With any major change or disruption in normal business processes, there will almost certainly be some impact on a company’s SOX controls. While the Covid-19 global pandemic is not just “any” major change, this global disruption to business as usual means that all corporations must re-evaluate their Sarbanes-Oxley controls to identify changes in control performance.
Here are a few things to consider as you navigate this process:
While you will ultimately need to evaluate all controls, you need to start somewhere. When prioritizing your list of controls, consider:
Direct, face-to-face interaction: Areas where controls required direct, face-to-face interaction between individuals have likely shifted, with technology now involved in the process.
IT security controls: Working from home is having a significant impact on IT security controls. Existing controls may be too restrictive where employees are forced to use their personal computers or cloud-based solutions.
Signatures: If you have not shifted to a fully paperless environment, you may still rely on physical signatures for some approvals. Any direct signatures are likely to have shifted, either to another form of approval or to electronic signatures.
The best - and maybe only - way to capture all of the changes happening will be to survey the individuals who are actually performing the controls. When issuing a control review survey, consider including the following questions:
Is the control being performed in the same way that it is currently documented? The most critical question is to understand whether the control is being performed as it is currently documented. Be sure to include the previous control design in your survey. (For policyIQ clients, a simple control review form process is available that will include the control documentation embedded within the survey.)
If no, how is the control being performed? If the control has changed, you will need to know how it is now being performed. If possible, set up logic in your survey such that if a control has not changed, the survey ends and the control owner does not have any additional questions to answer.
Are changes to the control related to changes in business operations due to Covid-19? While not a critical question, this will help you separate normal changes to controls that occur in the course of typical business from those that are specifically caused by the global pandemic. You may have reason to quantify the impact of the pandemic on your business, and the data collected can be extremely valuable.
Does the control address risk to the same extent as the previous control design? You need to know if risk is exposed. While the answer to this question may need to be reviewed by someone outside of the process, the opinion of the control owner will certainly be valuable input.
If yes, should these changes be made permanent? Some changes can be made permanent, such as a shift to electronic signatures or a paperless process. Only changes that address the risk at least as well as the previous control should be made permanent.
If no, how would you evaluate the exposed risk? Again, the actual exposed risk will likely be assessed by someone who is not as close to the process, but the control owner's assessment will be invaluable. If they believe that there is a high risk exposed, you may need to act immediately to engage an additional, mitigating control.
Now that you know what has changed, the Risk Control Matrix and other documentation need to be updated. For those already using policyIQ, updating the controls will ripple through all other documentation.
Document updated controls so that the temporary control performance is kept separate from the official control language. Particularly if the control will be performed differently at different times throughout the year, you want to capture both control descriptions separately.
Capture the date on which the control changed, so that you can correctly reflect the changes in audit testing.
Don't forget to communicate changes to internal auditors! Audit plans will need to shift to accommodate the alternate control performance. Notify your auditors as soon as possible to ensure that they have time to adjust their test plans.
We recently covered this topic during a live webinar. If you are interested in viewing the full recording, click here to access that recording. If you want to get started with a control review survey, contact us today and we'll be happy to help you on the rig