The effects of COVID-19 on your client, their internal controls, and the audit

Learn how your clients' controls may be impacted, your responsibilities as the auditor, and practical audit considerations to help you in this ever-changing and unstable environment.

COVID-19 has disrupted entities across the globe and forced businesses to make significant changes to their operations. Recent Audit Quality blogs have examined how COVID-19 has affected audit evidence, interim reporting, and going concern impacts. But how has COVID-19 affected your clients' internal controls?

With remote work arrangements, reduced personnel, business disruption, and a diversion of resources to focus on the health and safety of people and business viability, an entity's system of internal control and its various components has likely been impacted.

Keep reading to learn about:

  • management's responsibility for controls and identification of COVID-19-related changes
  • auditor's responsibility in understanding the entity's components of internal control
  • practical considerations for auditors

Management's responsibility for controls and identification of COVID-19-related changes

Management is responsible for designing, implementing and maintaining a system of internal control to provide reasonable assurance about the achievement of entity objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

There may be areas where internal controls need to be modified or may not be enforced in the current environment. When there are significant changes to systems and controls, management is responsible for identifying and assessing new risks that might arise from system changes. Management is also responsible for making modifications to controls—or designing and implementing new controls—to mitigate assessed risks.

Where changes to operations, systems and controls have been made as a result of the effects of COVID-19, the timing and reasons for the changes should be noted by management (e.g. if there were government-mandated lockdowns in the organization's country during the period covered by the engagement or other imposed lockdowns or distancing requirements that created the need for the change). Ideally, information that describes the changes in controls and procedures should be approved prior to implementation and records of the changes should be maintained for audit purposes.

Auditor's responsibility: Understanding the entity's components of internal control

Regardless of whether the auditor plans to rely on the operating effectiveness of controls, they are still required to obtain an understanding of internal control relevant to the audit. This understanding (including the design and implementation of any changes in controls relevant to the audit) supports the identification of potential misstatements and factors that affect the risks of material misstatement. Auditors will need to understand the impact of changes on all components of internal control (including how the entity has responded to risks arising from IT)—control environment, the entity's risk assessment process, the information system relevant to financial reporting and communication, control activities (which can include general IT controls and application controls), and monitoring of controls.

Control environment

An organization's control environment, which is meant to provide an appropriate foundation for the other components of internal control, may be adversely affected in the current environment. With many entities shifting their focus to crisis management and business recovery, elements of the control environment may be impacted by changes, such as organizational structure, approach to taking and managing business risks, attitudes and actions toward financial reporting, assignment of authority and responsibility, and HR policies and practices. In the current environment, entities may be relying more on untested technology. Given the constraints on resources, there may be less experienced staff performing control activities even where the controls themselves have not changed. There could also be more instances of management override of controls to compensate for controls that are not operating as intended. The culture of control consciousness may have changed because management is preoccupied by other priorities and may be more willing to overlook control deficiencies. Elements of an entity's control environment can have a pervasive effect on assessing the risks of material misstatement and deficiencies in the control environment may undermine the effectiveness of controls, particularly in relation to fraud.

Entity risk assessment process

In the current environment, entities are facing risks that were previously considered unlikely to occur and taking on new actions to address those risks. Regardless of whether the entity's risk assessment process is formally established (depending on the size of the entity), the auditor should ask about identified risks and how they are being addressed by management. For example, dedicating insufficient resources to address IT security risks could adversely affect internal control effectiveness by allowing improper changes to be made to computer programs or data, or unauthorized transactions to be processed. With remote work arrangements and reduced staff, it is crucial, now more than ever, for management to have a handle on their general IT controls, including access security controls—and for auditors to understand how the entity has responded to risks arising from IT.

Information system relevant to financial reporting and communication

Entities' procedures (within both IT and manual systems) for initiating, recording, processing, and transferring transaction data to the general ledger, culminating in financial statement reporting, have likely changed as a result of COVID-19. Auditors will need to understand the changes to updated procedures. With increased levels of uncertainty, auditors will also need to consider how the client's information system captures events and conditions, other than transactions, that are significant to the financial statements, such as impairments.

Additionally, controls surrounding journal entries as well as the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and judgments, may also be impacted, for example, by changes in levels of personnel and approvals involved.

Auditors should understand how the entity communicated to personnel the changes in roles and responsibilities relating to financial reporting, including process changes.

Control activities

With remote working arrangements and reduced personnel, control activities relating to authorization, performance reviews, segregation of duties, and physical controls may be at risk of breaking down or being circumvented.

Additionally, there may be more transactions outside the normal internal control processes, or new transaction streams for which control processes have not been fully established. New significant risks could be identified in the current environment which were not significant in prior audits, in which case the auditor is required to obtain an understanding of the related controls, including control activities, relevant to that new risk.

Monitoring of controls

Due to an increased risk of control breakdowns in other components in the current environment, the importance of monitoring controls may increase. For example, if transaction processing in a remote work environment is not being performed in a timely manner, an entity may enhance its monitoring over such processing controls to assess whether backlogs are identified. Where functions such as payroll administration are outsourced to third parties, monitoring controls are important and may include the entity's correspondence with the service providers about changes in the service provider's operations and their respective operating controls. Consideration should also be given to whether monitoring controls have been expanded to cover newly implemented controls.

Practical considerations for auditors

Updating understanding of controls relevant to the audit throughout the audit period

As the combination of processes and controls in place throughout the fiscal period evolves, auditors should consider increasing the frequency of procedures to evaluate (and re-evaluate, where necessary) the design and implementation of controls relevant to the entire period under audit.

In light of COVID-19, auditors may also find that their clients are struggling to keep their control documentation up to date, and increased verbal touchpoints may be needed for the auditor to understand the latest changes to controls and related available audit evidence. A summary of the (series of) interviews with the client could be helpful in confirming the auditor's understanding and for documenting the auditor's application of professional skepticism.

Performing procedures remotely

An understanding of controls relevant to the audit, including control changes and new controls, may be more challenging in the current environment. Many auditors and client personnel are working remotely and will not be able to speak with their clients face-to-face, or physically inspect documents and reports, or observe the application of specific controls. While obtaining an understanding of controls can be achieved remotely, auditors may need to tailor their approach from prior audits. Inquiry may allow auditors to gather information about the design of a control, but inquiry alone is not sufficient to determine whether a control has been implemented.

If the auditor is performing walkthroughs, i.e. tracing transactions through the information system relevant to financial reporting, this may be more complex when working remotely and may require the involvement of more experienced staff. Auditors will need to consider what evidence can be obtained remotely to determine whether a relevant control has been implemented and may consider the use of video conferencing and/or screen sharing to observe whether relevant controls are in place. Such approaches may create new audit risks in terms of the reliability of the evidence obtained.

Reliability of electronic evidence and documentation

When using information produced by the entity, the auditor is required to evaluate whether the information is sufficiently reliable (i.e., complete, accurate, precise, and detailed) for its purposes. Although the auditor is not responsible for authenticating the documents themselves, the auditor needs to exercise professional skepticism when considering their reliability as evidence. For example, the auditor needs to consider the reliability of scanned or otherwise reproduced source documents and whether the document is faithful in form and content to the original.

Relying on the operating effectiveness of controls

If controls have changed significantly or if controls were only in effect for a portion of the year, auditors would need to evaluate how much reliance can be placed on those controls. There may be a higher likelihood of control failures in the current circumstances. Further, if the auditor intends to use information obtained in the prior year, the auditor is required to determine whether changes have occurred that may affect the relevance of such information. To make this determination, the auditor may make inquiries and perform other appropriate audit procedures, such as walkthroughs of relevant systems. Remember, if you intend to rely on controls relating to significant risks, those controls must be tested in the current period.

Conclusion

The impact of COVID-19 on clients’ processes and controls, and the audit response, will depend on entity-specific circumstances. In this fast-changing and complex environment, we encourage auditors to be vigilant throughout the course of their engagements and to consider changes needed to the audit strategy, including the composition of the engagement team, supervision of team members, and the review of their work. Auditors’ exercise of professional skepticism remains highly important in understanding, assessing, and responding to significantly changed circumstances.

Want to hear more on this topic?

Tune in to our upcoming free, special edition Practitioner’s Pulse webinar: Understanding Your Client: COVID-19 implications for internal controls, on August 11, 2020.

For additional COVID-19-related audit resources, access our dedicated auditing resource hub, which is updated regularly.

For further resources, please refer to our existing non-authoritative implementation tools on CAS 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and CAS 330, The Auditor’s Response to Assessed Risks.

Keep the conversation going

What are the major issues your firm/clients are dealing with in light of COVID-19? What particular guidance would be most helpful during this period? Are there other audit resources we should know about to add to our resource hub? Post a comment below or email me directly.

Conversations about Audit Quality is designed to create an exchange of ideas on global audit quality developments and issues and their impact in Canada.