Learn 5 concrete steps to analyze how the COVID-19 pandemic has impacted your organization’s internal control environment and ensure that SOX compliance moves forward undisrupted in 2020 in this article by Mark Farage, Vice President, Operating Technology and SOX Compliance at RLJ Lodging Trust.
COVID-19 Pandemic Impacts on SOX Compliance
There is no denying the impact that the COVID-19 Pandemic (the “Pandemic”) has had on businesses around the globe. Businesses from small mom and pop run restaurants to large multi-national corporations have all been impacted in different and unique ways.
As a publicly traded company with the requirements of the Sarbanes-Oxley Act in mind, the impact is unique and the response must be equally so. With remote work in place, physical offices closed, travel curtailed, and various other activities occurring outside the “norm” SOX controls within your organization have undoubtedly been impacted.
5 Steps to Analyze Pandemic Impacts on SOX Compliance
Read on to learn 5 steps to analyze the impact and create a plan to move forward with SOX compliance for 2020.
1. Analyze Sox Controls to Make Preliminary Judgement on Impact
Have your internal audit, risk, or SOX department (depending upon who has SOX ownership) analyze the entire population of SOX controls (key and non-key) and make a preliminary judgment on the impact that the Pandemic has had on each control. Identify if the control has been impacted, what the impact is, and if the control has been modified or if a mitigating control has been developed to address the risk from the impact.
2. Meet With Process Owners & Document Impacts to Controls
Establish meetings with the process owners to review the preliminary assessment and to ensure the process owners have identified and appropriately communicated/documented the Pandemic impact on the controls they have responsibility for. Understand that this may be the first time that they have taken a moment to consider the impact, walk-through each control and have the process owner / control owner validate that each control is still operating as designed.
If the control has been impacted, document the impact to the control, the risk of the impact, the change to the control’s design, and any mitigating controls put in place to address the Pandemic impact risk. An example of this in action may be a segregation of duty control that has been changed due to work-at-home arrangements. It will be important to document the change, the segregation of duty impact, and any additional controls put in place to mitigate the associated risk.
3. Get External Auditor Buy-in on Your Control Impact Analysis
Share the complete Pandemic control impact analysis with your external auditors (and internal auditors as applicable) and get their buy-in. External audit will be keenly focused on a few key points:
- segregation of duty violations
- evidence of review controls
- information system changes (permissions / roles) to accommodate changes to the work environment
- new controls put in place as a result of the Pandemic
Let’s examine the “evidence of review controls” a bit further. Prior to the Pandemic, many review controls were evidenced by various drafts of documents, tick-marks, etc. With changes in work environments, certain review controls may now be performed remotely and electronically. As such, evidence will have to adapt but, still meet the audit standards. Thus, it will be important for review control owners to understand that their documentation may now have to consists of email chains, tick-marks on PDF documents, scanned documents showing tick-marks and / or evidence of review, etc. It is important to discuss these review controls in detail with your internal / external auditors, validate what they expect to see, and ensure that the control owners document their review appropriately. Going through this exercise now will decrease testing exceptions and complications.
4. Include a Pandemic-Specific Question to Your Internal Sox Certification Process
If you are conducting a SOX certification process internally, add a Pandemic specific question / certification that helps hold the control owners accountable. An example of this may be: “I have analyzed the impact that the COVID-19 Pandemic (the “Pandemic”) has had on the internal controls over financial reporting within my business process, that I have responsibility for, and have concluded that the Pandemic has not impacted or altered the design of or operation of the internal controls. If the internal controls have been impacted or altered, I have communicated the impact or alteration and worked to mitigate and document the impact or alteration.” If you are not conducting an internal SOX certification process at the control / process owner level, now is the time to implement one.
5. Reach Out to Third-Party Vendors to Validate Their Internal Control Assessment Process
Fifth, reach out to any of your vendors, contractors, etc. (including SaaS vendors) that are part of your company’s SOX compliance program and validate that they are going through a similar internal control assessment process. If they issue a SOC1 report, validate that they still plan to do so and create a communication schedule to check-in on that process monthly to ensure that there are no surprises communicated in the SOC1 reports when received. Ensure that you are setting the expectations that you expect them to communicate any deficiencies in their internal control environment that your company relies upon.
Taking the Right Steps to Ascertain the Impact of the Pandemic
These are steps that will get you moving in the right direction and help you ascertain the impact that the Pandemic has had on your organization’s internal control environment. Ensure that this process is repeated monthly or as the environment changes to ensure that SOX compliance, at your company, is not disrupted by the Pandemic.
Mark Farage serves as Vice President, Operating Technology and SOX Compliance at RLJ Lodging Trust, a hospitality-focused REIT. Mark has over two decades of experience focused on internal controls, SOX, and enterprise risk management; prior to joining RLJ, he was with Hilton Worldwide, FedEx, and Arthur Andersen.