Organizations have been getting better and more efficient at Sarbanes-Oxley (SOX) compliance practices for the past 17 years since SOX was implemented. Nonetheless, with control counts rising and external auditor expectations increasing, compliance hours are growing, too. The results of Protiviti’s 2019 Sarbanes-Oxley Compliance Survey suggest that while a reduction in hours is still possible, the best approach to efficiency is most likely through the application of technology, to achieve the same magnitude of transformation as the one occurring in other areas of the enterprise.
A new technology-driven model, SOX Compliance 2.0, is developing among a handful of leading executives. Based on the survey results, this new, more agile mindset is catching on. A full 85% of companies either discussed (in 2018) or plan to discuss (in 2019) with their external auditors the use of technology to test SOX controls. Sixty-one percent of external auditors leveraged technology tools to test SOX controls in 2018.
Some of the insights from our recent survey include:
- Use of analytics not only increased from 30% to 41% year over year but it is being applied to a wider range of compliance activities through the use of ETL (“extract, transform and load”) workflow tools (e.g., Alteryx) that can combine disparate data sources, perform reconciliations and identify anomalies/exceptions..
- A majority of organizations (53%) used technology tools to test SOX 404 controls in 2018, most frequently for accounts payable, IT general controls and account reconciliations processes.
- There has been substantial growth in the use of technology tools for areas such as automated approval workflow (from 31% to 38%), and access controls such as user access provisioning/de-provisioning, user access review, and segregation of duties review (from 30% to 36%).
- Use of robotic process automation (RPA) increased from 11% to 15% though most of its applications remain experimental and/or point-solution specific.
- Use of machine learning/deep learning soared from 2% to 13%.
While a portion of the tools mentioned may not contain cutting-edge technology, their use delivers efficiency gains that can be measured, communicated and used to demonstrate the need to invest in more advanced forms of automation.
The RPA findings are consistent with the findings of Protiviti’s 2019 RPA Survey, which found that within as little as two years, companies across industries will be using RPA in virtually every business function. Although compliance applications are currently a low priority overall, the survey found that companies with more experience and maturity in their RPA deployments are far more likely to see the benefit (24% for advanced RPA users, versus 10% for intermediates and zero for beginners).
One area where machine learning has already proven itself is in the transition to new lease accounting standards. As reported in Protiviti’s Global AI Survey, AI has been proven to reduce the time it takes to review a single complex lease from several hours to a matter of minutes, improving efficiency by an order of magnitude.
The next two years are likely to yield countless new compliance technology applications, especially when it comes to emerging technologies such as data visualization and AI. SOX compliance is ripe for technological disruption. As my colleague Andrew-Struthers Kennedy remarked about the results of this year’s survey: “Next-generation internal audit and, by extension, SOX compliance 2.0, is really about encouraging innovative thought into the audit process to deliver improved results. In all aspects of internal audit, including but certainly not limited to SOX compliance work, we need to think about where we may be able to do things better — increasing efficiency, enhancing coverage, delivering more impactful results and reports, operating in a more agile and dynamic way, and increasing leverage of data and technology. Divergent thinking should be encouraged. We need to embrace disruption and actively pursue transformation.”
The learning curve is going to be steep, but with the controls and hours increasing, the ascent is well worth the effort.
