Something to Consider May 2020 1
You would have to have been living under a rock not to notice that the last 6-8 weeks have been surreal with an unprecedented level of disruption to day-to-day business as result of COVID.
Business continuity arrangements are in full swing, with facility closures, remote work, social distancing, a health and safety focus on employees, customers, suppliers and partners at the highest level, revenue and supply chain impacts, global process interruptions, cash risks, and who knows what next, probably a global recession!
At times of change and uncertainty, internal control over financial reporting (ICFR) and broader internal controls to prevent fraud, waste and error become critical. These controls enable the organisation to ensure effective operation whilst themselves being under threat of being overlooked, shortcut or circumvented.
KPMG have circulated a brief report on considerations that executives and leaders in finance, technology and business operations should take note of, in collaboration (remotely, of course) with their global risk and compliance and SOX program teams.
Much of the report reflects our own experiences, observations, not least;
- Use this opportunity to get proactive in providing risk management guidance to leadership and practical advice on changes to operational practices and controls.
- In times of revenue fluctuation, it may make sense to review materiality levels.
- Get ahead of the curve on modification to risk management and reporting processes, and ensuring transparency of documentation and approval.
- If you are still clinging on to those spreadsheets, let them go and move to capture, tracking and reporting of issues with a collaborative online tool.
- Segregation of Duty policies and controls will be under stress at this time, so consider additional review processes or use of “elevated access” procedures with an appropriate audit trail.
- Approvals of appropriateness of access to financial systems is more important than ever. With furloughs and staff reorganisations, be sure that user access review (UAR) and attestation processes and systems are solid and operating effectively.
- Take a look at manual control processes which are severely challenged in these times. Can we eliminate or automate? We will be faced with a big hurdle on evidence of manual controls when all this is over!
Early action on financial control and compliance saves unnecessary losses, costs and control failures as well as unwelcome interventions in the next audit cycle!
You can read the advisory note in full here