Management’s Reporting on the Control Environment During COVID-19: Extra Attention Is Required

Christopher Baumgartner, Associate Director Internal Audit and Financial Advisory

Organizations across all jurisdictions and industries have been faced with the difficult task of drafting and submitting their financial statements to regulators and banks during the COVID-19 pandemic. This has led to unique challenges and logistics to ensure appropriate personnel are connected and able to perform their duties and, ultimately, report to regulatory bodies with accuracy. Many companies have chosen to call out these challenges, either prospectively or retrospectively within Item 9A of their 10-K financial statements or Item 4 of their 10-Q financial statements, to appropriately capture the operational impact of the pandemic upon their control environment. As can be expected in a substantially remote environment, the threat of fraud, reduced visibility, and changes in review procedures have increased.

Throughout this crisis, the Securities and Exchange Commission (SEC) has been issuing guidance on best practices and its expectations for public filers. The primary focus of these communications from the SEC has been related to the following three tenets of company disclosure:

  • Where the company stands today, operationally and financially;
  • How the company’s COVID-19 response, including its efforts to protect the health and wellbeing of its workforce and its customers, is progressing; and
  • How the company’s operations and financial condition may change as the COVID-19 situation develops and the pandemic’s impacts become better known (in this estimate, historical information may be relatively less significant).

As a result of the unstable operating environment precipitated by the pandemic, external auditors have elevated their focus on the changes imparted upon the internal control environment in response to the crisis. Noted changes are result of a reduction in physical access to assets, impaired ability of management to provide remote oversight and detailed review, and growing concerns about cybersecurity risks in a remote working environment. Management will need to carefully scrutinize the current control environment and disclose these changes in a way that is appropriate and reflective of the identified risk to financial statements that could result from the changes. This is a critical process for companies to take part in even if the external auditor is not relying upon the company’s operating effectiveness of controls. Pervasive changes can have considerable impacts upon the external auditor’s substantive testing plan. The external audit firm will work to establish its full understanding of the control environment and subsequently reflect this in the risk profile it audits.

To assist companies in adequately capturing the impact of the pandemic on their control environment, we reviewed public disclosures from a broad population of companies, which can be leveraged for management’s conclusions within Item 9A, “Changes in Internal Control over Financial Reporting,” and Item 4, “Controls and Procedures.” These disclosures can be categorized into three buckets, reflecting three different levels of impact that can be communicated to the end user of the financial statements. We’ve described each level below and included an example disclosure for each category.

  • No changes to the internal control environment – As companies have begun to evaluate their control environments, some have determined that the impact of the pandemic was negligible and did not warrant further disclosure to auditors or the end user of the financial statements. From a disclosure perspective, companies in this position have noted no material impact to their company’s internal controls over financial reporting or their operations underlying their financial statements. It must be noted, however, that all companies in this class of disclosure have stated they will continue to evaluate this conclusion as the pandemic evolves and the operating environment remains in flux (disclosures also point towards Item 1A, “Risk Factors,” to highlight business disruption.)

    Example disclosuree.l.f. Beauty, Inc. (Form 10-K for period ended 3/31/2020)
  • Changes made to the internal control environment (immaterial impact) – Some companies have chosen to disclose that changes have not been made to their internal controls over financial reporting while also qualifying this disclosure with a statement indicating that they have made changes to the overall control environment to better address emerging risks associated with this period of crisis. Based on publicly available information, this disclosure has been used frequently to communicate to the end user of the financials that, although the financial statements are unaffected for now, the company remains nimble and is continually assessing/updating its control environment as business conditions change. These disclosures primarily focus on the safety and security of the company’s personnel, partners, customers and assets, and the company’s alignment with local and national government policies. They typically indicate that remote working has resulted in some modifications of control procedures; however, they are not material.

    Example disclosure LiveRamp Holdings, Inc. (Form 10-K for period ended 3/31/2020)
  • Changes made to the internal control environment (material impact) –Some management teams have determined the need to disclose in their financial statements material changes and deficiencies within their control environment caused by the events of the pandemic. Additionally, some of these companies were in the process of remediating previously identified material weaknesses when the pandemic hit and are now facing delays and disruption in their remediation timelines. As a result, significant disclosure is required to articulate how management is assessing material deficiencies in their internal controls over financial reporting, provide appropriate detail about the areas in the control framework where the deficiencies exist, and note management’s remediation plan and resolution timeline. The disclosed remediation plans are punctuated with solutions to pandemic-specific risks, such as data security, review procedures and oversight performed remotely; personnel needs; new policy requirements; and process and procedural redesigns. The degree of impact for this category of disclosure is highly dependent on the health of the industry in which the company operates and the resiliency of the company’s business model during the ongoing pandemic crisis.

    Example disclosure Telidyne, Inc. (Form 10-K for period ended 1/31/2020)

During this unprecedented time, it is critical for management to thoroughly examine the state of their control environment and be forthcoming with information in their SEC filings. Changes within organizations are occurring daily as personnel responds to new challenges and governmental orders. Ongoing evaluation of both the process and the personnel responsible for the control environment can ensure that companies’ SOX compliance programs are effective in reducing the potential risk of misstatement within their financial statements.

Shari Katz, Senior Manager with Protiviti’s Internal Audit and Financial Advisory practice, contributed to this content.

Add comment