Internal Controls over Financial Reporting: Post COVID-19

1. Has our responsibility changed over ICFR in the post-COVID-19 environment?

No. Management is responsible for establishing and maintaining the company’s system of ICFR. This requirement hasn’t changed, and regulatory relief related to ICFR hasn’t been granted. For more information on requirements for ICFR, see the Internal Control – Integrated Framework issued by the Committee on Sponsoring Organizations of the Treadway Commission (COSO).

2. What aspects of our internal control environment should we focus on now that we rely on a remote workforce?

Proper Segregation of Duties

With employees working remotely, or in situations where a company’s workforce has been reduced, it’s important to maintain proper segregation of duties. If the review function of a control was shifted to a different employee, management should confirm that the employee doesn’t have access to systems that would impair an independent review. Ensuring the review function isn’t being performed by an employee who has the ability to process transactions on systems that are key to financial reporting (including the general ledger and any critical subsidiary systems) is a key pillar to ICFR. If management changed an employee’s access to reallocate operational responsibilities, management should make sure any new responsibilities assigned don’t conflict with that employee’s current review responsibilities.

We’ve detailed some examples of this situation to demonstrate its importance:

Case A

Company X reconciles all balance sheet accounts on a monthly basis, which are reviewed by the Controller. Due to the impact of COVID-19 on the Company’s business, the Company had to lay off one of their staff accountants. As a result, the Company granted the Controller access to post to the general ledger to serve as a back-up in case the other staff accountant wasn’t available. Review of monthly reconciliations by the Controller would no longer be independent, as the Controller can post entries to the general ledger, resulting in a lack of segregation of duties.

Case B

Bank X granted Joe Smith, the Vice President of Loan Servicing, transactional capability on their loan system to help process the high volume of Paycheck Protection Program (PPP) loan applications. Joe is the primary reviewer of the daily loan file maintenance reports generated from the loan system. As Joe was granted the ability to transact on the loan system, his review of the daily loan file maintenance reports is no longer independent, leading to a lack of segregation of duties.

Review of Administrative Changes to User Access

Administrators on the general ledger and critical subsidiary systems have the ability to make changes to user access. As increased changes to user access are processed to react to the remote workforce, it’s important that the Company has controls in place to review administrator activity. Administrators on the general ledger and the critical subsidiary systems have the “keys to the castle,” and unauthorized or inaccurate changes to user access could result in increased risk to the Company. Companies should work with vendors of their key financial reporting systems to ensure that reports detailing administrative activity are available, and management should implement controls to make sure that administrative activity is independently reviewed.

Timely Reviews and Evidence of Review Completion

It’s essential that reviews continue to be completed in a timely manner in order to identify any potential errors or unauthorized activity. Any delay in reviews could increase the risk of misstatements in financial statements. In a remote work environment, management may also need to consider how the review process is being evidenced. Electronic sign-offs or email evidence of reviews may need to be implemented as a substitute for manual sign-offs.

3. We had to make changes to our financial internal controls due to COVID-19. How should these changes be documented?

An important consideration is whether there was a true “change” in the control. In certain circumstances, an argument could be made that the internal control hasn’t changed, the individual performing the control did. An update to the control operator in the Company’s documentation may be needed. However, if the Company had to incorporate new controls during the year, these controls should be documented within the Company’s internal control documentation and appropriately tested.

4. We may have more exceptions in our control testing this year than in prior years. How will that impact the Company?

Any exceptions in internal control testing should be identified as soon as possible. This will allow the Company to respond to the exception and remediate any exceptions by year end. Exceptions that are not remediated by year end, or that impact a substantial portion of the year, may require communication to the Company’s Audit Committee by either the internal or external auditors.  Exceptions may also require further testing and procedures to be performed by auditors. It’s crucial that management maintains open communication with those charged with governance throughout the year as it relates to ICFR and any identified exceptions.

Conclusion

With more companies engaging a remote workforce, a focus on ICFR is critical to ensure that the Company’s financial statements are prepared in accordance with the applicable financial reporting frameworks and are free of material misstatements. Management should incorporate these comprehensive questions into regularly scheduled meetings to properly identify ICFR concerns and remediate any gaps in their programs.