performing a new risk assessment in the shadow of COVID was addressed in our blog post on SOX risk assessment.
Updates to Risk Assessment and Potential Changes in Scoping
Close to half of respondents polled indicated that their companies had begun to update their SOX risk assessment to reflect any material financial changes caused by the shutdown, with 13% indicating they have completed the process. Most surprising, however, was the 10% who indicated that they were not planning to update their risk assessment.
More than 50% of respondents had either not begun or were not planning to assess the impact to SOX compliance of financial materiality changes as a result of a downturn in business and changes in controls to accommodate remote work. Those companies have additional work to do in planning for FY2020. They will want to monitor financial results and refresh the risk assessment and materiality calculation at the end of the remaining quarters for their current fiscal years.
Our webinar polling also revealed that for many companies, it’s not yet clear whether the changes caused by the pandemic will bring into scope new locations, processes or business units for purposes of FY20 SOX compliance. Almost half of poll respondents indicated that they were not sure.
This isn’t necessarily because respondents haven’t considered scoping; rather, it may not be clear, at present, whether materiality changes are temporary or permanent. As forecasting becomes more reliable in late Q2 and into Q3 2020, companies will need to reassess implications to their SOX scoping.
Although companies don’t have to decide immediately whether they plan to adopt temporary or permanent process changes, or whether their materiality update may drive permanent scoping changes, it would be smart to keep these considerations in mind. Many of the changes required for remote work involve investing in automation and digitization of paper processes. Clearly, an organization that already maintains control evidence in digital form is going to have different long-term priorities than a paper-based company trying to navigate the move to a digital environment. In general, consider evaluating changes affecting process documentation, succession planning and business continuity plans, with an eye toward being prepared for future events.
During the webinar, participants asked a number of interesting questions. We’ll address those questions in a Part 2 of this discussion.
Shari Katz and Alex Conrad with Protiviti’s Internal Audit and Financial Advisory practice contributed to this content.