Share

SOX Compliance in a Virtual Environment

The shift to a virtual work environment due to the COVID-19 pandemic has forced many businesses to react, adjust, and adapt at speeds they likely never have before. Although the existence of Business Continuity plans (BCPs) and leveraging technology have enabled a smooth transition to a virtual work environment, internal controls over financial reporting (ICFR) are necessary to support companies’ new processes and compliance with Sarbanes-Oxley (SOX) requirements have struggled to keep pace. Management has faced challenges in adopting newer technologies and tools at a faster pace that have led to potentially inadequate consideration of internal control requirements.

Given that one year has passed since the impact of COVID-19 was felt widely across the domestic US business environment, it is important to take stock of the key risks and corresponding mitigating steps arising from the pandemic’s impact.

Tone at the Top

The independence and autonomy of a virtual work environment can result in a lack of focus on internal controls, adherence to standard operating procedures, and an increased risk of control failure and/or fraud. It is difficult for managers to maintain the same level of supervision that would be present in an office environment. Therefore, it is incumbent on leaders to establish an emphasis on internal controls and best practices, support employee engagement, and instill accountability via enforcement of expectations and key performance metrics (such as # of control failures, timeliness of control execution, level of review, etc.). A dynamic risk assessment process should be implemented to identify and assess new risks as a companies’ people, processes, and technology evolve.

Control Review Procedures and Segregation of Duties

Independent review of calculations, control activities, and transactions may be less likely to occur at the level of precision when control preparers cannot walk down the hall to get their control owner’s review and sign-off. Leveraging software for automation can not only increase efficiency for overburdened staff but also helps enforce segregation of duties and ensure independent review occurs, where necessary. Also, automation often provides enhanced comfort over control(s) and reduces testing efforts for SOX practitioners and external auditors. When automation is not applicable or feasible, using digital signatures and even recording key calls or video meetings can produce easy to retain control documentation to satisfy auditor expectations.

System Access

Due to the digital nature of business operations in a virtual work environment, access to systems, data, and digital records is more critical than ever. Whether it is due to changes in the workforce or the need to shift or consolidate job responsibilities, many companies have had many user access changes to key data and systems more so than in prior years due to reorganizations. The more access changes that occur, the more likely that errors in the process result in users maintaining too much access and potential inadequate segregation of duties increasing the risk of fraud and/or ineffective control design. IT system owners and business users alike should ensure strong controls exist surrounding user access to critical systems and data.

Although the change to a virtual work environment was sudden, its impacts on the business landscape will be long-lasting and will require organizations to adapt to new ways of working.

SOX Preparedness

There are key steps companies can take to remain prepared for a permanent shift to a quasi or completely virtual work environment:

1. Implement a dynamic risk assessment process: Formal and informal risk assessment processes should occur on a continuous basis to properly evaluate new or changing risks. One-time, annual risk assessments may no longer be sufficient to keep up with a Company’s pace of change.
2. Evaluate IT systems to determine if more systems should be in scope: companies may be leveraging additional technology or its existing technology in expanded ways. Proactive identification of any newly in-scope systems will make scoping more accurate and allow for timely implementation of any new key controls.
3. Incorporate electronic evidence as part of SOX procedures: The use of digital signatures and Zoom call video recordings can help prevent avoidable control deficiencies.
4. Define timelines and precision of reviews: Clarify and communicate what reviews are required, when they are required, what the reviews should entail, and maintaining sufficient documentation.
5. Educate process owners: Process owners should understand how controls are being performed so that they can properly supervise personnel performing the day-to-day tasks and key controls.
6. Consult with internal audit, SOX consultants, and external auditors: SOX experts can evaluate changes, recommend enhancements, and help with the implementation of risk and control processes to support a virtual environment. And external auditors should be consulted so that companies can understand and react to auditor expectations.

The SOX impact resulting from the change to a virtual environment should not be a painfully expensive, time-consuming, or wasteful compliance exercise. While new controls may need to be evaluated and implemented, properly focusing these efforts can improve the efficiency and effectiveness of companies’ risk and control environments and SOX Compliance programs.