Ticking off the boxes on the Sarbanes-Oxley (SOX) compliance checklist has become increasingly complex as companies look to balance governance, risk, compliance and security amid a global crisis. In March, the Division of Corporation Finance of the Securities and Exchange Commission issued the CF Disclosure Guidance: Topic No. 9, regarding disclosure obligations companies should consider with respect to COVID-19 and related business and market disruptions. This guidance encourages publicly traded companies to disclose in its public filings (10-Qs and Ks) how COVID-19 has affected business along with anticipated disruptions. Disclosing risks is nothing new for publicly traded companies. However, the significant scope and impact of today’s disruption clearly warrants disclosure as an Item 1A – Risk Factor, where a company must clearly layout risks related to the circumstances. Additional ramifications of this guidance are the challenges introduced in preparing Management's Report on Internal Control Over Financial Reporting and CEO and CFO certifications as required by Sections 302 and 404 of the Sarbanes-Oxley Act of 2002. CEOs and CFOs must fulfill their regulatory obligation to certify Management’s Report on Internal Control Over Financial Reporting. This filing minimizes the risk of shareholder lawsuits and regulatory sanctions from inaccurate financial reporting. Ultimately, the goal of SOX is to create better controls for and increase the reliability of financial reporting.
Here are two of the new SEC guidance considerations that will be top of mind for all companies when evaluating the completeness of risk disclosures and tackling the new challenges for SOX compliance:
SEC consideration #1: “Have COVID-19-related circumstances such as remote work arrangements adversely affected your ability to maintain operations, including financial reporting systems, internal control over financial reporting, and disclosure controls and procedures? If so, what material changes in your internal controls have occurred?”
Challenges to consider:
- Today's disruption may have forced your organization to move some, or all, of your employees to work from home. In some cases, employees may have been furloughed. As a result, many of the business processes and SOX disclosure controls in operation after these changes may be different than those documented and tested prior to the disruption.
- For example, you may have had a control in place to verify that all expense disbursement over a set dollar amount were properly authorized, substantiated with acceptable source documentation, and recorded accurately and in the proper period. Now, due to workforce complications from COVID-19, you may not have had sufficient qualified employees to perform this control or the control couldn’t be performed because source systems and documentation weren’t available in a remote work environment.
- During this period, your employees may have been forced to knowingly disregard an internal or external obligation that could pose material risk. Examples might include processing transactions in contradiction to Office of Foreign Asset Control (OFAC) sanction requirements or booking business in contradiction to internal policies on type, terms, or counterparty credit worthiness.
- There may be new and changing laws and regulations that recently came into force or will very soon. The ability of your team to properly prepare for compliance with these new laws and regulations may have been impacted by COVID-19, such that your organization may be out of compliance with the law(s) for some time.
- You may not be as confident now that all transactions entering your accounting systems are properly authorized as you were prior to the pandemic. When key accounting entries were entered by employees within the walls of the organization, confidence in the identity of the transaction originator was high. Now with employees working from home, there are increased identity and security risks. This also creates deteriorating confidence that segregation of duties is being enforced around transaction input and that all transactions are authorized, accurate, complete, and recorded in the proper period.
Addressing Internal Challenges
RSA customers using the RSA Archer Regulatory & Corporate Compliance Management solution and SOX governance are at a distinct advantage in addressing these challenges.
To address these challenges, companies need a platform capable of managing multiple dimensions of risk. RSA Archer can be used to communicate between business process and internal control owners in validating whether each of their documented business processes and controls are still in place and operating during the quarter. Where business processes and controls are not operating as designed, RSA Archer can be used to capture the “how and why,” changes in design that have occurred, and the point at which the owners expect controls to be operating. This capability is available with RSA Archer out of the box with an Enterprise & Operational Risk Management use case that supports Risk Control Self-Assessments (RCSAs). It can also be configured in RSA Archer to meet additional specific requirements in short order.
Organizations concerned about non-compliance with laws, regulations, internal policies and procedures, and key customer and third-party contract provisions may be prudent to use the capabilities of RSA Archer. It can survey first and second line managers about their knowledge of any breaches of existing obligations, long-term likelihood and impact of any compliance breach, and when they expect to be operating in compliance with existing obligations. RSA Archer can also be used to solicit management in identification of and degree of preparedness for new obligations.
Organizations concerned with controls around the authentication of originators entering transactions into their accounting systems should have a high degree of confidence if they are using RSA Identity and Governance Life Cycle solutions.
SEC consideration #2: “Do you anticipate a material adverse impact of COVID-19 on your supply chain or the methods used to distribute your products or services, with impact on cost and revenue?”
Challenges to consider:
It is difficult to understand which vendors are critical to your organization, the design and effectiveness of their controls and the types and amount of risk they pose. In order to address this guidance, your organization will need to answer a number of questions:
- Which vendors create disclosure risk as a result of what has happened and what is expected to transpire due to the pandemic in the region(s) in which the vendor operates?
- Which vendors are critical in contributing material revenue to your organization through the products and services provide?
- Which vendors are critical in supporting and executing the strategic objectives of your organization?
- Which vendors contributing material revenue or supporting strategic objectives has ceased or is expected to cease operations due to financial difficulties?
Depending on the types of engagements your organization has with vendor(s), your business could be exposed to SOX disclosure risk via your relationship in the same way your organization may be directly exposed to the challenges associated with SEC consideration #1.
Addressing Third-Party Challenges
If your organization has been using the RSA Archer Third Party Governance solution for some time, you are in a good position to address the following:
- Each third-party engagement is logically linked to the business processes it supports and those business processes are logically linked to your organization’s products and services. Therefore, you have direct visibility from the list of products and services your organization delivers to the vendors that support them. You know which vendors support ongoing operations and which are involved in product- and service-related revenue and expenses.
- One of the vendor engagement risk categories is Strategic Risk, that can be used to identify vendors that pose the most strategic inherent risk to your organization. For organizations using RSA Archer for Enterprise Risk Management, you should also have direct visibility to everything from strategic objectives to business processes to supporting vendor relationships. Both approaches should provide visibility into the vendors that support the most important strategic objectives of your organization.
- Lastly, the RSA Archer Third Party Governance solution provides multiple means to evaluate the financial wherewithal of third parties both prior to and during the COVID-19 crisis. This can be accomplished by uploading financial ratings from third party rating agencies such as D&B or rapid ratings, or by entering key information from a vendor’s recent balance sheet and income statement.
With each of these steps, you can narrow the population of vendors that could impact your financial statements, risk disclosures, and reporting of internal controls over financial reporting. In allocating resources based on vendor risk, you can use the RSA Archer Third Party Governance solution to solicit and capture updated vendor control questionnaires and financial information to ascertain if there are material concerns related to your pool of vendors.
Publicly traded companies in the U.S. are now faced with disclosing to investors exactly what impact the pandemic is expected to have on their business, operations, and financial condition. In addition, companies must reaffirm the adequacy of their disclosure controls to ensure financial statements are accurate and complete. This all calls for an Integrated Risk Management platform with the ability to more effectively assess, identify, monitor and manage multiple dimensions of risk.
Author: Marshall Toburen
Category: RSA Point of View, Information Security, RSA Identity Governance and Lifecycle, RSA Archer, Risk, Compliance, Sarbanes-Oxley, Blog Post