As companies adopt technology to transform operations and compete in an era of big data and “thinking” machines, or AI, internal auditors are looking for ways to achieve the same kind of transformation, especially when it comes to the expensive and time-consuming tests and reporting required by the Sarbanes-Oxley Act (SOX).
Protiviti’s 2019 SOX survey shows that a growing number of internal audit teams are using technology to accomplish these next-generation goals. This trend, documented by my colleague Angelo Poulikakos in a recent blog post, is still in the early stages, but adoption of the tools is accelerating. We discussed these findings with more than 2,000 participants in a recent webinar. In this post, I’d like to share some of the key takeaways from the webinar, building on the survey findings that Angelo has already discussed.
Next-Gen Tools Drive Next-Gen Thinking
The names of the tools are becoming commonplace: robotic process automation (RPA), advanced data analytics, process mining, machine learning and artificial intelligence. And though most organizations are still doing SOX compliance work the old-fashioned way, there are signs that this is changing and that these new technology tools are beginning to drive next-generation internal audit thinking — not only to create efficiencies in existing processes, but also to introduce enhanced capabilities such as continuous monitoring and continuous auditing.
As companies modernize and transform old legacy systems and automate and streamline formerly manual processes, new risks and opportunities are introduced. It is essential that internal audit and compliance functions respond to these changes, not only to help manage the new risks, but also to be able to take full advantage of new opportunities as they are presented.
SOX Compliance Is Ripe for Disruption
There are many areas throughout the compliance lifecycle where companies can put technology to good use — from the scoping of risk assessments to control testing — especially when it comes to automating repetitive manual processes. In the most recent SOX survey, internal auditors indicated that the top five areas where they tested controls using technology include:
- Accounts payable process – 44%
- IT general controls – 40%
- Account reconciliation process – 37%
- IT application controls – 35%
- Financial reporting process – 35%
New technology-enabled tools are also being used to facilitate walkthroughs, and to conduct population-based rather than sample-based data analysis and provide real-time monitoring and data visualizations.
Data Integrity Is Key
Looking at the top five areas above, one thing that stands out is the fact that these are all data-intensive processes. Technology is only as good as the underlying data on which it relies. Auditors and compliance functions need to work closely with business partners to make sure that they have access to data and that data sets are both representative and accurate.
Also, because automation allows for the analysis of complete data populations, the number of exceptions is likely to increase. This is an important process design consideration as exception-management is still primarily a manual process, and adequate resources will need to be provided to ensure that the upfront benefits of automation aren’t derailed by a backlog of exceptions.
Many born-digital companies start with the inherent advantage of having automated their processes from the outset, to minimize payroll. These companies are also free from the burden of legacy systems that established companies often have in place and are struggling to maintain.
RPA is one way established companies have found to level the playing field, because it can be layered on top of existing infrastructure, quickly and at minimal cost. It is important, however, that RPA be implemented as a deliberate part of the company’s technology strategy, so that it doesn’t just serve as a Band-Aid over a broken process.
When internal audit and SOX leaders adopt the right technologies, many positive outcomes are achieved. They can save time and effort by automating workflows for administrative and manual tasks. They may also improve job satisfaction for their own teams, and even decrease attrition by eliminating drudgery.
Finally, when SOX and internal audit leaders adopt the right technology they can also increase the understanding and ownership of controls and correct control deficiencies, improving the culture of control compliance throughout the organization.