Q&A Interview with Chase Bongirno and Nick Bednorz
The COVID-19 pandemic continues to drive profound, deeply complex and far-reaching impacts across all aspects of the modern enterprise organization — including financial reporting and compliance management. In particular, organizations are seeing the internal control structures that drive their SOX compliance programs put to the test as these internal processes suddenly shift to a decentralized work environment. We sat down with a veteran of the SOX compliance world to discuss exactly how the impacts of the pandemic are stressing companies’ internal control processes — and what the future of SOX compliance looks like post-pandemic.
Chase Bongirno is the Principal Product Manager for Toppan Merrill Bridge. He leads a team of product engineers and designers committed to continuously improving the Bridge platform. His team strives to use insight gained from clients to inform the creation of innovative solutions. Chase is the Chair of the XBRL US Communication Steering Committee and a founding member of the XBRL US Data Quality Committee.
Nick Bednorz is the Co-Founder and CEO of AXIA Partners, a Houston-based professional services firm that offers specialized consultancy and technology solutions in areas such as SEC and IPO Readiness, SOX and Internal Audit. He has deep ‘hands on’ technical proficiency through his prior leadership roles in compliance at Deloitte and Royal Dutch Shell. Nick is the creator and developer of Comensure, AXIA’s leading SaaS technology platform for end-to-end SOX automation. He has a deep passion for a connected, modernized, digitized approach to internal control to transform the way compliance and assurance are delivered to organizations and their stakeholders.
Chase Bongirno: What is your general sense of the impact COVID-19 will have on the SOX compliance process?
Nick Bednorz: It’s pretty clear to me that the effects of the COVID situation are going to make SOX compliance as important as ever — and really bring it into the spotlight. This is exactly the kind of situation that SOX was designed to address: ensuring accurate and transparent reporting all the time, of course, but particularly when there are acute, unique stressors on the system. I’m definitely not the first to point this out. Analysts have talked about the increased focus on internal controls, and other thought leaders in the financial reporting world have emphasized that internal controls and accounting compliance will be critical throughout the pandemic.
Chase: What about the pandemic makes SOX compliance acutely important?
Nick: Basically, as businesses face increased risk to their operations, there’s a corresponding risk to investor groups that companies will not be fully transparent about these risks and impacts. We saw this in 2001 after 9/11 with Enron and WorldCom, and then we really saw this happen during the 2008 financial meltdown. Enron and WorldCom’s demise is really what led to SOX regulations in the first place. So, here we are in the midst of another hugely disruptive event. But it’s not just the economic or geopolitical uncertainty that’s stressing the system; the pandemic has completely upended the way businesses operate, including the way financial reporting and accounting compliance is executed and managed within most organizations. So it’s going to really be a test for many organizations.
Chase: What impacts are you seeing so far?
Nick: Well, a lot of companies got out ahead of this and filed statements in early Q1. They put in generic statements to the effect that they were unsure of how the evolving COVID situation would impact their business. So we won’t really see the impacts of the pandemic reflected in financial reporting results until Q2. But people are expecting to see devastating business impacts from the global economy quickly and dramatically slowing down. And with that comes temptation for companies to downplay the impact. But moreover, there are also just a bunch of challenging new realities around managing and executing internal control processes in this new, decentralized work environment. And that increases risk quite a bit in terms of reporting inaccuracies and errors — things falling through the cracks through honest mistakes. This is exactly where SOX compliance is designed to help: to make sure the appropriate internal controls are in place and properly executed. These internal controls are the mechanism that drives accurate reporting to investors and regulators. SOX doesn’t guarantee that a number might not be reported inaccurately, but if your internal controls are designed and executed appropriately, then you (and your investors) have assurance that information is being handled in an effective, controlled manner. And then, of course, the ultimate endorsement of that control structure is the signoff from your external auditor. All of that is more important than ever in trying times like these.
Chase: What are you hearing from regulators?
Nick: The SEC and PCAOB know, as much as anyone, that this situation is exactly what SOX was designed for, and they’ve made it clear that enforcing SOX is a top priority. Steven Peikin, Co-Director of the SEC Division of Enforcement, went as far as to say the SEC “does not permit the crisis to be used as a cover for gamesmanship.” The PCAOB is taking a similar line, essentially saying, “there’s no free pass because of COVID.” They’ve also indicated that they are seeing a 35% increase in tips, complaints and referrals — that their whistleblower hotlines are lighting up with individuals already seeing evidence that information is not being properly handled, managed or disclosed. So it’s clear that regulators’ ears are perked up, they recognize the unique risks this situation has created for financial reporting compliance, and they’re watching closely.
Chase: What are some of the challenges you see SOX compliance teams facing in the near-term?
Nick: I think of the challenges along three lines: timing, practicality and collaboration/supervision. From a timing perspective, timetables have been set back by the pandemic. Internal auditors are behind schedule. Signoff tasks have been disrupted by physical dislocation. External auditors’ ability to conduct audits in a normal way (onsite, in-person) has been disrupted. Auditors are investing huge sums in remote capabilities, but you can be sure they’ll push those costs onto companies eventually. And if you’re pressed for time, you’re stressing the system, and the risk of errors goes way up. So then, if you’re relying on paper documents, physical signoffs, etc., time stress will increase the temptation to circumvent processes that, really, should be followed even more diligently during a stressed time.
From a practicality perspective, both internal teams and external auditors are used to being there in-person. They’re used to reviewing and signing off on physical documents. So almost every organization has had to make tremendous changes to the way they manage their internal controls. Every physical workplace is now a virtual network — and that’s happened almost overnight.
Finally, collaboration and supervision are challenged by this decentralized, remote work environment, as well. Everyone’s used to working together in a collaborative manner that’s really dependent on everyone being face to face, together. Informal conversations happen naturally and expedite things. Supervision follows along with that. Supervision typically happens in person, in team meetings, onsite document reviews, board meetings, etc. Now everything is being handled in a completely different manner. And again, if you’re relying on a paper-based methodology, it’s very difficult to collaborate without an automated system to manage workflow, signoff, supervision, communication between all parties — from accountants, to supervisors, to the C-suite and all the way up to the board of directors. Even the dissemination of that information to the SEC, PCAOB, etc. becomes a tricky challenge, fraught with risk when your paper-based process is mashed into a suddenly digital workplace.
Chase: Where, specifically, do you see additional risk creeping into financial reporting and SOX compliance as a result of COVID-19?
Nick: I always say that a control environment should be real-time and continuous. And that means there are going to be a lot of mundane, repetitive, day-to-day processes — but those are the foundation for the higher-level internal controls. I think those day-to-day tasks are the most at-risk in this current environment. Think about something as mundane as approval of journal entries. If you have a paper-based process of generating, entering, reviewing, signing off on and validating paper-based journal entries, all of that is based on physical proximity and a physical paper trail. Now you’re doubling (at least) the complexity of it all when you’re remote — scanning, emailing, copying, printing, signing off via email perhaps, etc. And there’s no single, digital system of record to validate that everything was executed appropriately.
Here's another thing that comes to mind: SOX is like a circuit breaker that trips when something is off in your financial reporting. It’s meant to be a proactive process to detect errors as they’re occurring, and if it’s working properly, that issue will get flagged immediately and escalated for remediation. Not just to correct the error but to correct the root cause of what tripped the circuit breaker. Trusting a manual, paper-based system in a decentralized, digital environment just creates a complicated labyrinth system that makes it too likely that a flaw could get lost and not trip the circuit breaker like it should.
Chase: What are companies doing to address these challenges and risks of manual, paper-based ICFR workflows in a remote work environment?
Nick: The core of the challenges and risks is really that, in most companies, around 80% of SOX compliance protocols are managed via spreadsheet, email, even Post-It notes. It’s often a very old-school, ad hoc, highly manual process. Things have always gotten lost or leaked in these kinds of processes, but that risk is dramatically higher when you’re trying to adapt those paper-based workflows to a digital environment.
But forward-thinking companies are increasingly shifting to digitized workflows and leveraging digital platforms with built-in automation to handle SOX compliance and ICFR processes. This enables them to seamlessly work on digital documents, collaborate, review and sign-off from anywhere, any time. It also gives them a robust data trail to validate execution of their internal controls. But it also helps the stakeholders in the compliance process to focus their attention where it matters most, by automating some of the mundane, repetitive, lower-value tasks. Deloitte talked about this in a recent article where they said automation in ICFR controls can reduce duplicate assurance activities by up to 40% and increase risk mitigation by up to 60%. Those are big numbers you can’t ignore.
Chase: Looking ahead 3 to 5 years, what will be the lasting legacy of COVID-19 in financial reporting and compliance?
Nick: Well, first of all, the shift toward digitizing and automating compliance and internal control structures was already happening before COVID-19. Some of the most innovative internal compliance teams have been doing things this way for years now. Deloitte and others were already advocating for a wholesale reevaluation and redevelopment of ICFR, and pushing toward a digitized approach that leverages a high degree of automation.
I think COVID-19 is going to be the tipping point. Any time you put intense pressures on the system, you accelerate changes. We saw it in 2001 with 9/11 as well as with the 2008 financial meltdown, but COVID-19 is unique and profound because it has fundamentally changed workplace dynamics and disrupted core workflows in a way that’s completely unprecedented in history. So every company has had to make some level of shift toward digitizing the workflows around financial reporting and internal controls just to accommodate a suddenly decentralized, remote workforce. And I like the way Deloitte put it: “Now that people have moved out of their comfort zones and glimpsed what a modern control structure can do, the shift toward increasing digitization is expected to accelerate.” The question, of course, is whether an organization is going to see this wave of change coming and get ahead of it — or wait for something to more clearly “go wrong” before they start moving toward a digitized, automated approach?