How COVID impacts SOX audits

Galvanize

We’re going into our second year of a global pandemic. Like many other folks, internal audit teams had to pivot and adjust to a new way of doing things—including SOX audits.

In March, when we packed up our desks and went to work from home (WFH), we all thought we would be back within the month. But here we are, almost a year into this pandemic and we’ve all had to adjust our lifestyles—and the way we work.

Right now, internal auditors are feeling their way through remote Sarbanes-Oxley (SOX) audits—trying to find the right steps to execute what was once a very physical and in-person process.

It was common to physically meet with process owners. To sit side-by-side and walk through their controls to make sure they’re still valid. Talking through updates, getting data, asking questions—it was a lot of face-to-face.

Now everything is remote. Insteading of sending auditors to a specific location to test controls, it’s done from the comfort (or uncomfort) of their homes. They’re testing data and validating controls remotely through Zoom or surveys.

What has to be done hasn’t changed, but HOW we do it has.

How has COVID changed internal audit?

The pandemic and WFH introduced a number of new challenges for auditors, including:

  • Inability to travel or conduct on-site audits
  • Limited access to documentation/increased technical challenges
  • Communication barriers (bad internet, slow response times, no face-to-face)
  • Zoom fatigue (so much Zoom fatigue)
  • More difficult to meet with process owners

These challenges in combination with working from home (WFH) may result in some auditors deciding to take shortcuts when testing controls. For example, if you tested a control last year and there were no exceptions, what’s the harm in testing a smaller sample set of data?

To that we say, “it’s all good until it’s not.” This is not the time to cut corners, even if it means more work. So how do auditors take on that work in a way that is scalable and efficient?

HOW TO ADJUST TO REMOTE SOX AUDITS

KPMG cited that some organizations have been experimenting with remote auditing for years. This is true, and it’s given rise to many new techniques and new audit management software over that time. Yet, it wasn’t until the pandemic hit that we really dove head first into an all-remote audit approach.

While some organizations, as a result, put their audit work on hold, others have fully embraced the remote audit, and for good reason. COVID has introduced all sorts of new risks and realities that internal auditors must address. Here’s how they can do that.

Reassess your risks
With these new risks, it’s important to reassess your planning. This will highlight areas where you may have to change SOX processes and controls. For example:

  • Supply chain: has there been disruptions or declines in quality/delivery that have impacted the business?
  • Third-party: has new technology been quickly introduced to work from home, bypassing the usual security screening process?
  • Liquidity: have revenues been impacted or more debt taken on?
  • Business continuity: what new factors could result in increased cyber threats?
  • Communications: is the organization ready to respond if the situation continues to get worse?

By proactively taking a step back and reviewing the business operations and processes, you’ll be able to identify and prioritize your audit focus.

Automate what you can
Now is the time to automate what you can in order to point precious resources to the things that can’t be automated, like your risk assessment. Automation has the power to reduce cost and time, plus improve the control environment.

  • Automate control testing (or some of the steps) where possible to minimize manual efforts.
  • Test entire populations of data instead of sample sets to get complete assurance.
  • Implement continuous monitoring so exceptions are flagged and mitigated before they can escalate.

For more on automating SOX testing, watch our on-demand webinar, Automating SOX control testing: how to get started, demonstrate ROI, and expand impact.

Implement an agile approach
We spoke with a customer recently to get a feel of how COVID impacted SOX audits for her team. She noted that the transition was fairly smooth because she had implemented an agile approach to audit some time ago. Plus, her team was already working remotely one day a week before the pandemic, and they were on the road a lot. So remote work was not new.

To keep things on track and moving forward, the audit team:

  • Meets three times a week as a group to discuss projects and status updates
  • Schedules additional 30-minute catch-ups and coffee breaks in smaller groups
  • Sets a regular cadence of meetings with process owners
  • Ensures all team has access to senior leadership when needed
  • Has a casual Friday video get-togethers to maintain relationships
  • Works from a shared calendar to make sure everyone has visibility into the work
  • Uses the screen sharing function in Zoom to do walkthroughs and review data

While our customer did say that she couldn’t wait to travel again and meet with process owners in person, she said they’ve been able to quickly adjust thanks to the foundation they already had in place. Read more about agile auditing in our eBook, Sprinting ahead with agile audit.

Tap into technology
For years, there’s been a push to evolve audit into a more tech-aware function, but there’ve been a lot of roadblocks along the way. Technology adoption, team change management, overall governance changes, and the continued need to show value every step of the way.

But change begets change, and with the shift to remote work, now is the ideal time to make a case for technology. Using a tool like AuditBond, you’ll be able to:

  • Increase your team’s capacity with templates, workflows and project roll-forwards
  • Easily show real-time value through dashboards and one-click reports
  • Improve remote collaboration within your team and across the organization
  • Provide data-backed insights to drive decision-making
  • Stay current on SOX control updates with built-in content

Technology was a key consideration in a recent article we posted, Four things internal audit should focus on during COVID-19, written with consultation from Liz Sandwith, Chief Professional Practices Adviser, Chartered Institute of Internal Auditors.

What’s next?
The vaccines are already starting to roll out across the globe and there is a light at the end of the tunnel. But we can’t lose sight of the fact that testing controls within your SOX program remains of utmost importance. Cutting corners will only result in less assurance, more risk, and potentially more work—or worse, financial or reputational damage.

Internal auditors are responsible to make sure they have what they need in order to do their job, be that leadership resources, data, technology, or time with process owners. If you need help, ask. If you need a resource, ask. SOX controls covers so many areas across an organization, and now is not the time to pull back on oversight.

eBook

Making SOX Compliance Easier for Everyone

You’ll discover how technology can make significant improvements in your SOX compliance processes and help you:

  • Increase collaboration among the Three Lines of Defense
  • Leverage data and analytics to achieve greater insights into relationships between risks
  • Automate processes and reduce the time and resources involved in control testing
  • Get started on the path to improved SOX compliance today.

Download eBook

Related Articles

lang="en-US"
X

Galvanize is now part of Diligent.

To stay up to date on the latest product offerings, research and GRC resources please visit or to login to your Galvanize products please visit www.diligent.com

Visit Diligent Login