This content was published prior to the merger of equals between BKD and DHG on June 1, 2022. See all FORsights for the most up-to-date articles, webinars, and videos.
Internal Controls over Financial Reporting (ICFR) and COVID-19
Public companies reporting on Internal Controls over Financial Reporting (ICFR) in their quarterly and annual financial statements must consider the impact of COVID-19 on their ICFR/Sarbanes-Oxley (SOX) functions.
The pandemic's impact will vary from company to company based on several considerations, including information technology (IT) infrastructure, industry, locations and existing financial process maturity. Some of the changes to an ICFR function may include the modification of existing controls and/or implementation of new controls that may not have existed previously. Almost all companies will need to review their internal control documentation, including their risk and control matrices, flowcharts, testing scripts, etc., based on changes in their processes. Companies must also consider the nature, timing and extent of how the function operates. A prime example of how the changes have been brought about by COVID-19 is evidenced in controls over the existence assertion of inventory. At the time of writing, most of the U.S. is operating under a stay-at-home order. Therefore, the question for many is: How will the control executer review a cycle count or wall-to-wall physical and complete the control activity remotely? We have heard anecdotal stories of companies using technologies such as FaceTime and recordings to evidence the performance of the physical inventory controls.
Following are some thoughts and example of areas likely to be impacted and how. These are intended for discussion and do not address items such as "completeness and accuracy," which are considered implicit in all internal controls.
Over-Arching Considerations for an ICFR Function
| ICFR Program Area | Possible Impact on ICFR Program |
|---|---|
| Scoping/Materiality | With potential negative impacts on revenues, net income and net assets, and as a result, potentially materiality, some companies could find new locations and accounts being “scoped in” that were not previously in scope. We could see multiple revisions and calculations, depending on the economy. |
| Risk Assessment |
Many companies usually complete their risk assessment procedures in the first quarter of their fiscal year. These risk assessments drive both the internal audit and ICFR plans. Even though it is a best practice to leave some “unassigned” time in an audit plan for unanticipated events that occur, it is highly unlikely that companies would have considered COVID-19 to be as impactful as it has been, either positively or negatively. Accordingly, companies may consider whether they need to reperform their risk assessment and change their plans, also accounting for the impact of the materiality considerations discussed above. We could see multiple revisions throughout the year depending on the economy. |
| Site Visits | With travel restrictions in place, centrally-based teams that travel to perform testing should consider other staffing solutions and/or virtual technologies to complete testing. |
| Remote Workforce and Impact to IT |
New controls may need to be implemented and/or revised as companies start to modify IT access to enable remote workforces. New systems and platforms could be implemented to deal with the volume of remote workers. Controls will be increasingly relevant around the implementation of new systems and platforms, and the appropriate testing of moving programs from development into production. Additionally, companies could see a spike in the number of calls from employees with remote IT issues; companies must ensure they have the resources to respond and the bandwidth to follow their ticketing and approval controls around changing roles/access, etc. Remote employees potentially working different hours may complicate the matter, depending on home situations, resulting in approvals taking longer to receive. Potential reductions in force (RIF) and furloughs may occur and could require a significant amount of employee access to be removed or amended to certain systems. Companies should make certain that access change controls exist and function appropriately to effectively complete this potentially challenging control. Another difficulty for companies with significant personnel changes is executing a “periodic review of access” control. This control is often considered an “umbrella” control, utilized by companies to mitigate other access control failures. Depending on the amount of changes, companies may need to increase the review’s precision and frequency. Finally, companies will need to consider how “physical” or “in-person” controls like inventory observations can be performed via technology platforms like FaceTime, Zoom or Skype. |
| Furloughs | Until now, companies may not have previously seen a need to furlough employees. Therefore, new controls covering everything from physical and system access to employee-related benefits and tax impacts may be necessary. |
| Subsequent Events |
While controls around identifying and recording subsequent events are not new, additional thought should be given considering the velocity of changes in the business world during the first quarter of 2020. Typically, given the short time frame to file for accelerated filers, subsequent events requiring adjustments to the financial statements (Type 1 - recognized) are rare; this trend may be subject to change depending on rate of economic decline. Consequently, companies may need to conduct more detailed and precise review controls. Additionally, controls around Type 2 (nonrecognized) subsequent events will also need to be at a greater precision in order to determine if items requiring disclosure are identified timely. |
| Retention and RIFs |
Companies reducing their workforce, potentially for the first time, may need to create controls in this area. Additionally, with the inevitable request from management to operate with limited resources, companies may need to address the impact on segregation of duties. |
| Forms 10-Q and 10-K | Companies must pay increased attention to Item 4 and Item 9a in quarterly and annual financial statements, respectively. Additionally, management’s 302 and 906 certifications should receive careful consideration to safeguard that their disclosures are accurate, given all of the uncertainty and the resulting potential changes in internal controls. Controls in the financial reporting process/disclosure committee may need to be enhanced. |
| Segments | Companies may need to reassess how segments are presented, and potentially re-cast, depending on how the business may now be looked at by management. Controls should exist over the data and also around the decisions made. |
| Valuations/Fair Value Measurements | Companies may need to revisit assumptions in valuations that involve external data. Internal controls will need to focus on the assumptions used and the process by which they are selected and effectively challenged by management. |
| Going Concern | Controls over the assumptions and inputs into models should be considered, as well as overall liquidity, credit availability and uncertain future revenues. For some companies, these controls will be brand new. |
| Entity-Level Controls |
Entity-level controls are also likely to be impacted by COVID-19. While certain policies and procedures around the communication and enforcement of integrity and ethical values are unlikely to be impacted, policies (and controls) around communication and assignment of authority and responsibility may be more impacted given the higher number of remote workers. As mentioned above, controls over the segregation of duties are likely to be impacted. Therefore, companies should pay attention to this area, particularly to the precision of any access review controls. Companies should also consider the effectiveness of other monitoring controls, including the ability to monitor the results of operations and even the effectiveness of a “remote” audit committee and other self-assessment programs. |
Example of Financial Statement Accounts That May Be Impacted
| Example | Description |
|---|---|
| Cash and Cash Equivalents | Companies may need to review their controls over transfer pricing and how they are impacted by the company’s immediate cash plans. |
| Accounts Receivable/Revenue |
With the risk of customers delaying or defaulting on outstanding invoice payments, the allowance for doubtful accounts models may need to be revisited and controls revised. Additionally, as new revenue streams are identified, credit checks over new customers and surrounding controls will be increasingly important. For some companies, controls around the physical receipt of cash may be impacted by a remote workforce. Companies may be required to establish electronic processes to receive and record the cash flow. Controls over access to bank accounts and segregation of duties could be impacted as well. From a revenue perspective, companies should consider how COVID-19 impacts changes to their revenue models and subsequent controls. For example, many brick-and-mortar stores are vastly increasing their online sales channels, as in-store revenue has plummeted. Companies may need to consider revising controls around data security, accuracy and confidentiality. |
| Inventories |
Controls around the net realizable value and capitalization of variances may need to be revisited, as inventory pull-through is impacted by the economy. Additionally, companies may need to reassess controls over the existence of inventory due to remote workplace issues. |
| Long-Lived Asset Impairments | Companies may need to test long-lived assets for impairment as events or changes in circumstances indicate that the carrying amount of an asset(s) may not be recoverable. The controls around the identification and timing of these events may need to be considered. |
| Goodwill Impairment | Companies must annually assess goodwill for impairment or more frequently when indicators of impairment exist. Impairment testing for goodwill is done at the reporting unit. As a result of changes in the business, companies may need to assess whether reporting units may have changed and what the controls are around that assessment. Companies should also consider controls around the timing and identification of indicators1. |
| Accounts Payable/Accrued Expenses |
Controls over vendor set-up, monitoring and reassessment may need to be revisited as vendors experience their own liquidity challenges. Companies that still receive paper invoices will need to consider how to operate remotely and whether they should transition to a shared-service organization or technology platform. However, there are control implications around modifying the process. Companies may also start to “manage” their payables by stretching payment remittances to customers. Controls around these changes in processes and practices may need to be revisited as well. From an expense perspective, companies may also start limiting expenses and/or lower approval limits for cash expenditures, as well cancelling training events/conferences, etc. All of these activities should have some controls around the approvals, which may require documentation and testing. Additionally, there are likely to be loss contingencies and exposures that may not have previously existed. Companies will likely need controls around identifying and recording these items. |
| Debt | With the increasing importance on cash flow, companies are likely to increase their indebtedness and drawings on lines of credit. However, at the same time, financial institutions are likely to be more conservative in lending. Controls around refinancing, obtaining waivers and debt covenants are likely to be impacted as well. |
| Taxes | With many tax accounts and positions based on projections and estimates, companies will have to assess the controls around these projections and estimates and consider the controls over adjustments. |
| Equity/Human Resources | Depending on the inputs into any valuation models around equity awards, controls over both the selection of assumptions and any changes in the calculations will be required. Additionally, controls over the reductions of any bonus and/or performance award accruals will likely be impacted. |
The above list is not intended to capture all ICFR areas that could be impacted by COVID-19, but rather attempts to demonstrate how ICFR functions will have to operate differently in terms of the actual performance of key controls and how companies test those controls and ultimately work with the external auditors.
One final consideration is the impact on internal audit, or the ICFR testers. From a tactical standpoint, companies are likely to see sample sizes increase due to heightened risks. Companies may also see more testing being pushed toward the “as of date” as a result of continued uncertainty throughout the year. Additionally, depending on how COVID-19 impacts a company’s operations, companies may note an increase in the number of deficiencies caused by: new controls implemented late in the year, increased sample sizes, and controls lacking a significant-enough period in place or instances to test.
1 Assuming the company has not elected the Private Company Council Alternative for accounting for Goodwill
