Although the Securities and Exchange Commission (SEC) granted one 45-day extension for public companies subject to Sarbanes-Oxley (SOX) reporting requirements, the regulator still expects companies to appropriately protect investors and public interest by maintaining the full rigor of internal control requirements. As a result, there are a number of challenges that need to be addressed.
Members of Protiviti’s SOX Champions Group addressed some of these topics in a recent webinar titled “COVID-19 and SOX: Practical Considerations While Navigating the Crisis.” Our colleague Kristen Kelly analyzed the results from the webinar polling questions in a blog post last week. We would like to address some of the audience questions received during the live session.
Q: How is the remote work environment impacting teams responsible for overseeing the SOX program and testing?
This varies by industry and organization. A common question we hear is “What if my responsibilities have expanded to include control execution, in addition to testing?” The concern here is objectivity and independence. It is important to track any areas where SOX testers were recently tasked with management responsibilities, so that a different, independent and objective tester can be used to test these controls in 2020.
More broadly, SOX programs and testers should remain nimble and flexible to meet organizational needs. Paradoxically, the disruption may be greater in more mature SOX programs where a predictable and well-communicated calendar was previously in effect and the business knew what to expect when. Now, priorities may have shifted as organizations have had to refocus resources and attention to maintaining operations, controlling costs and developing revised forecasts. This makes it even more important to embrace flexibility and partner with the organization to figure out what are appropriate solutions at this challenging time.
One positive outcome of remote work is control and process owners scrutinizing controls and asking “Why do we do this?” or “What does this control mitigate?” When an audit professional hears that a process owner or their backup does not understand the value or reasoning behind a control activity, that can raise a yellow flag. In this case, the team should look at the control to reinforce or rationalize the control’s meaning and relevancy.
Finally, the SOX PMO should not assume anything. Some of our clients had assumed that they would delay SOX walkthroughs scheduled for the May-June time period. However, we found that many stakeholders prefer to keep to the original plan, with the idea that the organization may be busier later in the year as it tries to get back to business as usual.
Q: What examples of specific new SOX controls have companies added?
Added controls tend to be either in a general or industry-specific category. General controls we’ve seen include:
- Accrual searches – Timelines for cutting off searches for late invoices have been substantially extended due to vendor invoice delays. In some companies this may be an entirely new control.
- IT access review – IT has certainly faced its challenges moving the workforce to a remote work environment. To help mitigate increased risk in this space, many companies have increased the frequency with which they review access controls.
Specific to industry, we’ve seen added controls around forbearances and the forgiveness of loan payments in the real estate space. Due to the exponential increase in volume of lease non-payments, companies have been evaluating what might have been non-key controls in the past that suddenly impact a substantial amount of their leases. This is done in the context of the FASB staff-issued guidance that permits a simplified approach to accounting for COVID-19-related rent concessions, but the details are still important from a substantive audit and controls perspective.
Q: What changes have you seen in controls and how do you decide whether they are temporary or permanent?
So far, we’ve seen few concrete decisions on control or scoping changes. The focus to date has been on gathering information on current activities performed, reminding control owners to execute their controls, and evaluating whether there are necessary control updates to implement in the current process. Many companies are trying to determine if a control has fundamentally changed, or if just the evidence changed due to the shift to a remote work environment.
One example we’ve seen is clients temporarily raising the threshold of high-value disbursements requiring dual authorization. This relieves the control burden initially, and the risk is offset through a newly implemented weekly review of all disbursements. However, we have not seen this considered as a permanent change, probably because the longer-term vision is to leverage banking software, which will move companies away from physical check printing and signing.
For other examples of control changes, see our previous blog post in this series.
Q: How do we maintain and test controls with a reduced and remote workforce in a heightened risk environment?
The key, in the absence of face-to-face interaction, is better communication and information sharing, as we mentioned in the answer to the first question above.
Additionally, we have been advising clients to start testing earlier in order to give the organization the most time possible to address issues and implement corrective actions. It might help to look back at the previous quarter’s testing to see what was missed and revisit those areas to ensure compliance. Also, as a barometer of the overall control environment, companies may be wise to add emphasis to the most critical 10, 20 or 30 controls – the “safety net” controls – and ask for evidence much earlier than normal. If process owners cannot produce the requested evidence for Q1, that’s a pretty good indicator of a potential control failure that needs attention immediately.
Q: As new long-term solutions are implemented, what should organizations consider when assessing whether a new technology is in scope from an IT General Controls (ITGC) standpoint?
With so many new tools and technologies being implemented, both to accommodate remote work and automate outdated manual processes, companies need to be sure they are taking the time to consider controls, both automated and manual. How is the technology being used? Is it a repository? Does it have built-in workflow that the company is relying on? Obtaining SOC 1 reports from vendors should become even more important as a starting point.
Not every new tool or solution is going to be a long-term solution, but it is important to go through the control steps of analysis and documentation to ensure that all the bases are covered while the tool is deployed. Though documentation is important, avoid getting bogged down in inconsequential details; hone in on the real risks of the new solution. Try to determine whether the work being performed can be tied back to one of the four key transactional actions: initiate, record, summarize and report. If it doesn’t tie to one of those key verbs, it is probably not in scope for SOX purposes.
Shari Katz and Alex Conrad with Protiviti’s Internal Audit and Financial Advisory practice contributed to this content.