Learn current top-of-mind concerns and pandemic response strategies shared by contemporary audit leaders in a virtual roundtable convened by AuditBoard’s Tom O’Reilly.
SOX Leaders on COVID-19 Pandemic Impacts, SOX Materiality, and Remote Work Effects on SOX
In mid-April 2020, I held a virtual roundtable with 15+ forward-thinking auditors to exchange ideas for responding to current effects from the Coronavirus (COVID-19) pandemic with a special focus on SOX. Consensus was that forward-thinking audit teams are finding ways to get ahead of the curve when it comes to impacts on SOX. Now is the time for audit to be agile and adapt to changing conditions — and to take a leadership role in helping to anticipate and communicate the implications of those changes for the organization. On a more personal level, audit can help bring normalcy to control owners who may be experiencing significant changes not only to how they perform their controls, but to their everyday work more broadly. Below, I’ve collected key points from our discussion about pandemic impacts to SOX teams, what’s in-scope for 2020, and how auditors are adapting to a remote work environment.
1. Pandemic impacts to internal audit and SOX teams:
What impact is the COVID-19 pandemic crisis having on audit’s resources to carry out needed SOX work — and other outcomes? Not unexpectedly, industry played a large role in how severely audit teams themselves were impacted. In industries harder hit by the effects of the Coronavirus, audit teams are facing a range of challenges around audit resourcing and effects stemming from furloughed workforces, while all audit leaders reported some alterations to business as usual resulting from remote work and other downstream effects. Below are some of the key points raised:
Audit Team Resourcing
While some teams have been unaffected, some are experiencing reduced and/or furloughed staff, and many reported hiring freezes or postponements — all of which will impact the ability to do deep dives. Teams that had aimed for a more even balance between SOX and audit work prior to the pandemic are having to cut their planned audits to focus on the required SOX work with reduced manpower.
Furloughed Control Owners
Even audit teams that have not themselves experienced staffing reductions may now have to deal with control owners being furloughed. One roundtable member has been going through her company’s furlough list and following up with management teams to find out who is taking over the control and whether it is still being performed.
Preparing Management for Increased Documentation
One audit leader had partnered with their external auditors to generate a list of sample questions for management review controls. For all disclosures they will have to consider for the year, the audit team trained the process owners on questions they may be asked. The audit team communicated that they will be expecting a high level of documentation to be available, knowing that there will be an elevated level of scrutiny for testing these controls.
Certifications at the Manager Level
Perhaps six or seven certifications throughout the organization are currently sufficient to make the CEO and CFO comfortable when signing 302 certifications. Consensus was that now we should be getting down to the next level to have control owners provide a certification confirming the execution of controls, or having them do electronic reviews if they did paper reviews in the past.
“Because of our businesses in China, we’ve been dealing with our response to COVID since January right around the Lunar New Year. When COVID started to spread beyond the Chinese border, we started asking what do we do about new and emerging financial statement risks, what and how controls should change to address those risk, and ultimately what do we disclose to investors. So, we started a rapid risk assessment to gather information about the many unknowns given the current situation. As part of the rapid risk assessment, we reached out to our largest entities to see what they’re doing on a control activity by control activity basis, what has changed, and what’s going to be permanent vs temporary. It’s helped us get a pulse on the current situation and emerging risks so we’ll be more prepared to respond appropriately.”
— Pedro Lay, VP of Internal Audit at Amphenol Corporation
“We’ve seen some impacts to our SOX team from reduced travel and more people working remotely. Internal audit has been doing a lot of outreach to teams about documenting control evidence in a remote environment. For people at manufacturing plants who are used to paper documentation, we’re educating them about how to document controls and leverage technology — particularly in this current pandemic environment.”
— Kenneth Garofalo, Director of Internal Audit at Lydall
2. SOX materiality and what is in-scope for SOX compliance in 2020
A lot of audit teams have been going back and reevaluating materiality based on changes and financial reporting results. All of a sudden there could be new entities, new account balances, or new applications that are in scope for the first time. Here are some approaches audit leaders are taking when reassessing materiality and reperforming the SOX risk assessment.
Reevaluate Risk Appetite
Audit teams at companies significantly impacted by the COVID-19 are having discussions with the CFO and CAO about risk appetite and key controls. What are the top 25-30 controls that we want to make sure are effective? Are we OK with having a higher failure rate on others? Audit teams are having frank conversations about scenario planning to establish the organization’s risk tolerance at a time when there is a need to focus on certain elements of the business.
Refresh Risk Assessment
A frequent first step is to do a refreshed risk assessment, which will allow the audit and controls team to identify opportunities to shift resources to key risk areas and away from areas of less priority. For example, one team went through an assessment for each of the 17 COSO principles to understand COVID-19 impacts in terms of their risk assessment, impact to controls working remotely, impact on higher priority controls (such as MRCs, disclosure controls, budget/actual), as well as the level of precision attributed to each of the controls.
Communicate with Your External Auditor
Reach out to your external auditor now to make sure you’re on the same page and proactively discuss any changes to the original approach. SOX leaders will benefit from working with teams internally first, then promoting their approach to external audit and working with them to fix any concerns. For example: a complicating factor for many companies this year is that significant deficiencies could be seen as Critical Audit Matters (CAMs).
Pandemic Impact on Forecast and Business Results
If you’re going through the reforecasting process now, we don’t know when we’ll be out of the woods — June? November? Several audit leaders have reached out to their external auditors to discuss this topic. One piece of advice was to make sure you’re talking with management about how you’re coming up with expectations and assumptions that are used as the basis for review controls. Many of these will require enhanced documentation on the front end to validate how management is obtaining comfort around these assumptions instead of relying on prior year information.
IT and Cybersecurity
One audit leader predicted that IT areas will feel a lot of pressure now that many people are working remote, especially around authentication controls and cybersecurity. Now is the time for audit to educate around IT general controls before issues become critical.
One audit leader recommended asking what are the greatest risks to financial reporting an organization is likely to face. Fraud keeps any external auditor up at night — and internal audit too. One audit team thought through different fraud scenarios that would be more common with people being remote and having a desire or need for cash. Then, they identified which transactional level controls were in place to prevent and detect that potential fraud. These became higher priority controls, and the audit team communicated the elevation in importance to management and control owners.
“One of the things we’ve thought about given the current situation is the greater propensity for fraud given financial stress in people’s lives, so we’ve taken steps to implement some incremental controls to make sure fraud doesn’t become an issue. We’ve also seen an increase in phishing attacks happening across most companies. One common example is vendors supposedly changing bank accounts. To keep people on their toes with this, we had an education session about being aware while working remotely to stay vigilant and not fall prey to these scams. Cash is king right now, and no one wants to have preventable losses from a phishing scam.”
— Kenneth Garofalo, Director of Internal Audit at Lydall
3. Impacts to internal audit teams from working remote and eliminating travel
Auditors have found themselves confronted with a host of unexpected effects from recent shifts to remote work and inability to travel — as well as changes to how control owners perform their responsibilities while remote. Consensus was that now is the time for internal audit to reach out and provide more communication, guidance, and support than they might under ordinary circumstances.
More Hand Holding with Control Owners
With many people working remotely, now might be a good time to do more hand holding with control owners than some might do ordinarily. Controls may be happening, but if the documentation is lacking it can lead to a control deficiency. Controls are of high importance to auditors, but they may not have the same priority for others working on the front lines. Reaching out to provide additional guidance and check in more frequently can help keep controls top of mind.
Performing a Control Remotely
One audit leader brought up an interesting point that performing a control in a different fashion than people are used to could create a risk of error. For example, if someone is used to working with two monitors in the office, but while working from home are working on a smaller screen, is there a potential for them to miss something? Even if you’re already an electronic documentation workshop, working from home could impact the way control owners review some of their controls.
Using an audit management solution like AuditBoard enabled one auditor to build and send out a questionnaire to control owners to confirm that they are performing their control as currently stated, or if not, to capture, document, and approve those changes.
Global SOX without Travel
One member was from a global company that was embarking on their first year of SOX. For some international locations that had never done SOX before, the audit team had planned to travel for training. Now, they are figuring out how to teach Sarbanes-Oxley over video conferencing, and working with their external auditors on doing walkthroughs for the first time remotely.
“At this point, I’ve moved the entire team to a 100% remote auditing model. I started with my Asia team, but now, globally everyone is grounded. As a result, we pulled forward a lot of the work we can do while remote, and plan to defer the inventory counts and fixed asset verification procedures for later during the year. One outcome that it’ll be interesting to see is, what’s going to happen now that we’ve shown it’s possible to audit a much larger percentage of our operations remotely, way more than we’d ever managed before? Will this become the new normal for us going forward — though at a significant trade-off in losing the kind of interactions and relationships you can build with in-person audits?
Being remote has had less of an impact on how we work together. I’ve been working remotely for a while and my team is spread around different regions, so we’re used to virtual collaboration tools and communicating via Microsoft Teams, and Zoom calls. Recently, though, I’ve instituted an every other day Check In where we bring the team together to provide updates on audit status, issues with remote audits, etc. I think it’s helpful for people working remotely to have a routine, but these Check Ins are also a good time to motivate each other, build team rapport, and discuss fun things beyond just work.”
— Pedro Lay, VP of Internal Audit at Amphenol Corporation
Now, more than ever, internal audit should actively work to solidify their place as a critical business partner helping the organization achieve its goals amid crisis. Leveraging technology can empower internal audit to stay connected with SOX and audit stakeholders, centralize electronic documentation, and streamline administrative activities to free up more time for value-add audit work. By acting now to identify and get in front of upcoming pandemic implications for SOX — and across the organization — internal audit can be a trusted advisor to the business in a time of unprecedented uncertainty.
Tom O’Reilly, CIA, is Director and Internal Audit Practice Leader with AuditBoard in Boston. Before joining AuditBoard, Tom was the Director of Internal Audit and Chief Audit Executive at Analog Devices. He is the Founder of the CAE Leadership Forum, a networking and training community for New England-based internal audit leaders. O’Reilly also currently serves on the board of directors of Easter Seals Massachusetts. Connect with Tom on LinkedIn.