Skip to main content

How to Keep Your Internal Controls Healthy During COVID-19

Man with internal controls written in front of him

As companies adjust to the “new normal” of remote operations during the COVID 19 pandemic maintaining focus on the effective operation of internal controls is critical. The shift to remote operations will likely require adjustments to internal control processes and timely identification of those adjustments will be key to maintaining an effective internal control environment.

When evaluating remote operation of your control processes here are five things to consider:

EVALUATE CURRENT CLOSE CALENDAR AND CONSIDER THE IMPACT ON THE TIMELINESS OF CONTROL OPERATION

Consider risk ranking close and control activities to prioritize essential activities and pushing back or eliminating items that are not key  Be sure to contact third-party partners as early as possible to determine when (and in some cases whether) data will be available and adjust calendar accordingly.  Assess whether your company will utilize SEC report filing extension and how that impacts the close calendar and execution of controls.

IDENTIFY CONTROLS WITH MANUAL APPROVALS

Identify controls that document review/approval through hard copy sign-offs. Adjust the approval process for those controls to capture digital signature approvals or approval via email. Using a review template to document digital reviews/approvals can help ensure the capture of necessary review steps and consistent application. Remember that to properly evidence data that is being approved, referenced documentation should be attached to the approval email.

ADD NEW CONTROLS WHERE NECESSARY AND DOCUMENT CHANGES TO CURRENT CONTROL PROCESSES

Where manual controls cannot easily be adapted to a remote environment new controls may need to be created. For example, if a manufacturer has a quarterly control related to physical inventory count that will not take place for Q1, management should assess whether there are other inventory controls that could be added, or non-key inventory controls that might be reclassified as key, that would cover the risks addressed by the physical inventory count.

Maintain a list of deviations from current control processes necessitated by the move to a remote close process.  Management can use this list to assess the impact of changes to the control environment throughout the close process and to support required disclosures regarding changes to internal controls over financial reporting.

PAY CLOSE ATTENTION TO THE DOCUMENTATION AROUND ESTIMATES

Due to the social and economic disruptions caused by the COVID-19 pandemic, management estimates related to asset impairment and going concern evaluations will likely require significant revisions and enhancements. As these are areas the PCAOB has already identified as deficient in recent audit firm inspection reports, audit firm scrutiny of the control processes around asset impairment and going concern evaluations will likely be increased. Estimate assumptions and conclusions should be fully documented, and assumptions and methodologies should be consistently applied.

KEEP THE LINES OF COMMUNICATION OPEN WITH EXTERNAL AUDITORS

Lastly, engage with your external auditors early and often. Ongoing discussions with your external auditor related to changes in the operation of controls will ensure a much smoother remote close process and help you avoid any last-minute disconnects.

Bringing it all together

Transitioning to a remote environment will present many challenges to the effective operation of internal controls. By identifying obstacles early, adjusting processes where necessary, and keeping lines of communication open, you can successfully navigate the reporting and compliance challenges presented by the “new normal” of remote operations.

If you find your internal resources are overloaded due to the complexities and additional demands brought on by COVID-19, our Risk & Compliance team is ready to provide support. We have extensive experience in SOX compliance, internal controls, and risk assessments, and would welcome the opportunity to help your company succeed in these unprecedented times. Ready for a solution? Get in touch!

See 5 Quick Tips for IT Compliance & Data Security During COVID-19 for useful tips to meet IT compliance & data security requirements during a pandemic.

Helpful COVID-19 SOX and Audit Resources:

By

Georgia leads teams performing internal audit functions, including SOX 404 and PCAOB audits, audit and IPO readiness, process documentation, regulatory compliance, and other internal control and compliance projects.