Is COVID-19 Infecting Your Internal Control over Financial Reporting?
Various Risks to ICFR Due to the Coronavirus
Tuesday, May 12, 2020
By Michael Ussery, Partner of Kral Ussery LLC as published by CorporateComplianceInsights.com
The rapid closure of many “nonessential” businesses and government orders to “shelter in place” have had unprecedented impacts on businesses of every size and shape. Businesses have shuttered offices or significantly reduced office personnel. As a result, most office workers, including accounting and financial reporting staff, have been forced to work from home. This migration has not only impacted where employees work, but how they work. Many companies have been forced to implement temporary workarounds for processes and procedures that worked smoothly in a cohesive office environment but may be ill-suited for a home-based workforce.
Remote work arrangements have also raised new potential challenges and fraud risk. The onset of the changes was so quick that few companies had sufficient time to react. In a matter of a couple of days, many companies had to migrate from office staff working cohesively in a closed office environment to a virtual home environment. Some employees had company-issued laptops and others had personal computers at home that were set up for remote work, but many staff had no alternative but to unplug their office desktop and connect it at their home location.
Exacerbating the stress on the control environment are additional business, financial reporting and disclosure challenges brought about by COVID-19. In response to the significant impact of COVID-19, the Chief Accountant of the SEC stated, “as we face these challenging times, investors and other stakeholders need high-quality financial information more than ever…” Moreover, SEC registrants continue to be required to disclose material changes in ICFR each quarter in every 10-Q and the 10-K for the fourth quarter.
ICFR and a Remote Workforce
Maintaining Adequate Review and Supervision Processes
Interpersonal interaction can represent an important element of staff training and supervision and thereby can be critical to maintaining effective ICFR. The benefits of informal interpersonal connectivity to asking questions, getting direction and sharing information are immense, but they may be overlooked in the age of computers. As workforces have become more dispersed in response to COVID-19, managers and supervisors should continue to encourage staff to ask questions and should foster informal, open lines of communication through phone, text or company instant messaging apps. Additionally, to the extent supervisors regularly held staff meetings pre-COVID-19, such meetings should now be held regularly through video conferencing.
Supervisors and managers would be well advised to stress the importance of ICFR at meetings and openly discuss and document workarounds that may be required as a result of the changes brought about by COVID-19. For example:
Maintaining Efficient and Effective Processes
As the physical and mental separation between work and home life has disappeared, family obligations may give rise to inefficiencies that could adversely affect ICFR. Many staff may have school-age children at home who have been subject to the same shelter-in-place orders, often leading to stressful situations when employees are pressed to meet deadlines. Under such circumstances, some employees may be tempted to take shortcuts or forgo certain controls altogether.
Illness of all types can also adversely affect the effectiveness of ICFR. While the world’s attention is focused on COVID-19, other illnesses continue to occur. In a normal office environment, a staff absence due to illness or need to be a caregiver to an ill family member is obvious, triggering alternative procedures to meet the ICFR duties of the absent employee. However, in a 100 percent remote-working environment, supervisors may not be aware that a staff member is unavailable to perform key processes or review procedures on a timely basis. Many companies utilize checklists or similar procedures to monitor control activities, especially for time-sensitive processes such as month- or quarter-end closing. Companies would be well-advised to continue the practice (modified for remote application, if necessary) or implement such policies if they are not part of the company’s normal practices.
Managers should recognize that maximizing efficiency may require flexibility in terms of work hours. Some supervisors monitor login activity as a means of supervising staff, causing many staff to log in during “normal” working hours, even though home computers may be unattended during this time. Instead of promoting “normal” working hours, companies should recognize that employees will have different ideal working hours depending upon the other responsibilities they are currently managing.
For example, the most efficient time for work for a parent may be during the evening hours, after the kids have gone to bed. Other employees may continue to maximize effectiveness and efficiency during standard working hours. Companies will need to achieve a balance, as off-hour work may not be practical for all companies and certain job responsibilities may dictate set working hours. However, work-hour flexibility for employees working from home may increase efficiency and, ultimately, the effectiveness of ICFR. We are aware of at least one situation where remote video conferencing staff meetings are held at 9 p.m. to accommodate staff family obligations during working hours and to decrease meeting interruptions. HR departments might offer other tips to help stressed employee-parents deal with meeting family needs and work requirements.
Ensuring Secure IT Systems
With employees working from home using personal routers for internet access and, in some cases, personal computers, IT security should not be overlooked. Many companies opened up access to company IT systems for remote employees so they could work from home with secure protocols for access. However, few home networks are as secure as the company’s network. Most home internet connectivity is through wireless connections to a home-based router. In many cases, the passwords used to secure router access are simple or have never been changed.
For example, in a 2019 survey of consumers conducted by the National Cyber Security Alliance (NCSA), only 40 percent of the respondents had changed their default router credentials during the initial setup at home. Moreover, home computers may lack up-to-date security software. If a hacker gains access to a computer connected to a company server, the hacker may also have the ability to gain access to the company’s IT systems. Access to company bank accounts may also be compromised if treasury or other staff use home computers or unprotected home routers to perform routine banking functions. We recommend IT staff consider possible vulnerabilities in home internet environments, implement training and provide tools for mitigating identified risks.
Pressure on Financial Reporting Results
Investors and lenders recognize that businesses have been severely impacted by COVID-19 and its impact on the business environment, but outside parties are generally hard-pressed to estimate or quantify the extent of the impact with reasonable degrees of certainty until companies start to report post-COVID-19 earnings. Investors, lenders and other interested parties are expected to carefully scrutinize financial results, disclosures and management’s discussion of forward-looking expectations during the periods after the impacts of COVID-19 are reflected in the financial statements.
On April 8, 2020, the SEC issued a public statement on the importance of COVID-19 disclosures urging companies to provide as much information as is practicable regarding their current financial and operating status, as well as their future operational and financial planning. The release offered specific “observations and requests” that management should consider in issuing earnings releases and conducting analyst and investor calls. Management must carefully consider required disclosures (including any “observations and requests” by the SEC) and management judgments applied in financial reporting. Companies should strive to achieve an ICFR structure – one that employs both a regimented and disciplined approach to meeting financial reporting and regulatory requirements – and a supportive tone at the top.
For example, in assessing goodwill or other asset impairments, management might consider the impacts of COVID-19 to be so unique and difficult to measure that management might be tempted to discount, override or abandon previous impairment estimation procedures. Others in the organization may improperly interpret management’s actions as an indication that circumvention of certain ICFR controls is acceptable. It is during these times of increased pressure on financial results that strict compliance with ICFR policies and procedures is critical to the financial reporting process.
An important consideration in ICFR is fraud risk. COVID-19 stressors, both business and personal, have elevated fraud risk for all companies. In a few short weeks, the U.S. economy has transitioned from an expansion to a sharp contraction. Unemployment reached a record 26 million for the week ending April 24, 2020. However, not all businesses have been impacted by COVID-19 in the same way. Companies in the travel, restaurant and beverage service, “brick and mortar” retail and entertainment sectors have seen their revenues evaporate as governments have ordered the physical closures of many stores and locations. Yet other industries – such as grocery, banking and industries that specialize in home-delivery operations – have scaled up, and hiring has increased to accommodate increased demand.
The speed with which COVID-19 has impacted business processes raises fraud risk. For example, companies that have experienced increases in demand may circumvent hiring and payroll controls to speed up their onboarding processes. Banks may also circumvent controls surrounding loan documentation to meet customer pressure for government loan programs. Furthermore, the availability of personnel may make it difficult to ensure segregation of duties.
The financial pressures placed on businesses and the way businesses respond to those pressures can also raise fraud risk. Many companies are implementing cost-saving measures and other changes in business strategies to address the economic changes brought about by the COVID-19 pandemic. Some companies are even fighting for survival. Cost-saving strategies inevitably may involve salary cuts and/or involuntary reductions in force. These factors further increase fraud risk, as individuals seek ways to ensure their financial survival.
Fears over contracting COVID-19 through certain payment formats may also raise fraud risk. For example, we have observed an increase in vendor requests for automated payments (wire transfers or ACH) and more customer requests for automated billings. Typically, these transactions are too large for p-cards. Paper checks and paper billings are touch points, and entities may be concerned that COVID-19 may be transmitted via indirect touch points. Companies would be well-advised to revisit ICFR surrounding setup, approval and monitoring of wire transfer and ACH procedures.
It is important for management to set a strong tone at the top in an environment of increasing fraud risk and economic uncertainty. For example, management would be advised to stress fraud awareness and the importance of anti-fraud controls in quarterly disclosure controls meetings or similar meetings or communications. In addition, management should consider implementing scenario-based stress tests of anti-fraud controls.
Unquestionably, COVID-19 has changed how companies do business, resulting in unprecedented economic uncertainty. Even the most well-seasoned and knowledgeable managers are finding it difficult to navigate and address these business challenges. In this morass of COVID-19 issues, as businesses adapt and cope, ICFR should remain a top priority for company management. Any policies and procedures that are changed, modified or adapted should be documented, and control designs should be continually assessed to ensure ICFR integrity.
 While most agree that restaurants, bars, recreational and entertainment venues where close personal contact is unavoidable are included in nonessential business closing decrees, the definition of essential and nonessential business varies by jurisdiction.
 Securities and Exchange Commission, Public Statement of Sagar Teotia, Statement on the Importance of High Quality Financial Reporting in Light of the Significant Impacts of COVID-19 (Apr. 3, 2020).