Three Ways to Prepare for an Internal Controls Audit in a Year of Significant Change
With 2021 now here, many accounting and finance leaders are beginning to reflect on the challenges created by COVID-19 and the path forward. Pre-pandemic, the inherent benefits of the typical office setting—a collaborative environment, on-premise tools, and information security—had been taken for granted. Amid lockdowns, most organizations implemented a number of workarounds to enable remote work arrangements and ensure business continuity.
After acclimating to these new working conditions, organizations across the globe face new challenges in preparation for annual audits. With so many significant changes condensed into one year, an inevitable and perhaps material impact to companies’ internal controls over financial reporting will occur. To better prepare for year-end audits and ensure effective controls, proactive leaders will address the following three areas of risk often present at organizations—areas that were even more susceptible in 2020.
Assess Updated Risks
Identify areas of higher risk that previously may have been considered low risk prior to changes to the business that may have resulted from COVID-19.
Revisit Estimation Inputs Methods
Estimation models and the underlying assumptions that were relevant just twelve months ago may no longer be relevant.
Review IT Controls
Review, test, and validate any newly-implemented technology changes, even if done in arrears. Shore up areas of concern, particularly regarding cybersecurity.
Updated risk assessment
At the beginning of 2020, management teams put together risk assessments by process, account, and subsidiary to ensure the control environment in place was effectively designed to mitigate underlying risk exposures.
With the variability in business processes over the course of the year, organizations should refresh their assessments as the risk exposure has undoubtedly changed. For example, a service organization may have designated its business encompassing its digital offerings as lower risk at the beginning of the year, if those digital offerings represented an immaterial portion of the business. A shift in demand from in-person to digital services over the course of the year will likely mean the digital business now represents a more material portion of the business and, as a result, a higher risk.
These types of changes in the risk assessment are not uncommon in a year of unprecedented volatility. In addition to scoping in subsidiaries and businesses that are higher risk, management teams should also reassess its overall materiality conclusions established using forecasts at the beginning of 2020. If actual results came in substantially lower than budget, it’s likely that materiality will have to be adjusted downward, which could cause certain accounts or other businesses previously considered immaterial to be considered a higher risk.
In both of these cases, management should evaluate if the controls and internal testing procedures related to the business and accounts that were previously considered lower risk are appropriate in light of the updated materiality. Although it isn’t ideal to identify such changes after the close of the year, performing this analysis prior to the year-end audit still allows management teams an opportunity to put in place detective controls or identify direct, precise entity level controls that mitigate these risks, avoiding a potential significant deficiency or material weakness.
In recent years, both external auditors and regulators have focused on significant estimates and reserves, including management’s process to ensure the underlying assumptions and inputs are appropriately reviewed and supported. Management has often relied on historical results and trends to support such estimates. Many companies experienced disruption to operations in 2020 and forecast these disruptions to continue into future periods because of the COVID-19 impact. As a result, historical financial information and trends may no longer be meaningful when trying to substantiate estimates such as projected future cash flows that inform critical valuation analyses, including impairment and acquisitions.
Operational disruptions related to the pandemic are likely to impact other estimates as well. Customers who historically have exhibited limited collectability risk may need to be reassessed when calculating an allowance for doubtful accounts. And, as customers put certain non-essential services on hold, conclusions related to variable consideration such as performance-based award payments for successful delivery of goods and services in contracts with customers that management had previously been recognizing over time may need to be reconsidered.
To avoid control deficiencies related to these estimates, management will need to re-evaluate its significant estimates, operating under the assumption that previous methods of supporting inputs and assumptions may no longer be appropriate. Identifying alternative methods of supporting these estimates may be difficult. Given the uncertainty in future periods, probability weighted scenario estimates may be appropriate.
For example, a management team may develop financial forecasts for three potential timelines to recover to pre-pandemic levels, assigning a percentage weighting to each based on the likelihood each occurs. By taking this approach, accounting and finance teams can use all available information to develop budgets that inform processes like goodwill impairment analyses in the face of unprecedented uncertainty. Alternatively, by year-end, companies may have two to three quarters of data to support new trends.
No matter which methodology is chosen, accounting teams should use reasoned, thoughtful, and well-documented judgments. Doing so will position accounting teams to demonstrate controls related to key estimates and reserves continue to operate effectively, despite the turbulent economic and business environment.
IT control implications
The abrupt shift from an office to remote work environment gave rise to many IT-related challenges. Virtual private networks were stretched to their breaking point, new collaboration tools rushed into production, and (due to reallocation of task ownership) system access distributed to individuals who may not have historically required it. Further, rapidly deploying these types of changes in a short period of time may have strained IT resources, including delays to routine IT activities such as security patches or updates. As a result, cybersecurity risks increased as business activities entered employees’ home networks outside of carefully curated information security protocols.
While these activities were necessary to ensure business continuity during a period of great uncertainty, organizations must properly evaluate these changes to ensure risks are adequately addressed. Proper IT and change management controls should address effective system operations, appropriate access, segregation of duties and cybersecurity.
Management teams should acknowledge that historic IT controls may not have been appropriately designed to address the risks such changes pose to the organization. Ideally, a review of design effectiveness of new or changed processes should take place in real time. However, retrospective reviews of appropriate access and segregation of duties as a result of changes to processes and roles, and a refresh of cybersecurity risks have value.
For identified issues, management should identify the compensating controls and processes in place to mitigate the impact of the deficiencies. Managers can also thoroughly investigate whether any problems with access or segregation of duties may have resulted in any improper journal entries that impact the financials. Although this review will not reduce the potential magnitude of a misstatement for control evaluation purposes, this analysis will serve as part of management’s more fulsome response to the control deficiency. It will also help external auditors to perform independent evaluations.
Maintaining business continuity despite the enormity of challenges presented by the pandemic is no easy feat. While no one could have foreseen COVID-19 or its impact on the world, a careful retrospective assessment of these areas can guide accounting organizations to respond appropriately, mitigate the impact of any issues, and proactively provide external auditors the right information to ensure a smooth year-end audit.