Impact of Covid Shutdown on ICoFR for Statutory Audit of FY 2019-20

Uncertainty and it’s impact on the control environment

Covid-19 brought in uncertainty. Working under the disruptively changed period of Uncertainty should drive you to review your Internal Controls. As we head into the Audit sessions for FY 19-20, Finance teams need to provide their Audit Committees, Boards and the Statutory Auditors comfort that their company had adequate Internal Controls Systems in place that were operating effectively as at Balance Sheet Date.

Given this requirement, Control Owners, Finance teams, Internal Audit team and Management should take time to review the scoping of the Search Results Web results Internal controls over financial reporting (ICoFR) programme for the impact to the control environment and control evidence and ensure adequacy under the changed circumstances.

We list out questions that Finance Teams should consider to evaluate your year-end positions:

♣ ‘Segregation of Duties’ resulting from workflow changes during Covid:

Impact of remote working on approval processes & documentation:

• Did you stick to your standard Financial Close Checklist as at 31^st March 2020 and were all the work procedures adhered to exactly as documented?
• Do your approval processes consider the remote working realities?
• Remote working may have led to work-around processes and access controls. Did these changes impact or dilute your control environment? Did you evaluate adequacy and robustness of the team’s access-rights and potential conflicts due to the emergency?
• Is your ‘delegation of authority’ manual robust enough to consider non-availability of key resources?
• Have you reviewed your IT General Controls post shutdown for Covid-19?

♣ Revenue Recognition at a time of Supply Chain Disruption:

• Are your open Sales Orders still valid and enforceable? Have your customers triggered any Force Majeure clauses on your Customer Agreements?
• Did you evaluate if your Incoterms were stable during the disruption period?
• Did you “Dispatch” and recognize revenue without the goods leaving port? For “Bill and Hold” transactions, does your revenue recognition still trigger?
• For Revenue booking based on “percentage of completion”, have the estimates been reviewed to measure progress?

♣ Inventory:

• With Supply Chains getting stressed, have you evaluated procedures around your Inventory movement and valuations?
• Did you evaluate the strength of your ‘in-transit’ inventory during the time of Supply Chain disruption?
• Have the risks been covered by adequate and timely Insurance? Eg. A Loss of Profit policy to protect at time of shutdown. While this goes beyond Inventory, see the link for an example of good risk Insurance

https://www.insurancejournal.com/news/international/2020/04/13/564598.htm

• Do your Inventory verification processes build-in controls over remote verification?
• Is your roll-back procedure for verification robust enough?
• Have lock-down costs been considered as “absorbed” or does it drop to the P&L as abnormal costs?
• Did you re-evaluate for any Onerous Contracts and their impact on valuations?

♣ Property, Plant and Equipment:

• Do your Physical verification processes for PP&E undergo a change?
• Does your ICoFR programme consider evaluation of triggers for impairment testing of assets?

♣ Receivables:

• Has your ICoFR programme evaluated your key customer credit risks?
• What additional factors do you need to bring into your customer credit control procedures to retain its functionality during these changed circumstances? Do you need to redo your customer credit evaluation, as the past 12-month history may no longer hold water?

♣ Liquidity and working capital:

• Do your Treasury controls include evaluation of triggers of any ‘at risk’ Debt covenants?
• How does your programme factor in treasury risks around your current lines of credit?
• Have you evaluated triggering events for any performance guarantees or Force Majeure clauses kicking in?

♣ Employment Benefits:

• Does your Risk Programme evaluate changes to the actuarial assumptions and disclosures?
• Have you adequately insured your employees per Govt. norms?
• Have you evaluated the need for Keyman Risk Insurance?

♣ Third Party due diligence:

• If you outsourced some activities such as Payroll, Accounts Payable, etc., have you evaluated your contractor’s ability to operate the controls you rely on? Have you asked for SSAE-18 SOC1 or SOC2 reports from those contractors? If not, what assessment have you performed to test the operating effectiveness of controls so that you feel comfortable in relying on them?

♣ Fraud Risks:

• Does your control programme evaluate the changed considerations in areas where you depended on ‘physical’ or ‘manual’ control?
• Did you review for management override, where physical presence was not possible?

♣ The ‘FinYes’ Perspective:

ICFoR is a management responsibility and as we head slowly into normalization, it is time that each ‘level of defense’ within the management take some key steps to ensure timely and adequate compliance. {see pdf for table of responsibilities}

About the author: The author is a Partner at FinYes Consulting with over 23 years of experience in corporate finance and Board Governance. He has been pivotal in establishing a robust control environment and has worked through multiple full cycle implementations of SoX and ICoFR programmes for large corporates.