Assessing SOX compliance risk in the coronavirus environment
As most accounting, finance and audit professionals are well aware, COVID-19 has thrown a wrench into business operations around the world. Offices once busy with staff sit empty as people have worked from home for the last several months. Considering that a number of well-known organizations have announced that remote work could become permanent for some of their employees, business won’t return to the “old normal” anytime soon, if ever.
Among numerous business activities, the pandemic is introducing changes — potentially significant ones — to the Sarbanes-Oxley compliance process. Of particular note to finance leaders and staff, we see growing numbers of controls requiring updates. Organizational and external market developments are altering what organizations need to audit and capture in control reviews.
This disruption is particularly challenging for the risk assessment process. Spring marks the traditional start of the SOX risk assessment season for calendar-year filers. With the 10-K and proxy statement filed, organizations typically kick off the next fiscal year’s compliance efforts with the annual risk assessment. Thus these activities are, or should be, underway.
The unprecedented velocity of change cannot be ignored or allowed to delay the risk assessment process. Regardless of the environment, risk assessments need to be updated following the second quarter of fiscal year 2020 and likely even more frequently as circumstances continue to evolve. Organizations must demonstrate that their SOX risk assessment and scoping reflect any material changes in the financial statements at the end of the current fiscal year. This new environment we are living in will push us more than ever toward real-time, dynamic risk assessments, rather than the typical annual update.
What to consider now
Here’s what we know: It’s important to stay the course with SOX compliance activities in 2020, even though these efforts will be a bit different this year. In fact, despite the global pandemic and its effects on businesses, no changes or leniency are expected in management’s evaluation of controls or compliance.
Knowing this, here are some practical considerations as companies perform their SOX risk assessments for fiscal year 2020:
1. Historical quantitative inputs to materiality calculations may not be sufficient. While the starting point for the fiscal year 2020 risk assessment may still be the final fiscal year 2019 financial statements, it is unlikely this input will be representative of what fiscal year 2020 financial results will look like for most companies. Forecasts, though they may still be in the process of being reworked, may prove to be the more suitable starting point. The usual measures such as net income before taxes are likely to be substantially lower for fiscal year 2020 and even negative for some companies. In such situations, other measures, such as EBITDA or revenue, may need to be used and several materiality scenarios assessed to determine the level of adjustment that would impact the earnings per share measurement.
2. New financial statement elements and locations may come into scope. With the results of the materiality calculation likely being lower than in recent prior years, there may be financial statement elements or perhaps even locations that will rise above the quantitative and qualitative measures typically used to define the SOX program scope. This may require additional judgment in the risk assessment process as well as planning to address these items in fiscal year 2020. Risk assessment conclusions should be clearly documented and supported. Perhaps there are current monitoring controls that can be adjusted to address the risks of these new processes or locations coming into scope in fiscal year 2020. If not, new controls may need to be implemented and tested in relatively short order for new scope areas. Additionally, if materiality has significantly decreased, thresholds or tolerances applied in controls, including management review controls, may need to be calibrated to the unique circumstances of fiscal year 2020.
3. The annual update to risk assessment and scoping may not be sufficient. The pace of change in response to the pandemic is like nothing we have seen before. Extended shelter-in-place requirements, changes to the definition of essential businesses, and responses by organizations to pivot from business-as-usual to address emerging challenges and risks show no signs of slowing down. Risk assessments will need to be updated following Q2 and likely even more frequently as circumstances change.
4. Filing status and deadlines may change. The current market volatility, coupled with the Securities and Exchange Commission’s recent changes to the definitions of accelerated and nonaccelerated filers, may result in changes to the filing status of a number of organizations to reduce the need for external auditor attestation. Companies should educate themselves on the recent SEC updates and pay close attention to where they stand on the June 30 measurement date (for Dec. 31 year-end filers). With the SEC also allowing for the extension of filings due between March 1 and July 1, and with many employees working remotely, it will be important to communicate updates to filing calendars and coordinate with the legal, investor relations and financial reporting departments.
5. A detailed fraud risk assessment is warranted. Some organizations include the assessment of fraud risk as a component of the overall SOX risk assessment. In a period of overwhelming change such as what we are experiencing today, there is a heightened risk of fraud. Recently, we have seen an uptick in fraud schemes perpetrated to take advantage of the current uncertainty at the same time that certain control requirements are being relaxed. For example, a dual signature is often required for transactions over a certain threshold. A company may temporarily suspend this requirement or may extend the deadlines for completion of account reconciliations — situations that create opportunities for fraud. Another consideration is technology that may have been deployed hastily to a newly remote workforce, but perhaps without the normal diligence to IT general controls coverage or with a mindset of enablement rather than restriction regarding user access. Organizations should consider the impact of these new exposures as part of a robust fraud risk assessment.
6. Coordination with external audit is crucial. As with all aspects of internal control over financial reporting, early and frequent communication with the external auditor on COVID-19 impacts is recommended. Management should review and obtain external audit agreement with the risk assessment conclusion and establish a practical cadence for updates in fiscal year 2020. Additionally, management should discuss how the timing and extent of audit procedures will be impacted and coordinate on the impact of any filing extension.
What to consider soon
While there may not be time to update all process and procedure documents in the near term, control descriptions should be updated to reflect changes to procedures and ensure testing occurs against these revised practices. Organizations may consider facilitating a control certification, even if off-cycle from their typical annual or quarterly frequency, to confirm control owners have adjusted control design and timing of execution to still mitigate risks and document their activities adequately. Once organizations return to the new equilibrium post-COVID-19, it will be important to reassess any temporary changes in control design and operation to ensure they continue to be aligned with the organization’s risk appetite.
What to consider eventually
Given the likely changes in the organization’s control environment, it’s important to start controls reviews early. SOX compliance teams working remotely may need more time to conduct proper reviews and gather appropriate evidence. As part of this, finance and audit teams need to focus on being problem-solvers. Organizations need solutions to new challenges emerging from the crisis, such as remotely conducting proper audits of controls as part of SOX compliance activities.
Above all, good communication is critical — with control owners, with management, with the external auditor and with the audit committee. We are seeing the changes in our businesses firsthand — we need to keep on the same page regarding plans, audits, deadlines and expectations.