Internal Controls & SOX 2.0 in the time of COVID-19 || REVIEW-RESET-RESTART

Section 404 of the Sarbanes-Oxley (SOX) Act of 2002 requires the management of issuers to establish and maintain an adequate internal control structure and procedures for financial reporting, to perform an annual assessment of the effectiveness of internal control over financial reporting (ICFR) as of the entity’s year-end date, and to present its assertion as to the effectiveness of ICFR in the annual Form 10-K filing (referred to as “management’s assessment”).

Management’s annual assessment of the effectiveness of ICFR must be made in accordance with a suitable control framework. The majority of U.S. publicly traded companies have adopted the Internal Control—Integrated Framework (2013), created by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), as an example of a suitable framework. The article below summarizes the COSO 2013 Framework’s principles and the key aspects and check points that companies should consider as they work to implement the framework for SOX 404 purposes, as well as leading internal control practices.

However, there is a need to review, reset and restart internal controls and SOX because of the COVID-19 pandemic, which has affected commerce worldwide. No industry is immune to the repercussions, and all entities have been forced to identify new risks, prepare a response plan, implement new controls or augment existing controls, and monitor the effectiveness of internal control over financial reporting, all while critical human resources are working remotely.

Organizations now have to provide assurance about the true and fair status as at the balance sheet date (on or before, let’s say, January 20) and, after January 20, about the subsequent events after the set-off date. They also need specific controls in their overall control environment to cover subsequent events, together with mechanisms and ways of monitoring and reporting on those events. Thus entities may have to:

  • Revisit materiality considerations, scoping and risk assessment, and implement new internal controls or modify existing ones if required.
  • Reconsider design and implementation work already done pre-COVID, and possibly revisit it to cover the post-COVID period, including the approach for testing the operating effectiveness of controls.
  • Assess any breakdown in review-type controls or the inability of individuals to perform control duties because of absences or the remote working approach.
  • Consider how a lack of information may affect management’s ability to effectively operate controls.
  • Ensure that they have properly designed and implemented controls related to the selection and application of GAAP for the accounting and disclosure issues arising from COVID-19.

Restrictions on physical movement will change the audit evidence that is available for the operation of controls. A control may still be operating, but in a different manner, form, type and mechanism across geographies and processes. IT and IT-enabled services play a critical and pivotal role in mitigating the inherent risks generated by COVID-19, and controls can only be established through technology. How this can be facilitated is illustrated below with respect to the inherent risks:

  • Emergency changes need to be considered.
  • Controls over VPN access will become a key risk and need to be facilitated remotely.
  • Cyber incident management controls may become a key risk, and real-time tracking of incidents from remote locations should be activated and monitored.
  • Problem and incident management controls need to be added, and real-time solutions should be provided.
  • Controls over segregation of duties for changes in the ERP may change.
  • Access approval and change approval processes may move offline, so additional controls need to be added and executed immediately.
  • Super user access may be available remotely and to additional resources.
  • BCP controls will become a key risk.
  • Controls on access to shared folders may become key controls, as critical data may be recorded in Excel and access may be available to and shared with many.

We at ShineWing believe that business is managed by a triad of People, Processes, and Technology.
For any further related information or the way forward, our stakeholders may directly contact our technology partner, Ms. Yukti Arora, on the following contact details:

Email:  Mob: +91 9818248133