COVID-19 has pushed many businesses to rely on remote capabilities, and as companies continue to navigate the โnew normal,โ itโs essential to consider the impact the pandemic has had on internal controls over financial reporting (ICFR). Weโve compiled a comprehensive Q&A regarding how to manage your ICFR in the post-COVID-19 environment, whatโs changed in the process, and how employees can effectively manage their ICFR responsibilities remotely.
ICFR Requirements: Q&A
1. Has our responsibility changed over ICFR in the post-COVID-19 environment?
No. Management is responsible for establishing and maintaining the companyโs system of ICFR. This requirement hasnโt changed, and regulatory relief related to ICFR hasnโt been granted. For more information on requirements for ICFR,ย see theย Internal Control โ Integrated Frameworkย issued by the Committee on Sponsoring Organizations of the Treadway Commission (COSO).
2. What aspects of our internal control environment should we focus on now that we rely on a remote workforce?
Proper Segregation of Duties
With employees working remotely, or in situations where a companyโs workforce has been reduced, itโs important to maintain proper segregation of duties. If the review function of a control was shifted to a different employee, management should confirm that the employee doesnโt have access to systems that would impair an independent review. Ensuring the review function isnโt being performed by an employee who has the ability to process transactions on systems that are key to financial reporting (including the general ledger and any critical subsidiary systems) is a key pillar to ICFR. If management changed an employeeโs access to reallocate operational responsibilities, management should make sure any new responsibilities assigned donโt conflict with that employeeโs current review responsibilities.
Weโve detailed some examples of this situation to demonstrate its importance:
Case A
Company X reconciles all balance sheet accounts on a monthly basis, which are reviewed by the Controller. Due to the impact of COVID-19 on the Companyโs business, the Company had to lay off one of their staff accountants. As a result, the Company granted the Controller access to post to the general ledger to serve as a back-up in case the other staff accountant wasnโt available. Review of monthly reconciliations by the Controller would no longer be independent, as the Controller can post entries to the general ledger, resulting in a lack of segregation of duties.
Case B
Bank X granted Joe Smith, the Vice President of Loan Servicing, transactional capability on their loan system to help process the high volume of Paycheck Protection Program (PPP) loan applications. Joe is the primary reviewer of the daily loan file maintenance reports generated from the loan system. As Joe was granted the ability to transact on the loan system, his review of the daily loan file maintenance reports is no longer independent, leading to a lack of segregation of duties.
Review of Administrative Changes to User Access
Administrators on the general ledger and critical subsidiary systems have the ability to make changes to user access. As increased changes to user access are processed to react to the remote workforce, itโs important that the Company has controls in place to review administrator activity. Administrators on the general ledger and the critical subsidiary systems have the โkeys to the castle,โ and unauthorized or inaccurate changes to user access could result in increased risk to the Company. Companies should work with vendors of their key financial reporting systems to ensure that reports detailing administrative activity are available, and management should implement controls to make sure that administrative activity is independently reviewed.
Timely Reviews and Evidence of Review Completion
Itโs essential that reviews continue to be completed in a timely manner in order to identify any potential errors or unauthorized activity. Any delay in reviews could increase the risk of misstatements in financial statements. In a remote work environment, management may also need to consider how the review process is being evidenced. Electronic sign-offs or email evidence of reviews may need to be implemented as a substitute for manual sign-offs.
3. We had to make changes to our financial internalย controls due to COVID-19. How should these changes be documented?
An important consideration is whether there was a true โchangeโ in the control. In certain circumstances, an argument could be made that the internal control hasnโt changed, the individual performing the control did. An update to the control operator in the Companyโs documentation may be needed. However, if the Company had to incorporate new controls during the year, these controls should be documented within the Companyโs internal control documentation and appropriately tested.
4. We may have more exceptions in our control testing this year than in prior years. How will that impact the Company?
Any exceptions in internal control testing should be identified as soon as possible. This will allow the Company to respond to the exception and remediate any exceptions by year end. Exceptions that are not remediated by year end, or that impact a substantial portion of the year, may require communication to the Companyโs Audit Committee by either the internal or external auditors.ย Exceptions may also require further testing and procedures to be performed by auditors. Itโs crucial that management maintains open communication with those charged with governance throughout the year as it relates to ICFR and any identified exceptions.
Conclusion
With more companies engaging a remote workforce, a focus on ICFR is critical to ensure that the Companyโs financial statements are prepared in accordance with the applicable financial reporting frameworks and are free of material misstatements. Management should incorporate these comprehensive questions into regularly scheduled meetings to properly identify ICFR concerns and remediate any gaps in their programs.
