2020 was certainly a year for change in so many ways, not the least of which was companies adapting their internal controls to the stay-at-home orders resulting from the COVID-19 pandemic. Now, as many are considering bringing people back to the office at least part time, the internal controls environment is up for yet another change. Protiviti’s SOX Champions Network, a global network of Protiviti professionals who assist clients in building and adapting their SOX compliance activities, recently convened to discuss internal controls implications that businesses should consider as they plan to resume in-person work. While it may still be some time before organizations are ready for the back-to-the-office transition, it is not too soon to start planning. In this blog post, we cover three categories of control changes as we look forward: control changes introduced during COVID that are likely to stay, control changes that will still need to be adopted, and control changes to embed when reinstating historical controls.
Control Changes Likely to Stay
As controls were adapted to the remote work environment, there were some benefits gained that should be retained even after the return to the office. A prime example is in the area of management review controls (MRCs). In many cases, increased rigor was applied in the documentation of management reviews due to fewer in-person meetings as a result of the remote work environment. This beneficial enhancement to management’s evidence of control execution should remain going forward. As an added benefit, this enhancement may even positively impact future PCAOB inspection results, as MRC precision has remained an ongoing focus area for reviews conducted by the agency.
New areas that were in-scope for the first time during FY20, especially due to the economic downturn, may remain in scope for the foreseeable future. For example, rent deferral/abatement rose to in-scope status in 2020 at real estate companies, whereas it may have been lower risk previously. Many organizations may have spent additional time addressing controls in areas such as unique debt refinancing and covenant waivers, intangible asset write-downs, and going-concern analyses. Depending on the industry and speed of recovery, these analyses may continue to be required in future years. Companies should continue to periodically refresh their SOX risk assessment and scope to be responsive to changes in the business.
Due to the need to conduct walkthroughs remotely, many organizations used Microsoft Teams, Zoom or Webex and found these tools to be more efficient than the traditional in-person meeting format. Screen sharing allowed attendees to view supporting systems and documentation in real time. Many companies recorded these walkthroughs to reference later for control documentation and process map updates. Recording these walkthroughs is sometimes helpful to remind all participants of agreements reached in these meetings. While meeting organizers must be careful to follow certain protocols (for example, ask all attendees to agree prior to being recorded), this practice will likely continue even with a return to in-person work as it allows for efficient use of participants’ time.
Many companies updated their control sets to include reliance on automated workflows within their core systems. In cases where workflow was not an option, companies used different alternatives to electronically evidence formerly manual approval processes. Some used email for approval. Others adopted approvals via digital signature or a combination of printing, physically signing, scanning and emailing documents, and/or using Adobe Acrobat to provide review comments electronically. As tools like these reduce physical paperwork and enable retention of approval evidence securely, we anticipate these changes to continue even when employees return to work in person.
Remote work also created a heightened need for sharing documents electronically. Companies adapted by saving documents on a secured drive or exchanging information via email or company chat systems. This led to increased security awareness and guidance to employees. Organizations should and likely will continue to emphasize the importance of user access, security, and designating sensitivity levels to email and other documents to safeguard confidential or proprietary information from being accessed or shared inappropriately.
Control Changes That Will Still Need to be Adopted
In the rush to adjust operations to the new reality of remote work, companies did their best to mitigate risks in their modified control sets. However, some may not have documented formally what those modified controls look like in their process maps, narratives and risk and control matrices. SOX filers should take advantage of the post-year-end hiatus to revisit their documentation and make sure it reflects the revised controls. This includes documenting the enhanced MRCs noted above. In some cases, organizations had to hastily transition to electronic approvals and should take this opportunity to tighten security and increase formality of electronic signoffs, including operationalizing approval workflows in key in-scope systems. The leeway that auditors may have provided in accepting electronic approvals may not continue in the fully or partially return-to-office environment. If a deficiency is noted as a result of the modified controls, management should consider how they can redesign the control to mitigate the risk on an ongoing basis.
Control Changes to Embed When Reinstating Historical Controls
There are certain areas where external audit continued to require in-person work even during the pandemic. While we expect those areas to revert back to require in-person attendance for management as well, as we noted above, some adaptation techniques used during the pandemic yielded some unexpected benefits that can be carried forward into the post-pandemic control environment. Video observation/participation when onsite work is performed is one of these techniques. Incorporating video into physical inventory observations and to coordinate and direct remote teams or resources on site visits enhances communication and allows increased participation by management, external audit and internal audit. So, even as we all hope to resume in-person physical inventory observations and site visits in 2021, organizations may want to consider the incorporation of a video component to stay in touch with onsite teams. Another benefit of remote video observation is that it extends the reach of auditors to remote locations without incurring travel costs.
Overall, we are not seeing a trend of extensive new deficiencies as we wrap up FY20. Organizations rose to the challenge of the pandemic quickly, modifying and altering their control activities in a sufficient manner to prevent new material weaknesses from occurring. A silver lining to the extraordinary year we have all experienced is that some of the creative solutions organizations identified may continue to deliver benefits going forward. Planning early for the transition back to the office will allow organizations to harness these benefits as they continue to adapt their programs.
Kiran Gosavi, Senior Manager with Protiviti’s Internal Audit and Financial Advisory practice, contributed to this content.