Pandemic Impacts on SOX: Tech to Tackle the 4 Biggest Challenges
What can your SOX team do now to help define the next 6 to 12 months, no matter how the Coronavirus (COVID-19) pandemic unfolds? AuditBoard’s Tom O’Reilly spoke with industry audit leaders about what they are currently experiencing and how their audit teams are leveraging technology to gear up for the coming months. Read on to learn more, and watch the on-demand recording of our “Audit Department Strategy for Responding to the Current Pandemic Crisis” webinar for concrete ways audit teams can support their organization during this pandemic crisis.
How to Mitigate the Pandemic’s Impact on SOX Compliance
As is almost certainly true for any auditor, I’ve had an unbelievably busy week adjusting to the changes stemming from the Coronavirus (COVID-19) pandemic. I’ve spoken with 30+ audit leaders in the past ten days about how they’re managing continuity of their audit team’s operations and how to succeed in this new environment in which we find ourselves. During these conversations, the topic of Audit Management Technology kept cropping up as a key solution to the known and unknown problems that could occur for SOX compliance in the upcoming months. This article collects some common viewpoints on challenges COVID-19 is causing for SOX compliance personnel and how audit leaders are using technology to respond to the effects of the current pandemic crisis, including preparation for its aftermath.
4 Challenges COVID-19 is Causing for SOX Compliance Personnel
1. Reduced Audit and Control Owner Travel
Most Internal Audit leaders have agreed that COVID-19 is not going away anytime soon. While the “curve may be flattened” in the next two to three months, it is likely that the disease will still be prevalent. When companies reopen up their doors for the “new normal”, those with SOX responsibilities may be expected to return to office work or resume their busy schedules in still-hazardous conditions. The SOX team will need to pick up and carry out their work — but auditors and control owners are not going to be eager to jump on a plane and start control testing at in-scope locations. An Audit Management Solution purpose-built for controls compliance will help ensure the safety and wellbeing of auditors and control owners by eliminating the need for travel and allowing for SOX compliance activities to be completed from home.
Even worse, can you imagine a scenario where your team suffers attrition as a result of an employee having to choose between audit-related travel and their own health and safety? An Audit Management Solution that decreases the need for auditors and control owners to travel or go into the office will prevent a Chief Audit Executive (CAE) from having to ask team members to put themselves in danger.
2. SOX Teams Starting Behind Schedule
We also know that once we get back to our “new normal”, audit teams will have missed valuable interim testing time and are going to be behind. Teams still operating on spreadsheets and shared drives are likely to be behind schedule throughout the entire year as they try to get back up to speed while dealing with version control issues, lack of testing and remediation workflows, and inefficiencies in reporting. An Audit Management Solution that enables auditors to continue working from home will reduce the break in rhythm, and the efficiencies gained by leveraging audit technology will help teams catch up more quickly to ensure the continuity of their control assessments and SEC filings.
3. Audit Activities Are Getting Delayed, Leaving Auditors with Time on Their Hands
Audit teams want to help their companies, but it’s easy for auditees to justify delaying being audited for the next several weeks as they help the organization respond to the effects of COVID-19. The CAE and perhaps Corporate Controller are likely helping out with business continuity operations, and helping executive management show that their companies are meeting revenue goals, managing human resources, and maintaining or trying to decrease costs — but the rest of the audit team may not be able to do much at this time.
Right now is an opportune time to implement an Audit Management Solution. The vast majority of AuditBoard’s implementations are done remotely — so getting a remote team up and running in 3-4 weeks is the norm. Auditors waiting for audit activities to resume likely have a window now to spend on implementation and training. By using this time wisely to implement enabling technology, audit teams will be better positioned to respond to business needs quickly, efficiently, and effectively when the workload picks back up in the coming months.
4. Possible Need for Alternative Forms of Supporting Evidence
As a company made of auditors, we keep a pulse on the profession through our conversations with audit leaders and consulting partners including Protiviti, RSM, the IIA, and other sources of relevant SOX information. As we publish this, we have seen no evidence on the SEC website or from SEC thought leaders that there will be changes or delays to SOX compliance requirements in 2020 for companies with fiscal year ends on December 31. One reason could be that the SEC is focusing on potential changes for 2020 filers with earlier fiscal year end dates. Another could be that we are 11 months away from 12/31 filers and we could be in a “wait and see” situation.
Some foresee the potential for leeway from the SEC on the level of supporting evidence to be collected by management and the external auditor for their control attestations at year-end. It may be more difficult for control owners to access the office to get paper documents as supporting evidence. We expect that this could increase the reliance on alternative forms of evidence. For example, could external auditors rely more on control certifications and self-assessments from controls owners in lieu of providing physical supporting evidence of transactional controls? Would it be easier for control owners to include detailed written procedures as evidence that the control was performed? Could external auditors be more open to relying on video, audio, and pictures in lieu of performing their observations testing procedures?
As we learn new developments from the SEC, PCAOB, and our network of SOX thought leaders, we’ll continue to relay our expectations back to the audit community. Throughout the current Coronavirus pandemic and its aftermath, AuditBoard can help with your efforts to keep your team away from harm by reducing the need for travel, office visits, and face-to-face interactions.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.