A lot of audit teams have been going back and reevaluating materiality based on changes and financial reporting results. All of a sudden there could be new entities, new account balances, or new applications that are in scope for the first time. Here are some approaches audit leaders are taking when reassessing materiality and reperforming the SOX risk assessment.
Audit teams at companies significantly impacted by COVID-19 are having discussions with the CFO and CAO about risk appetite and key controls. What are the top 25-30 controls that we want to make sure are effective? Are we OK with having a higher failure rate on others? Audit teams are having frank conversations about scenario planning to establish the organization’s risk tolerance at a time when there is a need to focus on certain elements of the business.
A frequent first step is to do a refreshed risk assessment, which will allow the audit and controls team to identify opportunities to shift resources to key risk areas and away from areas of less priority. For example, one team went through an assessment for each of the 17 COSO principles to understand COVID-19 impacts in terms of their risk assessment, impact to controls working remotely, impact on higher priority controls (such as MRCs, disclosure controls, budget/actual), as well as the level of precision attributed to each of the controls.
Reach out to your external auditor now to make sure you’re on the same page and proactively discuss any changes to the original approach. SOX leaders will benefit from working with teams internally first, then promoting their approach to external audit and working with them to fix any concerns. For example: a complicating factor for many companies this year is that significant deficiencies could be seen as Critical Audit Matters (CAMs).
If you’re going through the reforecasting process now, we don’t know when we’ll be out of the woods — June? November? Several audit leaders have reached out to their external auditors to discuss this topic. One piece of advice was to make sure you’re talking with management about how you’re coming up with expectations and assumptions that are used as the basis for review controls. Many of these will require enhanced documentation on the front end to validate how management is obtaining comfort around these assumptions instead of relying on prior year information.
One audit leader predicted that IT areas will feel a lot of pressure now that many people are working remotely, especially around authentication controls and cybersecurity. Now is the time for audit to educate around IT general controls before issues become critical.
One audit leader recommended asking what the greatest risks to financial reporting are that an organization is likely to face. Fraud keeps any external auditor up at night — and internal audit too. One audit team thought through different fraud scenarios that would be more common with people being remote and having a desire or need for cash. Then, they identified which transaction-level controls were in place to prevent and detect that potential fraud. These became higher priority controls, and the audit team communicated the elevation in importance to management and control owners.
“One of the things we’ve thought about given the current situation is the greater propensity for fraud given financial stress in people’s lives, so we’ve taken steps to implement some incremental controls to make sure fraud doesn’t become an issue. We’ve also seen an increase in phishing attacks happening across most companies. One common example is vendors supposedly changing bank accounts. To keep people on their toes with this, we had an education session about being aware while working remotely to stay vigilant and not fall prey to these scams. Cash is king right now, and no one wants to have preventable losses from a phishing scam.”
— Kenneth Garofalo, Director of Internal Audit at Lydall
Auditors have found themselves confronted with a host of unexpected effects from recent shifts to remote work and inability to travel — as well as changes to how control owners perform their responsibilities while remote. Consensus was that now is the time for internal audit to reach out and provide more communication, guidance, and support than they might under ordinary circumstances.
With many people working remotely, now might be a good time to do more hand holding with control owners than some might do ordinarily. Controls may be happening, but if the documentation is lacking it can lead to a control deficiency. Controls are of high importance to auditors, but they may not have the same priority for others working on the front lines. Reaching out to provide additional guidance and check in more frequently can help keep controls top of mind.
One audit leader brought up an interesting point that performing a control in a different fashion than people are used to could create a risk of error. For example, if someone is used to working with two monitors in the office, but while working from home is working on a smaller screen, is there a potential for them to miss something? Even if you’re already an electronic documentation workshop, working from home could impact the way control owners review some of their controls.
Using an audit management solution like AuditBoard enabled one auditor to build and send out a questionnaire to control owners to confirm that they are performing their control as currently stated, or if not, to capture, document, and approve those changes.
One member was from a global company that was embarking on their first year of SOX. For some international locations that had never done SOX before, the audit team had planned to travel for training. Now, they are figuring out how to teach Sarbanes-Oxley over video conferencing, and working with their external auditors on doing walkthroughs for the first time remotely.
“At this point, I’ve moved the entire team to a 100% remote auditing model. I started with my Asia team, but now, globally everyone is grounded. As a result, we pulled forward a lot of the work we can do while remote, and plan to defer the inventory counts and fixed asset verification procedures for later during the year. One outcome that it’ll be interesting to see is, what’s going to happen now that we’ve shown it’s possible to audit a much larger percentage of our operations remotely, way more than we’d ever managed before? Will this become the new normal for us going forward — though at a significant trade-off in losing the kind of interactions and relationships you can build with in-person audits?
Being remote has had less of an impact on how we work together. I’ve been working remotely for a while and my team is spread around different regions, so we’re used to virtual collaboration tools and communicating via Microsoft Teams, and Zoom calls. Recently, though, I’ve instituted an every other day Check In where we bring the team together to provide updates on audit status, issues with remote audits, etc. I think it’s helpful for people working remotely to have a routine, but these Check Ins are also a good time to motivate each other, build team rapport, and discuss fun things beyond just work.”
— Pedro Lay, VP of Internal Audit at Amphenol Corporation
Now, more than ever, internal audit should actively work to solidify their place as a critical business partner helping the organization achieve its goals amid crisis. Leveraging technology can empower internal audit to stay connected with SOX and audit stakeholders, centralize electronic documentation, and streamline administrative activities to free up more time for value-add audit work. By acting now to identify and get in front of upcoming pandemic implications for SOX — and across the organization — internal audit can be a trusted advisor to the business in a time of unprecedented uncertainty.