​Evolution of Your Control Environment During a Global Pandemic

As the world continues to battle the novel coronavirus (COVID-19) outbreak and we all do our part to help flatten the curve, individuals and companies alike are taking steps to navigate this public health crisis.

At the same time, every one of us is asking the same question: What’s next? What’s next for our families and our communities? What’s next for small businesses and the people who run them? For large organizations and the millions who rely on them?

What’s next for our people, our customers? And what will it take to once again thrive?

To move forward, we will come together—as we always do—to define and create the best of what’s next.
 

Organizational Impact

Like many organizations, the top priority is the safety and well-being of people, clients, customers, families, and the communities in which we live and work. Seeing how people have taken care of each other in this difficult time gives hope that organizations will emerge from this stronger. To respond—and recover—from a crisis, companies and their boards must work quickly to minimize business interruption, maximize operational efficiencies, and assess cash flow and liquidity concerns. These assessments can lead to hard and life-changing decisions for their employees that are not taken lightly yet have a lasting impact.
 

Internal Controls Over Financial Reporting (ICFR) Impact

Current uncertainty continues to evolve, making it difficult for organizations to evaluate the impact on their control environments. As companies move to remote operations, or need to modify their workforce, an assessment over the control environment is required to  determine if it is operating as it had been prior to the rapid changes. These changes can impact the overall control environment including the design and operation of controls. The question organizations should be asking themselves is How has your control environment been impacted?

 

PHASE 1: PERSEVERE     Review and Adapt

 

In order to persevere, adapting quickly in today’s environment is key. As an organization, it is the ability to assess and adapt to the ‘new’ normal that will allow it to survive. Consideration of change should include:
Assess common core areas where change is likely to take place; PEOPLE, PROCESSES, TECHNOLOGY. Consider the following:

• Performance and Knowledge
  • Has the individual who initiates the transaction / analysis / procedures changed? Is there an adequate backup?
  • Does the individual who has assumed a new role have the appropriate knowledge and training to perform the task / analysis?
  • Are the policies and procedures in place up to date?
• Data & Systems
  • Has the information captured changed (process to record in the system, post, and retain)?
  • Do employees all have access to internet connectivity?
  • Is there appropriate backup and recovery of systems if network connection is lost?
  • Are access rights / logical access still appropriate and relevant for all financial systems?
  • Is there adequate cyber security and infrastructure to protect against attacks due to increased remote working?
  • Is the company following its change management/ SDLC methodology?
• Segregation of Duties (SOD) – Has the delegation of authority (DOA) for dollar thresholds and authorized individuals for approving transactions changed, management review and evidence?
• Third Parties – Has the vendor control environment been impacted?
• Fraud – What checks and balances are missing with the workforce working remotely?
• Entity-Level Controls – Has there been a change in the organization at the C-Suite level or tone at the top?
• Missing Controls – Are controls missing from a framework that were not previously required, do they require enhancement, update in frequency?
  • Impairment assessment control, going concern, valuation, subsequent events assessment, debt covenants, compliance with federal loan / grant documentation (CARES) and reporting, etc.
• Collaborate – Have other areas (Board of Directors, Audit Committee, Executive team, external audit, business process owners, Internal Audit) provided feedback on how their area has been impacted and what needs to change.

 

PHASE 2: MAINTAIN     Modify and Maintain

For gaps / risks identified in review, the following could be considered and performed:

• Validate the gaps and create mitigating actions to address them.
• Perform a risk assessment to evaluate if there has been a change to the frameworks in scope due to materiality (increase or decrease in revenue or assets), level of risk, or if there are process frameworks that need to be added or removed from scope.
• Perform a controls rationalization/optimization to determine if the gap or risk identified is a key control in current environment.
• Develop procedures or new controls to mitigate the gap / risk
• Can processes be automated? Can technology be leveraged?
• Is a new control required to mitigate the gap / risk?
• Does a risk of fraud exist due to the loss of an employee? Is another individual required for the process to fully satisfy review / segregation of duties / add another review in case of fraud?
• Is the gap or risk covered in another control?
• Consider the magnitude of the gap:
• Number of Controls Impacted - Single / Few Controls Affected or a Majority
• Type of Gap – Does the gap create a step that is missing in the overall process or a control deficiency? Does the gap add a risk or elevate an existing risk ranking due to a missing procedure below?
  • Authentication not performed?
  • Review not evidenced?
  • Data validation not performed?
  • Segregation of duties not performed?
• Assess what procedures are required to mitigate the gaps / risks and whether there are material changes to ICFR which require disclosure to the Board and or financial statements.

 

PHASE 3: RECOVER     Develop and Advance

Develop and advance, where necessary, the control environment process design, operation, and documentation.

• Develop a timeline of all the activities that are required to mitigate / remediate gaps identified. Milestones include:
  • Create new procedures/controls, add resources, or system parameters that would close the gap(s) noted in the design of control(s).
  • Update testing strategy for the new scope of locations and controls.
  • Document / update relevant policies, procedures, Risk and Control Matrix (RCM), narratives, process flow diagrams and test plans.
  • Develop training for those who are assuming new roles or may not have sufficient knowledge of the task they are performing, or new controls designed.
  • Implement these procedures in the control environment to remediate the design gaps / risks identified.
  • Test the remediation efforts to conclude if the controls are effective. If the gap or risk is not fully remediated, returning to phase 1 would be required.
• The milestones should be completed on an aggressive timeline as to provide enough time for remediation testing and validation.

 

PHASE 4: THRIVE     Update and Flourish

On-going monitoring and evaluation allow a company to update the control environment fluidly in an ever-changing world. When the implementation and remediation is complete, the process to evaluate controls on an on-going basis can be performed by management/co-source/outsource provider. This monitoring will consider if the changes made are adaptable to a changing environment or require further refinements. The on-going monitoring should evaluate the following areas and adapt and evolve the control environment to be fluid to events in the world:

• Timing – Start testing early to allow for a longer time frame due to new processes and controls and to possibly minimize the business disruptions.
• Restrictions – Implement remote testing, if possible, or be prepared to use limited on-site resources if the organization has implemented disallowance of travel and social distancing guidelines.
• Priorities – Focus on new process and controls as theses will need full process walkthroughs and documentation.
• Points of Focus – Enhance, review and/or incorporate Subject Matter Professionals (SMPs) to assist the organization in reviewing and understanding new regulations or complex accounting issues.
• Risk Assessment – Analyze and update the risk assessment when the economy and impacts of COVID-19 soften to determine if the scope (reduced or increased), as identified previously, requires adjustment.
• ICFR Program – Evaluate the overall program including:
  • Timeline – Is there enough time to complete all testing required?
  • Reporting Requirements and Disclosure
    • Have there been any changes to reporting requirements (i.e. extensions, exemptions, etc.)?
    • Are there any required disclosures to the Board of Directors, Audit Committee, or in the Financial Statements (SOX Section 302 Certifications), in regard to the change of ICFR?
  • High Risk Areas – Are there new high-risk areas identified that may require the use of SMPs?
  • Key Control Classification – Is the classification still correct, are there ‘new’ key controls which must be documented and tested?

 

Summary and Concluding Thoughts

The action steps outlined will help your organization to:

• Assess your control environment to identify any gaps or risks that are not addressed due to changes from COVID-19 by performing the following:
  • Control design assessments
  • Update risk assessment and scoping
• Evaluate the changes to the control environment and implement remediation procedures to mitigate gaps identified by performing the following:
  • Gap / risk mitigation plans
  • Collaborate with other departments / individuals across the organization
  • Update policy, procedures, and RCMs for the new normal
• Improve your ICFR program to be adaptable to impactful global or economic events
• Develop on-going monitoring and evaluation procedures to assess the ICFR program and continuously adapt to the changing environment

 

---