June 2, 2020
Reasons to Stay on Track with SOX/Internal Audit Controls During COVID-19
Reasons to Stay on Track
with SOX/Internal Audit Controls
by Marc Blythe and Sal Sarabosing
Imagine being the captain of a vessel navigating uncharted waters,
when you’re suddenly hit with an unexpected storm.
Would your first instinct be
to throw equipment overboard to trim weight?
Or would you maintain
the navigational assets and structural integrity
while weathering the storm?
Similar to the uncharted waters and waves of uncertainty, the COVID-19 pandemic of 2020 has forced corporations around the world to operate differently. As the impact of COVID-19 continues to disrupt business, there are many reasons why companies may overlook their compliance efforts with Sarbanes-Oxley 404 (SOX) and internal controls. Among them are focusing on employee/customer safety, working remotely, and anticipating a global recession. Many companies are experiencing significantly reduced revenue or have been forced to temporarily close their doors. This has contributed to disruptions in maintaining a strong controls framework.
Despite the change in circumstances, companies are no less obligated to fulfill SOX and internal control requirements. In a recent publication, the Public Company Accounting Oversight Board (PCAOB) has stressed the importance of the obligation to “comply with PCAOB standards and rules, and other applicable regulatory and professional requirements.”
Companies are asking, “Why should we maintain a strong controls discipline when we have so many other priorities to focus on right now?”
Blythe Global has identified three key reasons to stay on track with compliance requirements:
Contend with an evolving risk landscape
Maintain and safeguard assets/access control
Avoid mishandling of compliance requirements
- Contend with an evolving risk landscape
Changes to control ownership
In recent months there have been layoffs and furloughs, causing control ownership to change. Accounting teams are shrinking and often the personnel previously responsible for control activities have shifted. New employees are taking on different roles, sometimes with inadequate or limited experience.
If your organization has prepared to meet the necessary rigors of SOX, process documentation will require adjustments that reflect changes to the current environment. If not, you will need to update documents and stay aware of potential business process changes. Now is a good time to document for the current state.
Focus has shifted from controls to impairment analysis
The focus of many public companies has shifted from internal controls to impairment analysis. For companies with an established internal audit function, regular reviews are essential to determine if controls have remained sufficient for current needs.
When the business environment returns to a new “normal,” many companies will find that their controls have loosened, and they have not been keeping up with business process and technology controls. A primary concern is that weakened SOX programs potentially will not satisfy external audit assessments. This can result in auditors communicating adverse deficiencies, leading to reportable circumstances.
We will all get back to business at some point. If your company is ill-prepared, you will be in a compromised position where poorly executed controls create reporting and corporate risks. The reputational damage is irreversible.
- Maintain and Safeguard Assets/Access Control
Remote Access to Key Data
Many companies have cloud-based application solutions. With access decisions being softened, an accounting manager, controller, and CFO could potentially have all the same access to information. If you have a proper compliance program in place, you are periodically reviewing who has elevated access to sensitive information and where segregation of duties conflicts may exist.
If you do not have a compliance program in place, access management can be problematic. Too many people can make too many changes. Your system is vulnerable to misstatements or intentional errors because you are not aware of the access that individuals have within the organization. This can be mitigated by proper compliance and risk discipline. Segregation of duties is key.
- Avoid Mishandling of Compliance Requirements
The current environment of uncertainty has resulted in changes to business and risk profiles. Some companies are hiring lower level, less experienced, or offshore resources to handle their compliance requirements. If you work with someone who can’t add value to the process, your business will be unable to take advantage of opportunities to accelerate through the economic recovery.
Now is not the time to relax internal controls, this is the time to make sure they are comprehensively addressed.
1. PCAOB Spotlight – COVID-19. Reminders for Audits Nearing Completion. Available at: https://pcaobus.org/Documents/COVID-19-Spotlight.pdf
To learn more about Blythe Global Advisors, our solutions and BlytheTeam®,
visit the Blythe Global Web site or call us at the location below that’s nearest you.
Irvine (HQ) 949-757-4180 Los Angeles 213-228-5002 San Diego 619-391-7385
The newsletters published on this Web site, current as of the dates of publication, are for general information and reference purposes only. They do not constitute specific financial or accounting advice for individual circumstances and/or companies. Such specific financial or accounting advice should always be sought separately.