April 3, 2020
Forbes is featuring a growing list of companies that are "doing their bit" in the battle against COVID-19. The Coronavirus Business Tracker is documenting organizations worldwide that have pivoted their production lines, research and development labs, software, or support services in much the way companies retooled themselves in World War II to produce war machines and munitions. While many of the companies are pharmaceutical or biotech firms working on vaccines or treatments, there are also fashion makers now designing masks and gowns, makeup companies bottling hand sanitizers, and aerospace companies producing ventilators. Even companies like Airbnb and Uber are contributing services to first responders. Clearly, companies that demonstrate agility and innovation during crises may be more poised to come out ahead both economically and reputationally.
At 7:15 pm EST on April 2, U.S. Treasury Secretary Steven Mnuchin tweeted out lender guidance for the Paycheck Protection Program, which allocates $349 billion for small businesses to access loans as part of the recently signed $2 trillion dollar economic stimulus package. The application program formally began at midnight, but following the announcement, according to an article in Forbes, many banks have indicated they are not prepared to start lending. JPMorgan Chase, for example, emailed its customers late Thursday and said it would "most likely not be able to start accepting applications on Friday, April 3, as [it] had hoped." In their efforts to provide critical assurance, internal auditors in the financial sector will play a critical role in steering their organizations through this process.
The strain of the coronavirus pandemic on systems well outside the fields of epidemiology and medicine could claim a significant victim — the European Union (EU). Some observers warn that growing nationalistic and regional rifts could weaken and even lead to the dismantling of the political and economic union, The Washington Post reports. Already traumatized by Brexit, the E.U. faces greater challenges from nationalist, Euroskeptic and anti-democratic forces, which have gained ground since the 2008 financial crisis. Such instability in a major economic/trading market could make recovery from the pandemic more difficult and delay a return to normalcy.
Crisis response often puts public funds and foreign aid at risk of abuse, such as fraud and corruption. Governments typically need to ease controls and increase policymaker discretion to accelerate the use of resources in response to public emergencies. This Americas Quarterly article argues that strong audit and oversight practices in the public sector can help ensure the funds reach their intended destinations, especially when tools are implemented to enhance transparency and accountability. Web-based digital systems, for example, enable the public to monitor and share reliable information about emergency resources. Additionally, centralized agencies may improve the coordination of relief efforts and the ability to monitor the use of resources.
The European Union (EU) is taking action to help small- and medium-sized businesses survive the COVID-19 pandemic. Among other actions, the EU is redirecting €1 billion from its budget to the European Investment Fund to encourage banks to provide liquidity to these businesses and help them access financing. These companies have about two-thirds of the jobs in the EU and have been hit especially hard by COVID-19. Internal audit can assess the risks in providing this liquidity and the risks to the businesses as they adapt to the new pandemic environment.
April 2, 2020
Concerns around videoconferencing platform Zoom's business practices are growing after a New York Times analysis of the platform uncovered surveillance practices allowing some users to access LinkedIn profile data about other users without their permission or without notifying them. The data-mining feature, which was disabled after a Times inquiry last week, was available to Zoom users who subscribed to LinkedIn Sales Navigator, a sales prospecting tool. Once enabled, a Zoom user could access LinkedIn data such as locations, employer names, and job titles. This is especially concerning given the number of employers, public schools, health providers, and others using it to stay connected while most Americans work from home. Zoom's CEO said in a blog post that Zoom would enact a feature freeze for the next 90 days to concentrate on data security and privacy issues.
Last week's death of Jeffries Group LLC's chief financial officer (CFO) due to coronavirus complications further supports the need for organizations to address their short-term succession planning during a pandemic. Boards are adapting their plans to accommodate medical leave beyond the CEO and CFO in the event of multiple absences of critical employees, according to an Agenda article (registration required). Human resource officers are being asked to identify key roles in areas of supply chain, cyber security, technology, and strategically critical areas to determine potential short-term replacements. The duration of short-term illness plans means boards can divide roles, have executives temporarily share responsibilities, or put two regions under one leader. They also need to account for the potential replacement not being available.
Small and medium-sized businesses in China have resumed work at a 76% rate, up from 60% in mid-March, CNBC reports. Large companies had a 98% work rate and had brought back nearly 90% of employees by the end of March. Nationwide, more than 400,000 businesses have dissolved or suspended operations this year, with wholesale and retail businesses hardest hit at 38%. For internal auditors, China's experience may be the first indication of how quickly business operations could resume once the crisis begins to abate. It also may indicate the resilience of the organization's operations and consumer market in that country.
Public cloud computing providers have seen an uptick in usage during the coronavirus crisis, as businesses have moved to remote work, InfoWorld reports. At the same time, the crisis has revealed shortcomings in IT teams' abilities to support on-site systems, which public cloud operations could alleviate, the article notes. It predicts more organizations will move business-critical systems to the public cloud. Moving forward, internal audit can help assess the reliability of on-site systems throughout the crisis and advise the organizations about the pros and cons of moving more systems to the public cloud, as well as the risks involved.
The current crisis calls for leaders to be resilient — able to recognize "harsh realities," inspire people, and take action, Fast Company reports. Resilient leaders have four qualities: They can deliver a compelling message, show confidence, are poised, and are tenacious, according to an executive coach interviewed in the article. Internal audit can advise leaders about how to develop and demonstrate these qualities and assess how they impact organizational performance and employee confidence.
April 1, 2020
The U.S. Department of Labor has issued updated guidance to its rules governing the new emergency sick leave law enacted in response to the COVID-19 pandemic. Among other things, updates to the Families First Coronavirus Response Act address the extent to which some small businesses can be exempted from the act and whether public sector workers can avail themselves of leave under the new law. Internal audit can assist management and public-sector officials in helping to ensure compliance with the law.
Local governments can now quickly glimpse what other communities around the U.S. are doing in response to the pandemic through a new database called the COVID-19: Local Action Tracker. Developed by the National League of Cities and Bloomberg Philanthropy, municipalities are using the tracker to share emergency declarations, ordinances, executive orders, public-private partnerships, and other actions. The sortable database helps local leaders understand what their peers are doing in areas such as curfews, communication campaigns, small business relief, donation drives, utilities ordinances, and food programs. Internal auditors in the public sector can use the database to provide assurance to local leaders.
As in other disaster situations, lawyers and attorneys general are on the lookout for companies seen as engaging in price gouging or making fraudulent claims. According to an article on Law.com, in early March, Germ-X was hit with a class action lawsuit by California consumers for advertising that its hand sanitizer offers "coronavirus/flu prevention." Similarly, the U.S. Food and Drug Administration and the Federal Trade Commission mailed warning letters to several companies who falsely claimed their products could treat or prevent COVID-19. Meanwhile, attorney generals in several states have ordered online sites to remove posts that seek to profit and play on consumer fears. While most of these actions affect only product manufacturers or websites, internal audit should be aware that the risk of lawsuits for services not rendered, or even for employee- or consumer-related health concerns, may also increase for some organizations, depending on stakeholders.
Video conferencing has become the new normal for workers, managers, and even individual households. But the rapid increase in popularity of web conferencing tools, particularly Zoom, has raised new privacy concerns that warrant attention. According to recent investigations, Zoom notifies Facebook when someone opens the app and informs them of their device model, its location, and other such information that could be used for advertising purposes. According to an article (paywall) in The Telegraph, if a company forces their employees to use platforms such as Zoom, and those employees do not offer proper consent to have their information shared, then there could be grounds for them to sue their employers — especially if the employer falls under the jurisdiction of regulations such as the General Data Protection Regulation (GDPR). This is an emerging risk that warrants significant consideration by businesses and their internal audit activities.
Amid the continuing COVID-19 outbreak, some employees who are not able to work at home have begun organizing strikes, walk-outs, and petitions with demands ranging from accommodations for "proper safety precautions" to supplemental hazard pay. In this article, the Society for Human Resource Management (SHRM), points out that U.S. "employers need to comply with the National Labor Relations Act, including the 'concerted activity' protections that apply to nonunionized and unionized employers, during the coronavirus pandemic." Internal auditors help bring attention to risks related to labor laws, which are likely to remain high in the coming months.
It's an important time for companies to begin taking a closer at the force majeure clauses in their contracts with third parties. Force majeure is a common clause in legal contracts that allows either party to limit their contractual liability due to some unforeseeable, extraordinary event. In the U.S., force majeure is notoriously difficult to establish, and a lost legal battle may result in the need to pay monetary damages. The Fast Company article suggests that parties in contractual relationships be flexible and creative to avoid legal proceedings.
The U.S. Federal Bureau of Investigation's (FBI's) Boston field office issued a warning this week for users of video teleconferencing (VTC) apps about a new threat known as "Zoom-bombing." Not unlike "photobombing" where an uninvited person spoils a photograph, there have been at least two reported incidents of outsiders dialing into unsecured online Zoom calls and creating disruptions. The FBI alert offers precautions to stop the unwelcomed participants in VTC calls, including managing screen sharing and using available password protections.
March 31, 2020
Economists' opinions are divided about how quickly the U.S. economy will bounce back from the coronavirus crisis, USA Today reports. Some economists say it may take several months for consumers to feel comfortable booking travel or venture out to restaurants and other public places, possibly extending into 2021. It is likely to hit small businesses particularly hard. Other economists say the loan provisions of the $2.2 trillion stimulus package will enable businesses to retain their staffs, while the unemployment benefits and stimulus checks will put money in those workers' pockets. Internal audit should ensure management is aware of going-concern risks over the next few months, as well as pay attention to the potential impact that employee layoffs and furloughs may have on the organization's ability to grow should the economy improve.
Last week's coronavirus relief package gives large public banks a temporary delay in adopting the Financial Accounting Standard Board's ASU 2016-13 and current expected credit loss (CECL) methods until Dec. 31 or when the coronavirus pandemic ends, whichever comes first. According to a Compliance Week article, the accounting challenge for companies choosing to report CECL in the first quarter despite reporting relief will be "how to reasonably reflect the potential effects of the coronavirus in estimates of current expected credit losses." Internal audit should continue to play a role in the ongoing assessment of internal controls, risk management, and governance systems and processes, while being aware of the potential rise in risks of material misstatement.
McKinsey & Co. reports that chief information security officers are addressing cyber risks on two fronts during the coronavirus pandemic. They are securing work-at-home arrangements "at scale" by promoting resilience, making sure required controls — such as critical system patching and multifactor authentication — are in place, and communicating to employees about the crisis and its risks. On the second front, they are helping the organization support high levels of consumer-facing network traffic by ensuring it has sufficient network capacity and has integrated security activities into network availability processes. Internal audit can review whether these processes are in place and operating effectively.
Concerns over workers' safety at "can't-close" retailers is growing during the coronavirus pandemic, causing walkouts and strikes at places such as Instacart and Amazon's Whole Foods delivery services (New York Times). Workers are protesting what they see as "inadequate safety measures and insufficient pay" for the risks they are taking to keep shelves stocked and orders filled. Harvard Business Review research about "good jobs companies" provides best practices from companies such as Costco, Mercadona, and more, that can be adopted to keep employees and customers safe. As a strategic partner, internal audit can use these guidelines to provide service to a critical area during this time.
In just three weeks, small and mid-sized business (SMB) owners have gone from expecting a banner year in 2020 before the pandemic began to most saying this year will be much worse, according to research from PYMTS.com. More than 80% say their revenues have declined during this time, while one-fourth doubt their business will survive the coronavirus crisis. Already, 5% of surveyed businesses have closed. Only 37% of SMBs surveyed are confident they will survive. Internal auditors in SMB companies should make management aware of going concern risks — particularly liquidity — and advise them of their options. In the U.S., many of these companies are eligible for small business loans as part of the recently passed stimulus package.
March 30, 2020
The historic $2 trillion coronavirus rescue package signed into law last week includes creation of a new inspector general's office to oversee disbursal of more than $400 billion earmarked for emergency loans to corporations, cities, and states. The Washington Post reports the accountability measure already is creating a potential clash between Congress and the White House. President Trump wants to limit some oversight provision "by asserting presidential authority over a new inspector general's office," according to the Post article. In a statement released shortly after the signing, the president signaled his displeasure over a provision that requires the new Special Inspector General for Pandemic Recovery to notify Congress if the administration withholds information requested by investigators.
Companies operating in the European Union (EU) are facing compliance challenges as regulators in EU countries respond to the disruption caused by the COVID-19 pandemic. The relaxation of rules and the uncertainty caused by the pandemic's disruption create opportunities for fraud and corruption. In addition, companies should not look at the relaxation as a signal to ignore rules and regulations. Internal auditors can play key roles in working with a company's compliance officers to identify, mitigate, and control such risks.
Asset managers are analyzing companies' responses to the COVID-19 pandemic and using the findings in environmental, social, and governance (ESG) research, according to a report in Agenda's sister publication FundFire (paywall). The managers are looking at how the companies are treating their employees, including compensation and benefits provided to employees during closures, as well as employee safety measures. Internal audit can provide guidance to management in developing compensation and benefit packages that address the disruption faced by companies in the pandemic.
On March 26th, the Environmental Protection Agency announced that it will indefinitely cease enforcement of many of its own environmental regulations due to the COVID-19 outbreak. According to an article in Business Insider, although the agency expects business facilities to comply with regulations "where reasonably predictable," there will not be penalties for noncompliance with monitoring and reporting obligations. The policy only applies to civil violations, says the EPA, and "does not provide leniency for intentional criminal violations of law." In an environment where organizations will be expected to hold themselves more accountable, internal audit's ability to provide objective, independent assurance against EHS-related risks such as pollution will prove critical.
Social distancing has pushed organizations already invested in digital transformation to digitize their operations and services at an even faster rate. According to an article (paywall) in the Harvard Business Review, companies that have been slow to digitize may be left behind. Meanwhile, sectors that can't fully digitize — transportation, hospitality, traditional retail — are facing many more economic and social issues, such as layoffs and employee health concerns. The current crisis sharply underscores the need for organizations to evaluate digital transformation as a risk.