Keep Your 2020 SOX Program Afloat by Making These 3 Critical Adjustments
Remember all that SOX planning you did around January? Probably not all that relevant anymore.
As you read this, you're likely looking for ways to adjust or overhaul your SOX program to ensure your organization has the appropriate internal controls over financial reporting in light of COVID-19.
Keep your program headed on the right track by considering these three areas as you make updates for 2020.
1. Refresh your scoping
Chances are you scoped your 2020 program based on your 2019 financial statements or chose to carry over your 2019 program into 2020. Safe to say, this year won't be like the last. Here's your opportunity to reassess your scope.
The COVID-19 situation is constantly evolving, but we do know it has seriously disrupted business performance globally. Determine your 2020 SOX materiality based on Q1 2020 data, rather than relying on prior year data. The global downturn will negatively impact financial performance, resulting in smaller balance sheets and income statements. The materiality threshold will likely change under the 2020 outlook, and additional financial statement line items may come into scope.
Additionally, refreshing the SOX scope as of Q1 2020 allows your organization to scope in areas that pose a high risk to financial reporting in light of COVID-19, which may have not been in-scope as of 2019 year-end.
But there's a silver lining: this is a great opportunity to automate the scoping processes that require a lot of manual execution. Automation reduces the level of effort involved in scope refreshes, allowing SOX teams to perform additional scoping throughout the year and align their program based on updated financials.
Base your 2020 materiality for SOX using Q1 financial data, and work from there. Also, investigate how cloud technologies can lessen the impact on already-strained teams.
2. Business continuity
I can count on one hand the number of meetings I had in March that didn't mention business continuity. COVID-19 has brought business continuity right into the forefront of executive conversations, and if it hasn't ended up in your 2020 SOX program, it should.
In short, scope in business continuity programs that cover financial reporting processes. From a design perspective, assess if the controls in these business continuity programs address pandemic risk in addition to other risks.
Additionally, consider the third-party providers instrumental to your financial reporting process. Rather than wait on the SOC reports from these providers, engage with them during the year regarding their business continuity processes and controls. Find more tips on engaging with suppliers and third parties in this recent article.
The way you communicate internally and externally makes enormous difference when preparing business continuity, as does incorporating all risks that impact business continuity—physical, political, and pandemic.
3. Data security
Our current existence of remote work is the new normal. Your home office might be your only office, and you're updating risk matrices using the same network as your kids who are playing video games. Somewhere, your IT and security teams are screaming.
With teams working from home, there is heightened risk around secure transfer of financial data. Your 2020 SOX program should include controls around encryption of data in transit and at rest, virtual private networks (VPN), data privacy, firewalls, and data integrity.
Centralize data on a single, secure cloud platform to avoid juggling documents, presentations, and spreadsheets via local machines.
Bonus: Free COVID-19 templates from AuditNet
To help your organization avert risk, no matter what software you use, we collaborated with AuditNet to create four critical templates, covering risk management, business continuity, preparedness and planning review, and more.
Download them now, and keep your organization running smoothly despite the risks of COVID-19.
For more information on making sense of what’s happening in the world of risk and how to keep your team on track, visit our Handbook for the New Normal of Accounting, Finance, and Risk.
About the Author
David Thande, Director of Product Marketing at Workiva, has over 15 years of experience in SOX compliance and internal audit. Prior to Workiva, David served as a senior manager with Synchrony Financial, in addition to holding various SOX compliance and risk management roles at a General Electric. David started his audit career with PwC and is a Certified Internal Auditor.