Compliance 2.0: Transforming SOX Practices With Technology

Angelo Poulikakos, Managing Director IT Audit

Organizations have been getting better and more efficient at Sarbanes-Oxley (SOX) compliance practices for the past 17 years since SOX was implemented. Nonetheless, with control counts rising and external auditor expectations increasing, compliance hours are growing, too. The results of Protiviti’s 2019 Sarbanes-Oxley Compliance Survey suggest that while a reduction in hours is still possible, the best approach to efficiency is most likely through the application of technology, to achieve the same magnitude of transformation as the one occurring in other areas of the enterprise.

A new technology-driven model, SOX Compliance 2.0, is developing among a handful of leading executives. Based on the survey results, this new, more agile mindset is catching on. A full 85% of companies either discussed (in 2018) or plan to discuss (in 2019) with their external auditors the use of technology to test SOX controls. Sixty-one percent of external auditors leveraged technology tools to test SOX controls in 2018.

Some of the insights from our recent survey include:

  • Use of analytics not only increased from 30% to 41% year over year but it is being applied to a wider range of compliance activities through the use of ETL (“extract, transform and load”) workflow tools (e.g., Alteryx) that can combine disparate data sources, perform reconciliations and identify anomalies/exceptions..
  • A majority of organizations (53%) used technology tools to test SOX 404 controls in 2018, most frequently for accounts payable, IT general controls and account reconciliations processes.
  • There has been substantial growth in the use of technology tools for areas such as automated approval workflow (from 31% to 38%), and access controls such as user access provisioning/de-provisioning, user access review, and segregation of duties review (from 30% to 36%).
  • Use of robotic process automation (RPA) increased from 11% to 15% though most of its applications remain experimental and/or point-solution specific.
  • Use of machine learning/deep learning soared from 2% to 13%.

While a portion of the tools mentioned may not contain cutting-edge technology, their use delivers efficiency gains that can be measured, communicated and used to demonstrate the need to invest in more advanced forms of automation.

The RPA findings are consistent with the findings of Protiviti’s 2019 RPA Survey, which found that within as little as two years, companies across industries will be using RPA in virtually every business function. Although compliance applications are currently a low priority overall, the survey found that companies with more experience and maturity in their RPA deployments are far more likely to see the benefit (24% for advanced RPA users, versus 10% for intermediates and zero for beginners).

One area where machine learning has already proven itself is in the transition to new lease accounting standards. As reported in Protiviti’s Global AI Survey, AI has been proven to reduce the time it takes to review a single complex lease from several hours to a matter of minutes, improving efficiency by an order of magnitude.

The next two years are likely to yield countless new compliance technology applications, especially when it comes to emerging technologies such as data visualization and AI. SOX compliance is ripe for technological disruption. As my colleague Andrew-Struthers Kennedy remarked about the results of this year’s survey: “Next-generation internal audit and, by extension, SOX compliance 2.0, is really about encouraging innovative thought into the audit process to deliver improved results. In all aspects of internal audit, including but certainly not limited to SOX compliance work, we need to think about where we may be able to do things better — increasing efficiency, enhancing coverage, delivering more impactful results and reports, operating in a more agile and dynamic way, and increasing leverage of data and technology. Divergent thinking should be encouraged. We need to embrace disruption and actively pursue transformation.”

The learning curve is going to be steep, but with the controls and hours increasing, the ascent is well worth the effort.

6 comments

  • Please be very careful.

    The objective of SOX testing is to obtain assurance that the controls relied on to prevent or detect a material error or omission in the financial statements are effectively designed and operating.

    Use of RPA and analytics, with few exceptions, tests the data but not the control.

    If you find errors that may be an indication that the controls are not adequate.

    But if you do not find errors, that is not assurance that the controls exist let alone are adequately designed and operating effectively.

    The use of technology such as RPA and analytics as detective controls is excellent. Their use to test controls is highly doubtful.

  • Your point is valid, Norman. Yes, data mining and analytics is a form of substantive testing as we’ve traditionally thought about testing in the past. But I must point out if you are able to test virtually 100% of the recorded transactions, it is a powerful indicator that the controls were working effectively to process transactions accurately even though the means of testing is not a direct test of the underlying controls. It is the digital age and there is a shift in thinking to deploy digital tools to adopt more cost-effective means of testing control assertions. That said, to your point, a comprehensive test of recorded transactions does not address the assertion that all transactions that should be recorded were in fact captured. My take is that our survey indicates that next-generation internal audit is embracing technology in innovating the audit process because the market is moving in the direction of incorporating powerful additions to the auditor’s tool box that enable coverage of whole or large portions of transaction populations to augment the auditor’s walkthroughs and other sources of evidence.

    Thanks for the comment.

    • Jim, let me ask you the same question I ask attendees at my SOX Masters training.

      Has your home been burglarized in the last year or two?

      If not, does that ‘prove’ that you and your wife locked every door and window each time you left?

      • It’s a good question. But, in this case, I would think that most would agree that retesting significant portions of the transaction population provides indirect support for the controls assertion that transactions are processed accurately. And even some would agree that they get a higher level of confidence than they would from testing a small sample of control technique functions. I agree data mining may not address all control assertions, but if the capability is there why not deploy it to augment the walkthroughs and other sources of evidential matter available to the auditor?

        • Very interesting discussion, thanks Gentlemen.
          Can I pose another question then? What about control efficiency? I mean, say analytics proved the transactions were processed accurately (leaving completeness assertion aside for a moment). What if the control has been detecting a whole host of ‘false positives’?
          Seems to me the indirect evidence you mention might not be good enough for SOX purposes and dedicated controls testing will still be required?

          • Thank you, Artak. Good question. As important as it is, I don’t think control efficiency is the focus of SOX. The emphasis of SOX is on control effectiveness. That said, you raise a good question. Let’s just agree that digital analytics and other tools fueled by the digital age are just that — tools in the evaluator’s arsenal. They are not applied in isolation. For example, we also have walkthroughs and controls documentation to review as well as opportunities to interview control owners to understand the controls design as well as any recent changes in controls processes and personnel. At that point we can decide what else needs to be done to evaluate the effectiveness of the controls to ensure accurate processing of recorded transactions beyond reprocessing the entire population (or a substantial part of it). Again, I agree with you that efficiency is a big deal; but it’s not the primary focus of SOX Section 404.