||With potential negative impacts on revenues, net income and net assets, and as a result, potentially materiality, some companies could find new locations and accounts being “scoped in” that were not previously in scope. We could see multiple revisions and calculations, depending on the economy.
Many companies usually complete their risk assessment procedures in the first quarter of their fiscal year. These risk assessments drive both the internal audit and ICFR plans. Even though it is a best practice to leave some “unassigned” time in an audit plan for unanticipated events that occur, it is highly unlikely that companies would have considered COVID-19 to be as impactful as it has been, either positively or negatively.
Accordingly, companies may consider whether they need to reperform their risk assessment and change their plans, also accounting for the impact of the materiality considerations discussed above. We could see multiple revisions throughout the year depending on the economy.
||With travel restrictions in place, centrally-based teams that travel to perform testing should consider other staffing solutions and/or virtual technologies to complete testing.
|Remote Workforce and Impact to IT
New controls may need to be implemented and/or revised as companies start to modify IT access to enable remote workforces. New systems and platforms could be implemented to deal with the volume of remote workers. Controls will be increasingly relevant around the implementation of new systems and platforms, and the appropriate testing of moving programs from development into production.
Additionally, companies could see a spike in the number of calls from employees with remote IT issues; companies must ensure they have the resources to respond and the bandwidth to follow their ticketing and approval controls around changing roles/access, etc. Remote employees potentially working different hours may complicate the matter, depending on home situations, resulting in approvals taking longer to receive.
Potential reductions in force (RIF) and furloughs may occur and could require a significant amount of employee access to be removed or amended to certain systems. Companies should make certain that access change controls exist and function appropriately to effectively complete this potentially challenging control.
Another difficulty for companies with significant personnel changes is executing a “periodic review of access” control. This control is often considered an “umbrella” control, utilized by companies to mitigate other access control failures. Depending on the amount of changes, companies may need to increase the review’s precision and frequency.
Finally, companies will need to consider how “physical” or “in-person” controls like inventory observations can be performed via technology platforms like FaceTime, Zoom or Skype.
||Until now, companies may not have previously seen a need to furlough employees. Therefore, new controls covering everything from physical and system access to employee-related benefits and tax impacts may be necessary.
While controls around identifying and recording subsequent events are not new, additional thought should be given considering the velocity of changes in the business world during the first quarter of 2020. Typically, given the short time frame to file for accelerated filers, subsequent events requiring adjustments to the financial statements (Type 1 - recognized) are rare; this trend may be subject to change depending on rate of economic decline. Consequently, companies may need to conduct more detailed and precise review controls.
Additionally, controls around Type 2 (nonrecognized) subsequent events will also need to be at a greater precision in order to determine if items requiring disclosure are identified timely.
|Retention and RIFs
Companies reducing their workforce, potentially for the first time, may need to create controls in this area.
Additionally, with the inevitable request from management to operate with limited resources, companies may need to address the impact on segregation of duties.
|Forms 10-Q and 10-K
||Companies must pay increased attention to Item 4 and Item 9a in quarterly and annual financial statements, respectively. Additionally, management’s 302 and 906 certifications should receive careful consideration to safeguard that their disclosures are accurate, given all of the uncertainty and the resulting potential changes in internal controls. Controls in the financial reporting process/disclosure committee may need to be enhanced.
||Companies may need to reassess how segments are presented, and potentially re-cast, depending on how the business may now be looked at by management. Controls should exist over the data and also around the decisions made.
|Valuations/Fair Value Measurements
||Companies may need to revisit assumptions in valuations that involve external data. Internal controls will need to focus on the assumptions used and the process by which they are selected and effectively challenged by management.
||Controls over the assumptions and inputs into models should be considered, as well as overall liquidity, credit availability and uncertain future revenues. For some companies, these controls will be brand new.
Entity-level controls are also likely to be impacted by COVID-19. While certain policies and procedures around the communication and enforcement of integrity and ethical values are unlikely to be impacted, policies (and controls) around communication and assignment of authority and responsibility may be more impacted given the higher number of remote workers.
As mentioned above, controls over the segregation of duties are likely to be impacted. Therefore, companies should pay attention to this area, particularly to the precision of any access review controls.
Companies should also consider the effectiveness of other monitoring controls, including the ability to monitor the results of operations and even the effectiveness of a “remote” audit committee and other self-assessment programs.