There have undoubtedly been changes to the risk landscape, both externally from volatility in markets and internally through changes to business operations. Some of these changes may result in new risks for your organization, or simply cause a reprioritization of existing ones due to increases in the velocity with which they can occur and the impact that they can have.
Risk teams must consider the impacts of the rapid changes that management undoubtedly had to make during this time, and they must be vigilant in understanding where controls have operated differently within the newly decentralized and remote environment.
Key Considerations
1. Manual controls are at the highest risk for not operating as intended, therefore creating increased exposure.
If the organization was working to address known control weaknesses, those weaknesses likely increased at the onset of the crisis. Work with management to understand where these potential vulnerabilities are, ensure that the proper mitigation plans and remediation timelines are in place, and provide recommendations to automate controls where possible.
2. Changes in key personnel have an impact on the control environment.
Where reductions in force have occurred or are planned, understand whether segregation-of-duties issues have been created and what compensating procedures can mitigate this risk. Additionally, identify controls that have had a change – whether temporary or permanent – in control ownership. For all personnel taking on new responsibilities, ensure that there is proper training to enable proficiency and success.
3. Impacts to controls that are in-scope with SOX compliance will need to be evaluated throughout the year.
Where these review and approval controls are manual, how has management evidenced this process in a remote fashion? Will the revised process be enough to prove the integrity of the control (e.g., is typing one’s name in an Excel cell sufficient to demonstrate a review and sign-off)? Moreover, ensure that the control owners have updated the impacted control descriptions to minimize issues when the external auditors begin conducting their testing.
The Public Company Accounting Oversight Board (PCAOB) is not relaxing its standards on the audit firms, so companies should anticipate the same level of control scrutiny, and in some cases increased focus, by the external auditor.
4. A reassessment of the control environment will ensure that the benefits of controls continue to outweigh the costs of managing the risk.
Depending on what changes your organization has undergone, reduced business in certain areas may warrant streamlining or reducing certain controls. For example, due to changes in business, the materiality of key financial statement line items may warrant downgrading a control from key to non-key. Conversely, it could mean that there is higher inherent risk in a process (prone to fraud), which might require that additional controls be added. Organizations may choose to refresh their annual risk assessment in light of current conditions.
5. New controls may be required to address a virtual workforce and associated risks.
With a virtual workforce comes a new risk universe that most organizations have not considered. Evaluate the need for advanced cybersecurity controls to address remote work technologies and the evolving threat landscape, as well as any additional fraud controls required.