SOX compliance has changed as a direct result of COVID-19. Concerns over COVID-19 continue across the country, and many companies have fully shifted to remote work. While this change is necessary to maintain business operations, it can put internal controls at risk and make SOX compliance a challenge. Adjusting internal control processes as quickly as possible can prevent disruptions to the remote close process and protect businesses as they move to a remote work environment.
Reprioritize Close Activities – Conduct an evaluation of your close calendar to determine how remote work will impact control operations. Create a risk ranking for close activities and controls to reprioritize which activities are essential. It may be necessary to delay some items or eliminate them altogether if they are not necessary at this time.
Evaluating close activities as soon as possible is crucial to properly alert any third-party partners that will be impacted. Data may not be available in a timely manner, and you will have to adjust your close calendar as a result. If your company plans to use the SEC report filing extension, this can also impact your close calendar, internal controls and SOX compliance.
Adjust Manual Approval Processes – Internal controls that require manual approvals, like hard copy sign-offs, will need to be adjusted for remote work. In order to accommodate the new environment, you will need to enable the use of digital signatures or email approvals. Creating a template for review can help streamline the digital approval process and ensure approvals are handled consistently. Be sure to include any requirements for reference documentation in the approval process.
Implement New Internal Controls – The shift to remote work may make some internal controls impossible. If a manual control cannot be adapted, it might need to be replaced with a new control. Controls such as physical inventory counts that cannot be conducted during this time will need to be supplemented by inventory controls that can be conducted remotely. In some cases, you can transition non-key controls to key controls to make up for manual controls. By adding or reclassifying controls, you can reduce the risk associated with missing controls.
Documenting changes made to internal controls is crucial. Keep a record of any deviations from existing controls brought on by a remote work environment. This record can be referenced later by management to determine how changes impact the business.
Document Estimates Carefully – A shift to remote work due to COVID-19 concerns will likely result in revisions or enhancements of management estimates. Asset impairment and going concern evaluation are identified by the PCAOB as deficient areas in audit firm inspection reports. Scrutiny of internal controls related to asset impairment and going concern evaluation will increase in a remote work environment making it necessary to carefully document estimate assumptions and conclusions. Documentation also makes it easier to apply these assumptions and methodologies consistently across the board.
Communicate with External Auditors – Changes in internal controls can cause disruptions during the close process, especially in a remote work environment. By engaging external auditors early in the process and maintaining open lines of communication, you can limit disruptions throughout the process. Your remote close process is likely to be smoother and free of last-minute disruptions that could disconnect the process.
Reinforce Effective IT Controls – Remote work opens companies up to considerable IT security risks. During this time, it is crucial to reinforce policies and procedures related to IT controls. Regular IT security training can keep employees up to date with safety practices and behaviors. You should also remind employees of their responsibility when it comes to effective IT controls and make your policies clear to avoid confusion or disruption.
Document System Access – Access controls are another important area of focus in a remote work environment. Approvals for system access should be documented, and access should be removed as soon as it is no longer needed. Even an email record of access approvals can help maintain secure networks and data. As employees move to remote work, users are likely to request system access more frequently. Documenting login information can help ensure the right people have access to the right systems.
Keep Confidential Information Protected – The protection of confidential information changes drastically in a remote work environment. As employees have more access to personal computers or store confidential information in their home, securing data is essential to the health of a business. Make sure employees never use personal email accounts or personal devices for work because security could be compromised.
You should also make sure that employees have proper storage available for confidential information in hard copy documents and secure disposal methods for when the information is no longer needed. The process for saving passwords, requesting proper access controls, and obtaining account approval should be clearly defined for all members of your team and be an integral part of SOX compliance.
Invest in Encryption – With employees at home, network security may be lessened when compared to corporate networks. Home wireless networks should be secured to prevent data security issues, and public Wi-Fi should not be used for business purposes. Encourage or require employees to implement Wi-Fi network encryption for their home network, and provide clear tutorials or instructions to do so. All online tools used for business purposes should be approved by the IT team and have HTTPS/SSL encryption enabled.
Sooner is Better Than Later – The transition to remote work occurred quickly for many businesses as a necessary step to stay operational. However, it is important to identify obstacles with internal controls as soon as possible in order to maintain SOX compliance. Recognizing issues and making adjustments early can help prevent challenges with reporting and compliance.
As companies settle into a remote work environment, internal resources may seem overwhelmed. K-38 Consulting provides support and resources from experienced financial professionals. Let our team assist with the transition to remote work and adjusting internal controls accordingly.