SOX risk assessment in 2020

We are living in a turbulent world. But the SOX compliance requirements remain fairly static. It’s not as if the SEC is going to relax the requirements for companies to assess the condition of internal control over financial reporting, or that the PCAOB will reduce the requirement for the external auditor to provide their independent assessment.

Yet, there are issues and challenges that we need to consider.

Protiviti has done a decent job summarizing some of them in SOX Risk Assessment in the Time of COVID-19. (The text in italics is my addition to the author’s writing.)

I will come back to points of difference, even omission, later. Here are some highlights:

  • “Though forecasts may still be in the process of being reworked, they may prove to be the more suitable starting point” in determining materiality and which accounts and locations should be in scope. Note: that has always been best practice.
  • “Usual measures such as net income before tax are likely to be substantially lower for FY20 and even negative for some companies. In such situations, other measures such as EBITDA or revenue may need to be used and several materiality scenarios assessed.” This should be discussed with the external auditor. There is existing guidance on what to do when results are abnormal, including when there are losses.
  • “With the results of the materiality calculation likely being lower than in recent prior years, there may be financial statement elements or perhaps even locations that will” have to be brought into scope.
  • “…if materiality has significantly decreased, thresholds or tolerances applied in controls, particularly for management-review controls, may need to be calibrated to the unique circumstances of FY20.”
  • “This new environment we are living in will push us more than ever toward real-time risk assessment rather than an annual update.” The best practice that I teach has always been to check the materiality level and program scope quarterly.
  • “…it will be important to closely communicate updates to filing calendars and coordinate with the Legal, Investor Relations and Financial Reporting departments.” If the SEC makes changes to annual reporting and filing requirements, they should be studied to determine whether they change the timing or nature of year-end and other procedures.
  • “…technology that may have been hastily deployed to a newly remote workforce but perhaps without the normal diligence to ITGC coverage or with a mind-set of enablement rather than restriction regarding user access. Organizations should consider the impact of these new exposures in a robust fraud risk assessment.” While it is possible, even likely, that the nature and magnitude of fraud schemes may have changed, the same fraud risk assessment process as in prior years should be performed. The author highlights access controls, which should merit increased attention. However, the focus remains on the possibility of fraud that leads to a material error or omission in the filed financial statements – and this remains unlikely for most companies, even with a lower materiality level.
  • “Management should review and obtain external audit agreement with the risk assessment conclusion and establish practical cadence for updates in FY20. Additionally, management should discuss how the timing and extent of audit procedures will be impacted and coordinate on the impact of any filing extension.”

I only disagree with the author on one minor point: she says that April is when 12/31 year-end companies start their SOX planning. I teach best practice as starting no later than January. The earlier you plan and then start walkthroughs, the more time you have to perform them and a first round of testing.

What is missing that matters?

Just one point, with consequences.

The way in which people work has changed and probably will still be different for the rest of this year, if not longer.

That means that controls may be performed differently. The information needed by control owners may not be provided the same way, for example, when people are not working in close proximity.

It is important, therefore, to have every control owner revisit their controls and update the documentation now and as it changes during the year.

The changes in how controls are performed need to be shared with the SOX team so that an assessment can be made as to whether they remain adequately designed. For example, will evidence of the control being performed be recorded the same way, and how will work be reviewed?

In addition, the way in which the controls can and should be tested may have to change. It may not be possible to perform walkthroughs or tests of operation by observing how an individual works at home.

Common sense and thinking about what we are seeing now and are likely to see in the future will help us succeed this year, as it does every year.

We need agility in our thinking as well, being prepared to adjust as everything changes.

We are living in a turbulent world.

I welcome your thoughts.
