Keeping SOX on track when pandemic strikes
It’s been several weeks since COVID-19 entered our vocabulary and made working from home the new normal. I’ve spoken with many SOX professionals over the last month about the challenges of adapting to remote work and how they are responding to the impact of the COVID-19 pandemic.
In the forefront, SOX professionals are thinking about how to revise their risk management playbook for the year in response to the pandemic. Many SOX teams are also talking about the tools they need to collaborate with each other and stakeholders to execute SOX compliance effectively and comprehensively while working remotely.
These three areas are top of mind with SOX practitioners:
1. Does my scope represent the new reality?
Not many companies planned for a global pandemic. Yet the sudden business disruption and widespread economic volatility raise questions about the current scope of your internal controls. Your risk assessment may need to shift to reflect the new reality.
With the global supply chain upended by shortages, closed borders, and manufacturing companies retooling to make critically needed ventilators and personal protective equipment for health care providers, you may need to assess the risk of delayed customer orders because of supply chain bottlenecks.
As shelter-in-place orders roll out across the country, the economy has taken a breathtaking nosedive, taking a toll on revenues while expenses increase. Now would be the time to re-examine your materiality threshold to determine your in-scope financial statement line items and account balances. Additionally, bring to bear this new reality to update financial statement risk assessment, and identify in-scope areas resulting from heightened risk factors stemming from COVID-19 (such as availability of labor and physical access to sites).
2. Will I complete all the testing required?
SOX teams hit the pause button in March to pivot and adjust accordingly. The disruption from COVID-19 has meant a shorter turnaround time for annual SOX compliance, which has many SOX teams wondering if they can complete their controls testing on schedule. As teams embark on performing the fieldwork for the 2020 SOX program, here are three areas to consider as regards completing the annual SOX testing:
- Evaluate the controls and leverage prior-year testing and data analytics to manage sample sizes and strategize on test completion. For controls that have been tested in prior years with no exceptions, teams may consider a smaller sample size (provided no process or control execution changes have occurred from 2019 to 2020), for those newly scoped-in controls teams should adhere to sample guidance in place. Teams should leverage data analytics to identify and select samples. Hence, even with a smaller sample, teams can get greater confidence about results based on the analytically determined sample.
- Where possible, automate control testing. As teams finalize the SOX plan for 2020, assess if control testing can be performed using automation. Can the SOX team deploy a bot that can run the audit procedure on the samples selected and indicate exceptions? If they're not fully automating the test procedure, can the team automate test steps in the control testing and minimize the manual level of effort?
- Deploy resources across the audit team as needed. If there is a significant change in scope, resulting in substantial additional work for the team, the organization should consider moving low-risk audits to 2021 to allow for staff augmentation on SOX compliance efforts.
3. Will my 2020 SOX program satisfy external auditor assessment?
Your 2019 SOX program yielded an unqualified opinion from your external auditors; however, 2020 is not 2019. A major area of concern is that SOX programs will not satisfy external auditor assessment. This is the time for teams to engage their external auditors — align on external auditor expectations in terms of scope, coverage, adoption of accounting standards, and control test procedures as they relate to Information Provided by Entity (IPE) and address control objectives.
The COVID-19 pandemic will require SOX teams to pivot and adjust their program to the current business environment. The collective mindshare of SOX professionals to meet these new challenges and strategize on ways to align will be critical. The SOX & Internal Control Professional Group is a global forum for SOX professionals to share ideas and best practices. The group conducts an annual survey of the state of the SOX and Internal Control Market to arm members with relevant data, trends and topical issues for thought leadership. Please join the organization, and take the 2020 survey.
As we transition through the COVID-19 pandemic, and adjust to the 100 percent work-from-home format, SOX teams need the right tools to execute the compliance mandate effectively while working remotely. As teams perform SOX testing for 2020, the work from home reality highlights the relevance of the “remote readiness” aspect of internal controls. Are the controls in your organization designed to be executed by dispersed, remote, work-from-home teams? Is control effectiveness enabled in this new work format, or hampered? Should remote readiness be monitored and managed as a risk? As a capability, how do SOX teams develop risk agility and quickly pivot to provide value to internal customers where it’s most needed? This is a topic for further discussion.
When the dust settles, we will see SOX management in a new light.