Continued on next page.

The COVID-19 global pandemic has created challenges far greater than SOX compliance. However, key activities such as executing and documenting internal controls must continue. Yet it’s clear that for many, this work must be done in a different way. People are working remotely, possibly on a long-term basis. Critical data and systems may not be readily available.

Fortunately, there are proven approaches to overcome these obstacles and complete needed

controls work. Moreover, these and relatedimprovements will enable organizations to stay ahead of these types of concerns in the future. In the accompanying table, consider the solutions for potential activities where the COVID-19 pandemic has impacted SOX compliance activities.

For more information, read Protiviti’s research report, SOXCompliance Amid a New Business Equilibrium, available at www.protiviti.com/SOXSurvey.

COVID-19 and SOX Compliance Activities — Executing New Approaches

• Review: Use digital signature and a PDFwriter to complete review and mark upscanned documents.

• Supporting evidence: Capture supportinformation through screen shots orphone pictures and email to retainevidence for this period (includingcomputer timestamp to provetimeliness of review).

• Use audit management software, Share-Point or similar tools to store journalreports and a PDF writer to evidencereview and mark up review notes.

• Use a manual journal review risk rankingto focus on high-risk journal entries.

• Create a SharePoint or intranet folderwith restricted access and allow posting tothat site to signify approval for this period.

• Grant a temporary extension or scope outcertain low-risk or low-activity accounts.

• Validate with a follow-up email tothe preparer noting approval and norequired follow-up procedures.

Manual journal entry review

Period-end manual journal entry completeness review

Manual account reconciliation review

Activity Short-Term Solution Long-Term Solution

• Use workflow within ERP or tools tofacilitate automation and control of thefinancial close process (including accountreconciliations), with an add-on to allowfor easy viewing of journal entry supportif needed.

• Utilize artificial intelligence and dataanalytics solutions to profile and analyzejournal entry data and identify outliers,anomalies and high-risk transactions.

• Use technologies such as MicrosoftTeams to evidence task completionand record evidence of completion.

• Use a manual journal review risk rankingto focus on high-risk journal entries.

• Leverage an automated reconciliationtool to facilitate the process and retainsupport; risk-rank account reconciliations.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans.

Period-endchecklists

10-Q/Ktie-outbinder

Manual employee change notices or user access provisioning forms

Period-end physical inventory count/validation

Period-enduser accessreview

Minimum passwordresetfrequency

Dual check signaturerequirement

Manual approval of invoices, contracts, agreements, asset purchase or disposals, scrap sale, etc.

• Use collaboration tools such as Microsoft Teams to evidence task completion and record evidence of completion.

• Use process workflow tools to help enforce the process, support step-to-step progression and monitor status.

• Use a tool to facilitate financial reportingsupport and tie-out process for submittingSEC filings.

• Leverage IT incident management toolsto capture and evidence approvals.

• Use automated/remote scanning ortagging solutions to validate barcodesof inventory on hand.

• Configure system to automatically runand distribute reports within predefineddate and data parameters.

• Institute an automated password resetapplication driven off security questionsto avoid impact on IT support to allowfor password reset frequency withoutinterruption.

• Utilize banking software tools.

• Use workflow within ERP, with anadd-on to allow for easy viewing ofsecured documents and sign off usingdigital signature tools.

Activity Short-Term Solution Long-Term Solution

• Use SharePoint with secured folders tostore checklists and online signaturetools such as DocuSign to captureevidence of review and approval (includingtimestamps and identity authentication).

• Utilize PDF software to capture tie-outelectronically.

• Capture handwritten tie-out via ascanner and save.

• Create a network folder which only thereviewer has access to and allow transferinto this file to serve as evidence of review.

• Create a centralized SOX documentationemail box to be copied on email approvals.

• Leverage DocuSign or other signaturetools to capture evidence of review andapproval (including timestamps andidentity authentication).

• Utilize video share to locate and view sampleselections to validate quantity and qualitywhere needed for higher risk locations,or deploy in-building/outside drones.

• Have third party certify or confirmcount for lower risk locations.

• Rollback or rollforward inventorybalance to alternate date.

• Remind owners to run reports on or asof period-end date exactly. If reports arerun as of a later date, this may forcereconciliation back to the period-end date.

• If your organization is suspending thereset of passwords every x days, ensurethat control wording is updated andrisks are mitigated by other controls.Consider longer, more complex passwordsin lieu of frequent change practices.

• Temporarily update transactional authority to a central point such as controller or head of finance, and periodically monitor activity through weekly review of high-risk/high-

dollar activity to ensure appropriateness.

• Utilize secured digital signature toolssuch as DocuSign to record approvalson the secured documents.