In a preview of their presentation at the Dec. 10-11 PICPA Accounting & Auditing Conference, Michael McAllister and Barry Pelagatti of RKL join us to discuss the pandemic's effect on risk factors, the complications of the necessary rush to digitize business operations, and more.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
At the December 10-11 PICPA Accounting and Auditing Conference, Michael McAllister and Barry Pelagatti of RKL will explore the impact COVID-19 has had on internal controls and audits. Among the aspects they'll cover will be the risks of digitizing business operations and concerns when evaluating SOC reports. Today, they offer us a sneak preview of their session.
Do you think the rush to digitize business operations and the response to the pandemic could have led to even greater instances of internal control breakdowns? And, if so, how was that?
[McAllister] Absolutely. I think with regard to the rush to move everybody to a remote environment, trying to keep business flowing as expected, or as needed, there absolutely was a rush to or a need for new services and new vendors to make the process work, to ensure that data is flowing from cradle to grave, and its normal course, as best as could be expected under these new circumstances. In doing that, companies didn't have time to maybe do the due diligence that they should have or could have done. There are many opportunities there for internal breakdowns to occur. With regard to that, the level of security concerns ranges anywhere from proper vendor due diligence to how do you secure 10, 20, 200, 500 employees that are all working remotely within their home environments, within their home Wi-Fis?
And that's the hard part and the difficulty with the sudden shift from everybody working centralized to the entire world being decentralized. How does a company manage that? Because of that, the centralization, new levels of security risk have gone up quite a bit. To CIOs and CISOs, that might not have been a concern initially, but I know, talking to many clients, that is a concern now.
[Pelagatti] From a substantive perspective, there's a lot of criticality there. From my perspective, as an external auditor, I think one additional area that needs to be considered in this digitalization process is that once the substantive changes are made, it's paramount for the management team to ensure that all of those changes are appropriately documented, to ensure an evidential matter trail for the external auditors when they come in. Because, while the substance is critical, there's also a burden on management from a financial reporting perspective, that when the auditors show up they can get a strong sense of how those changes were made and how management's ensuring that it was done effectively. So, there's definitely a second level of perspective beyond the substance of just the transformation itself.
Is there one risk factor brought on by the pandemic that you feel is being overlooked in this area?
[McAllister] I believe that the initial, or the most significant, risk factor that was being overlooked, and it might not be quite as much now, but I think it's very hard to get their hands around, is the concern of remote employees, and how do you safeguard? People are working from their kitchen tables, from their basements, and everybody's using the devices that they have, whether it's Comcast or a normal DSL line, whatever, however they're communicating, or maybe even they're going to Starbucks. Well, maybe not Starbucks now. You can't sit inside. But they're working off of a public Wi-Fi. It's about ensuring that the protocols are in place and bringing the knowledge level up from what was never a concern with regard to home employees, making sure that their home environments are secure, that they're using encryption, that the proper virtual private networks, VPNs, have been established.
So, when data is transferred between employees and the home office, that it's properly being secured and safeguarded. In addition to that, there's concern about whether it's reports, whether it's any kind of information that the employees might be looking at remotely; what about whether they're generating paper? Are they generating NPI, non-public information, or sensitive information, remotely that they need to do their jobs? Even though we're mostly a digital world, people still like paper; they'll still print paper. Is that paper containing sensitive information that is properly being secured? Is it properly being shredded? That's the concern, I think, that was not on the forefront of individuals' minds when we started this, but I think it's a natural course: this is where we're going. This is where we might be for quite a while. And I think it's starting to gain traction with this consideration of risk, but I don't know if it has been fully vetted yet on what the potential outcome could be for all this data floating out across the world.
One of the things you plan to discuss during your presentation is general computer controls. Can you briefly describe what those are and what their significance would be?
[McAllister] There's going to be a couple of topics that we're going to go over, and they range, well, I'll just start at the top. First one, as we work in this world of the new normal, is governance, IT governance, with respect to what is the tone at the top with regard to how this process and the expectations are being handled internally from a company to the employees, or even to their clients? So, IT governance is light and fluffy, but it has a significant impact in the setting of expectations. That's going to be one aspect. The second aspect will be security considerations, which is going to be whether we're talking about virtual private networks, or firewalls, or the use of any kind of multi- or two-factor authentication. How are they securing what is being done?
What's being done to secure the information around their operations? One aspect that will be covered in addition to that is social engineering considerations. Individuals and employees are … we're curious in nature. We're always looking to see something that could be of interest, and we're easily lured into something that we shouldn't click on. Social engineering is a major consideration these days. And I would imagine that will continue being a significant aspect of any general control consideration, because the strongest or weakest link to any process could be centered around the actual employee. We'll talk about remote access and the securing of remote access, whether it's home networks, work PCs, business-owned devices or personal PCs, how or what are being used to process through the actual day-to-day work level?
Mobile device security, there are some considerations there that we'll be talking about as well. The aspect of change management. How does the company handle change management in a world, again, where most of their employees would be decentralized? How do you get the information where the patches and the updates, how do you get it to where it needs to be? Are there proper controls and considerations to make sure that's in place? Then the last aspect that we're going to talk about is the actual challenges in management. How do you manage people and hardware in this type of environment? Those are very high-level aspects of what we're going to be going over in the presentation.
What are a few ways COVID-19 has changed, altered, or impacted the SOC report?
[McAllister] That's a really good question, and I had to think about that for a minute. I don't think it changed the SOC report itself, but I think it changed the consideration of the SOC report.
One aspect that changed was the criticality of remote services and the monitoring of those services. As we mentioned earlier, a lot of companies have chosen to bring in vendors that would help them continue their business operations. There's a shift in the risks. Whereas initially information was retained on premises at a company, now it's out in the cloud. There's a risk that remains. It's just a matter of identifying where that risk now resides.
With regard to the SOC reports, it's really become quite critical. Over the past couple of years, companies have gotten more aware – and I think in our current trending, it will continue to be a strong emphasis – about vendor management. Good, strong vendor management, vendor due diligence. The actual evaluation, the proper evaluation of a SOC report, whether it's a SOC 1 or a SOC 2, is very, very important. Of course, SOC 1s are centered around the concern of financial information; as for SOC 2s, I believe there's going to be a stronger emphasis on those as well, because those are the reports that are talking about the security, availability, confidentiality, and location where data is residing, and making sure that it's being secured. I think SOC 2s are starting to come into their maturity a little bit more. I think they've not been where they quite should've been over the years, but I think in the world that we live in now, I'm expecting those to be a central part of any vendor management and due diligence.
So, the question about the impact of SOC reports, again, I don't think it impacted the SOC report, but it absolutely should impact the awareness and the need for SOC reports to ensure that companies are doing what they said they're doing, to make sure the processes are clear and safe.
[Pelagatti] What we're seeing, piggybacking off of the sentiment about vendor management and organizations having a greater awareness of SOC reports and their purpose, is we are also trying to remind organizations that a SOC report by itself is not a solution and a safe harbor, that there definitely is a requirement that management teams review these SOC reports, even if they're using a vendor to help them evaluate them, and have an understanding of where the tool that's covered by the SOC reports stops and where the burden transitions back to management. Having a very strong understanding of user control considerations and areas that management has a responsibility to supplement the controls that are in place by the system. That's of paramount importance, because a highly effective system is only as useful as how it's implemented and put into the operations of the organization.
They can't be mutually exclusive at the end of the day. We do find it very common that management, when we're out in the field requesting information, basically says, "Well, here's our SOC report." And when we say, "Well, how did you evaluate your user controls," we sometimes get that blank stare like, "Well, what do you mean? The SOC report was fine."
Having an understanding that there's an additional burden definitely can't get lost in a COVID, or a non-COVID, environment. The criticality of that will not change.
[McAllister] The one aspect I think that people don't really connect is when a SOC report is created, those CUECs [complementary user entity controls], they're determined by the vendor and by their independent auditor to be key controls, key controls that support the control objective, or the criteria, or whatever it is being applied upon. That needs to be translated down to make sure that those considerations are in some way, shape, or form being addressed at the end client.
For this question, we'll assume that at some point in 2021, we're going to get back to some type of normalcy. It'll never be as normal as it was before, but some sort of normalcy. What are a few best practices CPAs need to be aware of when they're evaluating internal controls in 2021?
[Pelagatti] I think that's going to be a little bit of let's wait and see, because I think right now a lot of the CPAs on the public side are still anticipating what it's going to look like when they go out and actually do the 2020 audit under COVID. I think management is eagerly waiting to get that feedback. What I hope is the outcome, and let's call it an optimistic post-COVID world or post-vaccine world, is that all of the best practices that were learned, the embracing of a cyber environment, the creating of flexibility for employees to do their jobs in maybe a different way than they were in 2019, that none of that is lost, but at the same time, it continues to get refined. That technology is embraced and is used to complement the human knowledge and the organizational knowledge, to allow organizations to maybe, let's say, be more efficient going forward, and maybe be able to eliminate some of the hard operational costs to attract more talent, to invest in new products, to basically provide better delivery channels to organizations.
Really what it comes down to is the hope shouldn't be to return to the old way. The hope should really be to look at the silver lining and reap the benefits of what was forced upon us in reacting to the pandemic. So, hopefully we don't just revert back to February 2020, but we look forward and say, "How can we be better as a by-product of the pandemic environment that was created?"
[McAllister] One thought I had on that was with the pandemic being, it is what it is in 2020, going into 2021, most companies, whether they realize or not, would have implemented their business continuity plan in reference to a pandemic. So, those considerations going into 2021 and beyond will be an interesting introspective aspect for the client and also for the external auditor to see what the actual impact is from that kind of consideration as well.