One of the Securities and Exchange Commission’s senior enforcement officials gave a pep talk in Washington this week about the importance of internal controls, and how a company should evaluate its internal controls this winter as the world tries to prevail over the disruptions of covid-19.
The official was Matthew Jacques, chief accountant in the Enforcement Division. He spoke Wednesday at the AICPA’s annual conference on public company reporting issues, and his primary message was that companies should pause to consider how the pandemic has changed your company’s operations and internal controls over the last two years. Moreover, as companies return to the office and some semblance of pre-pandemic operations, that doesn’t necessarily mean that your internal controls will revert to their previous effectiveness; you need to consider that too.
“During this time of transition, I encourage management to bring heightened scrutiny to their annual assessments of the effectiveness of internal control over financial reporting,” Jacques said.
For example, prior to covid-19, a large company might have held regular meetings with operations, accounting, and finance teams to review various projects. Those meetings might have included side conversations, or the easy ability to pull out a set of plans and review problems right on the conference room table. Then came the pandemic, and those meetings moved to a virtual setting.
OK, but what gets lost in a transition like that? Do tough conversations about potential losses no longer happen? Are judgments less certain or confident, because virtual attendees are less likely to speak up or are paying less attention?
And what happens as the company partly returns to the office? Do you understand who truly needs to be physically present, or how to accommodate a virtual attendee amid a room full of in-person coworkers? Should policies and procedures be updated to govern, say, management review controls, when some managers are in the office and others aren’t? How do you consolidate all your documentation, when half of it might be scribbled down in a live meeting and half typed up in a Zoom chat box?
Those questions will need answers sooner or later. Jacques was giving compliance professionals a nudge toward the “sooner” camp.
What Companies Have Said So Far
The real question here is whether changes that your company made to accommodate the public health risk of covid-19 then introduced new internal control risks, because those changes were rolled out so quickly in 2020.
So far, most companies seem to believe the answer to that question is no. For example, in the 2021 State of SOX/Internal Controls Market Survey, released in October, most respondents said the pandemic had no real effect on SOX compliance tasks such as status reports, certifications, and risk and control matrices; and imposed only mild difficulty with scoping, risk assessment, and testing. (Disclosure: I worked with Workiva and KPMG to write the report.)
What we don’t know, however, is whether covid-19 disruptions are a lagging indicator of internal control weaknesses. That is, perhaps deficiencies and material weaknesses were introduced during the chaos of 2020 — but those issues might go unnoticed until 2022 or later, when SEC comment letters, PCAOB audit inspection reports, and enforcement actions covering the pandemic period finally emerge.
It’s quite possible that external auditors were a bit more forgiving earlier this year as they were auditing 2020 financial results, since the pandemic imposed unprecedented disruptions on 2020 operations. Maybe your company kept revamping internal control over financial reporting this year too, and we’ll repeat the whole cycle in a few months as we begin to audit 2021 results. We don’t know.
Jacques also gave the example of internal audit performing site visits. Perhaps the internal audit team had made dozens of in-person visits around the world every year, and now has been performing virtual site visits for almost two years. “Well, what’s the impact of doing that for two years?” he asked. “What’s the risk that’s created by not having someone show up at a site in person for that long a period of time?”
After all, it’s quite common that an auditor visits a site planning to inspect one process, and ends up looking at another process that also caught your attention for some reason. If that chance for serendipity no longer exists in the virtual world, does that mean your risk assessment capability is diminished? Should you make up for it with more rigorous risk assessments elsewhere?
Those are all thought-provoking questions. Jacques’ larger point was that businesses need to start thinking about them, because we’re never going to “return” to the pre-pandemic world where we can implement our prior internal controls all over again. Rather, organizations are constantly evolving into a new world — one that will look quite different from the old even when the pandemic is gone for good.
For example, you might have…
- New risks around technology, if you implemented new cloud-based software to accommodate remote working;
- New risks around management reviews, if you restructured those reviews and approvals for a team physically separated and virtually collaborating;
- New risks around evidence and documentation, especially for critical accounting estimates where people are exercising judgment in isolation rather than the direct spotlight of a team meeting;
- New risks around control design, if you’ve undergone extensive personnel change as a result of layoffs, remote work, or even new hiring because, ya know, the economy is booming.
I don’t get the impression that Jacques and his team are perched at the SEC, waiting to jump all over your business because you weren’t perfect at the most challenging economic event anyone alive has ever seen. But they are looking for proof that you’re aware of the challenges and changes we’ve all endured in the last two years, and that you’re doing your best to address them. Plan accordingly.