This article highlights how Covid might have impacted the internal controls of companies. Needless to say, when the internal controls have been affected by the pandemic, the auditors of such companies need to consider its impact on their reporting on the adequacy and operating effectiveness of internal controls with reference to financial statements as prescribed u/s 143(3)(i) of the Companies Act, 2013.
The pandemic has hit all organisations globally and India is no exception. Considering this, the Securities and Exchange Board of India (SEBI) issued a Circular dated 20th May, 2020 encouraging listed entities to make timely disclosures about the impact of Covid on their companies. One of the items in the list of information that the Circular states listed companies may consider disclosing is internal financial reporting and controls.
The users of the financial statements, various stakeholders, including investors, lenders, suppliers and customers, Government agencies and so on, are keen to know to what extent the company has been affected by the pandemic. As stated in the ‘Guidance Note on Audit of Internal Financial Controls over Financial Reporting’ issued by The Institute of Chartered Accountants of India (GN on IFC) for the purpose of auditor’s reporting u/s 143(3)(i) of the Companies Act, 2013, ‘internal financial controls over financial reporting’ shall mean ‘a process designed to provide a reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.’ Therefore, to prepare reliable financial statements, internal controls over financial reporting are imperative. If such internal controls are affected by Covid and if the company has not taken adequate steps, the financial statements prepared may not be reliable for external purposes and the stakeholders will lose confidence in the entity’s financial reporting. From the governance perspective, it is important for the Audit Committee and management that new processes for financial statements closure and reporting of results and financial / operational controls are appropriately documented.
EXTENDED REPORTING TIMELINES
IMPACT ON FINANCIAL CLOSURES
(A) Performance reviews refer to overall analytical procedures comparing actual performance with budgets, forecasts, etc. However, it is very likely that the budgets, forecasts, prior period actuals, etc., did not include the impact of Covid at all, or had considered its impact based on information available at that time. In the absence of a robust performance review, what controls does the company need to establish to ensure the reliability of financial information? Let’s understand this by way of an example. A company manufactures white goods such as dishwashers, washing machines, etc. Its volume of production in a given period is predictable as the company had established its plant many years ago. For F.Y. 2019-20, the company was able to run its normal operations throughout the year, except the last week near the year-end due to the lockdown. However, in F.Y. 2020-21, the lockdown was extended and therefore production was completely shut for part of the year. While reviewing the performance of F.Y. 2020-21 and comparing it with the previous year, the variance attributable to the period when the plant was shut can be quantified.
(B) Information processing controls are application controls and general IT controls. Before Covid, these controls were usually based on the assumption that applications were being accessed by users through LAN. This identifies the user and has security firewalls to protect the data in the system to ensure its reliability. In the period of the pandemic, where many organisations had to close their offices and allow employees to work from home, IT systems are being accessed by employees through their home networks. The reduced number of employees may result in reduced controls being adhered to. Vulnerability of security for data protection and its unauthorised access pose a significant threat to the reliability of the financial close process. Further, there is heightened risk of data leakage. For example, a company has IT security through which tenders submitted by potential suppliers can be accessed by the procurement department only through the office LAN. During Covid, when staff is working on their home networks, such control cannot be implemented and needs to be modified without compromising on the security of the data. IT processes or controls that have an increased volume or that need to be performed differently due to changes in work environment or personnel, are likely to have additional risks in areas such as the following:
Access termination – Increased number of access termination requests and fewer people available to process them – this may increase the risk of unauthorised access due to terminated personnel not being removed in time. In many organisations, there is an exit form which the employee fills and after approval from the HR it is handed over to IT to ensure that all access given to that employee is terminated and confirmed by IT by signing the same form showing the date and time of termination. In the Covid scenario, the exiting personnel, HR staff and IT staff are all at different locations. To ensure coordination amongst them for terminating the access immediately when the employee leaves, different controls need to be put in place.
Change management – Verbal approvals may be accepted rather than waiting for approvals to be documented through a ticketing system, and thus there may be increased use of emergency IDs which may not be subject to the same degree or timeliness of monitoring as usually occurs. Whenever any change is required in the IT environment, many companies have a hard copy documentation system showing the requester, the approver and details of the changes made, followed by subsequent testing and implementation. During Covid, such hard copy documentation may not be possible given that the requester, approver, programme writer, testing team and implementation team are at different locations. This may require modification of the existing IT change management controls.
Execution of review controls – The questions to be answered are:
(a) What changes are made to the review process of access control, change management and other IT environment processes?
(b) To what extent are the company’s IT risks affected by the new way of working and what are the mitigating controls introduced to deal with the security threat to the IT systems that process financial data?
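The access termination control described above can be tested by reconciling HR exit records against IT's termination confirmations and the login logs. The following is an added example, not part of the original article; the record layouts, user names, dates and the 24-hour tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
HR_EXITS = {            # user -> approved exit date/time from the HR exit form
    "asha":  datetime(2021, 3, 1, 18, 0),
    "ravi":  datetime(2021, 3, 5, 18, 0),
    "meena": datetime(2021, 3, 10, 18, 0),
}
IT_DISABLED = {         # user -> date/time IT confirmed all access terminated
    "asha": datetime(2021, 3, 1, 19, 30),
    "ravi": datetime(2021, 3, 9, 11, 0),
    # no confirmation from IT for "meena"
}
LOGINS = [              # (user, time of successful login, source)
    ("asha",  datetime(2021, 3, 1, 9, 5),   "vpn"),
    ("ravi",  datetime(2021, 3, 7, 22, 40), "vpn"),
    ("meena", datetime(2021, 3, 12, 8, 15), "webmail"),
    ("kiran", datetime(2021, 3, 12, 9, 0),  "vpn"),  # current employee
]


def review_terminations(exits, disabled, logins, tolerance=timedelta(hours=24)):
    """Return (user, finding, detail) tuples for each exception found.

    tolerance is a hypothetical policy value: the longest acceptable gap
    between the HR exit time and IT's confirmation of termination.
    """
    findings = []
    for user, exit_at in sorted(exits.items()):
        off_at = disabled.get(user)
        if off_at is None:
            # Exit approved by HR but never confirmed by IT.
            findings.append((user, "NOT_DISABLED", None))
        elif off_at - exit_at > tolerance:
            # Access stayed open longer than policy allows.
            findings.append((user, "LATE_DISABLE", off_at - exit_at))
        for who, at, source in logins:
            # Any successful login after the exit time is unauthorised use.
            if who == user and at > exit_at:
                detail = f"{source} {at:%Y-%m-%d %H:%M}"
                findings.append((user, "LOGIN_AFTER_EXIT", detail))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_terminations(HR_EXITS, IT_DISABLED, LOGINS):
        print(user, finding, detail)
```

Each finding is an exception for management to explain or remediate, and the same reconciliation gives the auditor evidence of whether the modified control operated during the remote-working period.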
Many organisations are changing their strategies to take advantage of digital technology, such as storing data on cloud which can be accessed from anywhere by the authorised personnel. Even if the employee working on such data is not able to access the company’s server from her remote location, such data need not be copied on the workstation of the employee when it is available on cloud. With such changes in strategy, it is obvious that the relevant risk control matrix of the company will undergo a change. The new risks identified will be because the majority of employees are working from different locations. Controls to mitigate such risks, for example, data security risk as discussed above, will be plotted against each of such processes.
(C) Physical controls relate to the existence of assets and authorisations for their access. In the Covid scenario, the authorised person holding custody of the physical assets is away from the office or location of the assets for prolonged periods. How does the company ensure the existence of its assets when the person entrusted with their physical custody no longer has their custody? How has the company changed its internal controls which earlier were physical controls? For example, during partial lockdown, earlier internal controls might have been modified in respect of frequency of physical verification, the authority performing such verification, etc. Such modified controls may also consider any new digital technology implemented by the company or any supplemental controls to the original pre-Covid controls.
Safeguarding inventory
Safeguarding inventories is the responsibility of the management, which is required to establish procedures to ensure the existence and condition of all inventory and to support its valuation. There may be transactions as at the year-end where the company has transferred the control of assets but physical possession remains with the company, such as bill-and-hold arrangements. The internal control framework relating to safeguarding and monitoring of inventories would need to include these considerations, e.g., assessing the inventory shrinkage by location, product type, or other disaggregated basis, comparing the actual inventory value of each location to an expected range, and investigating any individual locations that are outside the expected range.
Further, with scenarios like localised lockdown, travel restrictions, etc., physical inventory counting would be challenging and in some cases impractical. In certain situations where the conventional method of physical verification is not practicable, management may establish internal controls to undertake physical verification remotely via video calls with the help of technology.
Environmental and safety norms
Companies may be using sensitive chemicals and industrial gases for producing goods. Some of these items are required to be stored in temperature-controlled containers and to be continuously monitored. If there is any leakage of hazardous gases or chemicals, the implications on the company could be very severe and even lead to closure of the factory, thereby affecting the going-concern assessment. Localised lockdowns imposed by various State Governments might induce stress on the monitoring mechanism relating to compliance with environmental and safety norms.
(D) Segregation of duties as a control was put in place by companies to ensure that employees preparing the information, authorising the information, recording the information and holding the custody of the documents are different. In the Covid scenario, the flow of physical documents to different employees performing these different roles is not possible. Further, many organisations had severe staff absences for prolonged periods as the staff themselves were affected by the pandemic. This requires delegating their responsibility to other staff and modifying internal controls around it. The question that companies need to answer is whether they have modified their internal control system and whether the revised system ensures effective segregation of duties.
Fraud risks
Fraud risks change in such a time of crisis, as new opportunities are created for internal as well as external parties. Incentives for committing fraud – both misappropriation of assets and financial reporting fraud – may also be heightened, especially if significant terminations are likely or employees suffer significant personal financial stress. As stated in the GN on IFC, ‘When planning and performing the audit of internal financial controls, the auditor should take into account the results of his or her fraud risk assessment.’ In the years when the company is hit by the Covid pandemic, fraud risk assessment of the auditor is expected to be different from the earlier years. The risk of fraud has increased significantly due to changes in the way of working. Such risks can range from the basic documentation process where scanned documents are being relied upon, which can be forged, as against the original signed documents; to frauds in complex transactions where significant estimation is involved such as fair valuation, etc., since these estimates are also significantly impacted by Covid. Some of the areas where fraud risk has increased are:
(i) Physical document approvals are replaced by email approvals in the Covid period. Such approvals carry the risk of emails being compromised.
(ii) Due to the new style of working, the demand for certain goods and services has significantly increased. This has created an opportunity for procurement fraud.
(iii) Owing to lockdown situations, many customers may be facing financial difficulties in paying their dues within the credit period. This increases the risk of financial reporting fraud by resorting to unethical means of recording receipts from debtors which are not genuine.
The auditors, while planning and performing the audit of internal financial control, will need to take into account as well as document how their audit plan is different from the earlier years due to higher risks of fraud, i.e., what is their audit response to such risks.
ASSUMPTIONS FOR THE FUTURE
Ind AS 1 requires the entity to disclose information about the assumptions it makes about the future, at the end of the reporting period, that have a significant risk of resulting in a material adjustment to the carrying amounts of assets and liabilities within the next financial year. In the Covid scenario, the future holds a lot of uncertainty and it will need the company to demonstrate its internal controls for arriving at the estimates, or its estimation process. It may have an impact inter alia on going-concern assessment, impairment of assets, fair valuation, etc., that is, financial statement items that are based on assumptions of the future. Companies faced difficulties in estimating the impact of Covid on their operations beyond the short term. This is an inherent risk because of uncertainty about the future which was never experienced before in history and has resulted from the global pandemic. Due to the disrupted supply chain and distribution models, uncertainty over pricing, etc., projecting future cash flows with acceptable precision is not possible for many companies. Coordination with management experts, such as those heading the strategy department, valuation specialists, etc., when performing impairment tests, assessing fair values of assets such as investment properties, investments, etc., and performing actuarial calculations and analyses, can be more challenging. Many auditors have considered these matters as key audit matters for their audit of the financial year ended 31st March, 2021. The question is whether internal controls over the estimation process of the company consider the uncertainty brought by Covid.
Exceptions identified during control testing
It is likely that management will identify exceptions during its testing of controls because controls were designed for a totally different environment. To ensure that sufficient time is available for remediation before the year-end, management will need to modify the design of existing controls and test the operative effectiveness of the new controls during the year. If such remediation does not take place by the year-end, it will have consequences of communication with audit committees and modification in the auditor’s report. Further, in the absence of controls being effective, auditors may need to modify their strategy to evaluate the impact of ineffective controls. Therefore, companies should change their plan of testing controls affected by Covid earlier than usual in the year. If the company has had to incorporate new controls during the year, these controls should be documented in its internal control documentation and appropriately tested.
Planned changes in RCM
Each entity’s internal controls will be uniquely impacted by Covid, e.g., entities with significant dependence on technology will have different challenges to address than those with a more manual control environment. With a majority of staff working from home, manual controls maintained through hard copy documents cannot be adhered to. Technology-dependent controls may need revision with new technology suitable for the new environment. Hence, it is imperative that on a holistic basis the potential changes or shifts in focus, both in terms of scoping and risk assessment, testing approaches, etc., are made and additional controls or control modifications of existing controls are undertaken to address the risks arising from Covid. Based on the experience of Covid, companies will start making changes in their risk control matrix. It will include identification of additional risks posed by Covid, new controls to mitigate those risks, modification to existing controls in view of the ‘new normal’ and removal of some controls which have become redundant. This might include automation of all key manual controls to reduce dependency on people and physical access to the work environment, increased use of continuous monitoring and detection and defining indicators which would suggest that controls may not be operating effectively.
Changes to the design of management’s control may also require the auditor to alter the combination of testing procedures (i.e., inquiry, inspection, observation and re-performance). This includes making inquiries on the changes in the company’s mode of carrying out operations in response to Covid. For example, changes due to people working remotely, and consequently the change in the company’s policies and procedures, including execution of controls, segregation of duties, etc. This would also include evaluating the electronic or digital evidence made available by management, and the controls around the same, specifically with reference to review, reliability, security and storage of such evidence by the management.
Enhancing disclosures
The pandemic would also have wide-ranging implications on the financial statements. Hence, it is crucial that the management adequately presents their ‘side of the story’ in detail. Disclosures might include entity-specific information on the past and expected future impact of Covid on the strategic orientation and targets, operations, performance of the entity as well as any mitigating actions put in place to address the effects of the pandemic. Updating the information included in the latest annual accounts to adequately inform stakeholders of the impact of Covid, in particular in relation to significant uncertainties and risks, going-concern, impairment of non-financial assets and presentation in the statement of profit or loss, have garnered renewed focus.
SNAPSHOT
In short, the way Covid has impacted internal controls over financial reporting of companies is as follows:
a) New normal – The way companies carry out day-to-day transactions from initiation to closure that involves authorisations, recording, cash receipts or payments, etc., has changed. Given that these processes have undergone changes, all pre-Covid controls may not be relevant and new controls may be needed.
b) Risks change due to Covid – Not only are the new processes susceptible to new risks, but existing risks may also be heightened due to the change in the environment. In addition to this, there are certain inherent risks of dealing with the ‘unknown’, i.e., how long the pandemic will continue, what will be its severity and the resulting impact on the organisation, etc.
c) Controls must also change accordingly – Companies will need to thoroughly review their risk control matrix in light of the new risks. It will require addition of new controls (e.g., those relevant to new technology), changes in the existing controls (such as approval process through emails or physical verification of assets through virtual means, etc.), or removal of some of the irrelevant controls (like those related to physical documentation).
d) Audit of internal controls over financial reporting – With the new risk-control matrix, the auditors will need to plan their integrated audits in light of the changed processes of the client, the revised design of controls and testing their operating effectiveness. The auditors will need to evaluate ‘what could go wrong’ with increased audit scepticism considering the high fraud risk in the new reality, the risk of non-compliance with laws and regulations, the impact of uncertainty on the estimation process of the company, and so on.
NEXT STEPS
Companies establish criteria for internal controls over financial reporting. These are dynamic in nature and as the circumstances change, companies need to revisit internal controls on identified risks. The impact of Covid will require them to relook at their existing criteria and identify what changes are required to be carried out to achieve the objective. Many companies have prepared their own checklists to ensure that the internal controls criteria are updated based on the current environment.
At the same time, auditors need to be aware of what changes are being carried out by their clients in their criteria for internal controls and plan their audits accordingly. This may require the auditor to obtain samples of the period when operations were severely affected by Covid (and therefore have a modified design of internal controls) and when operations were running normally.
A dialogue between the clients and auditors is imperative to discuss the exceptions observed in management testing, changes being made in internal controls, effective date of incorporating the changes, plan of management testing of such controls and ensuring that those are operating effectively.
(The views expressed in this article are the personal views of the author)