In SOX Compliance, Automation Is Key to Higher Value

Andrew Struthers-Kennedy, Managing Director IT Audit Global Leader
Angelo Poulikakos, Director IT Audit

As executives and compliance leaders look for ways to reduce overall hours required for SOX compliance and glean strategic value from compliance activities, automating controls and testing and broader use of robotic process automation (RPA) show promise that should be evaluated.

According to Protiviti’s 2018 SOX Benchmarking survey, nearly one in three organizations reported using technology tools such as automated process approval workflow, user provisioning and segregation-of-duties review tools, data analytics and automated reconciliation tools – although very few (11 percent) indicated a current use of RPA. What the survey results indicate is that the use of automation, and broader technology solutions, is still emerging. Organizations must move towards adoption and ongoing use when it comes to data and technology-enabled SOX program activities.

Among organizations that are using technology tools, the financial close process is by far the area for which these tools are used most frequently, followed by the financial reporting process. Only 28 percent of organizations are currently using automation in the testing of their SOX Section 404 controls. With the availability and low-code accessibility of automation software, we not only anticipate, but strongly recommend, that organizations explore priority areas where they can use “bots” to automate manual controls and also control testing activities.

Among the potential benefits of automation are increased efficiency, increased coverage and effectiveness (including the ability to shift back to statistically valid sample sizes or even full population testing), and elevated job satisfaction associated with the handoff of routine, mundane tasks to “bot” counterparts.

This year’s survey also highlighted a relatively low level of automated controls in organizations’ control environments, demonstrating there is tremendous opportunity to embed automation in key systems and processes – something that RPA now makes much more accessible. The standout group in this regard are emerging growth companies (EGCs), 40 percent of whom reported at least a quarter of their controls being automated. One of the reasons for this distinction likely is the disproportionate number of companies in this group that are “born digital.” These companies have grown up in a digital environment and tend to be digital at the core rather than only sporting a digital “veneer.” Because they typically use modern, integrated technology with built-in automation, automated controls among them are much more common than in companies with legacy environments dating back decades.

Overall, automated control testing and RPA use are on the rise, and many companies are reporting commitments to pursue automation of processes and controls. Beyond these two areas, we are encouraging companies to consider how RPA can be used to drive efficiency into the SOX process – document request management, artifact gathering, interactions with GRC platforms, process and control owner follow-ups and reminders, issue validation, etc. It does not take long to think through a list of activities that would be good candidates to transition from manual performance to automation – and how the time saved could be filled with value-adding work.

While the current generation of RPA tools offers significant benefits when implemented to address priority areas, we are likely only scratching the surface. As capabilities related to artificial intelligence, natural language processing, machine learning and deep learning, and process mining become more broadly available, we should see a significant steepening of the value curve. The level of technology enablement in SOX programs is still relatively low, leaving plenty of opportunity for improvement, but as the increased availability of data and emergence of new technologies create somewhat of an inevitability in their use, the question truly is “when, not if” SOX programs will fully benefit from these advancements.

You can download the complete survey results here.

Add comment