In previous posts (here and here) we highlighted certain discussions from a webinar we conducted earlier this year, about the results of Protiviti’s 2019 SOX survey. The webinar generated a number of questions from participants both during and after the live presentation. As those questions continue to crop up in our conversations with clients, we’d like to address two of them here.
Why aren’t we seeing robotic process automation (RPA) and automation in general advancing more quickly in the SOX compliance environment?
Some of this can be attributed to the fact that there is still a lot of uncertainty about whether external auditors are ready to deal with automated control testing, and also nervousness about how much an external auditor may inquire about the bot – its scripting, coding and governance. Some auditors still question whether bots might actually cause more, rather than less, work when it comes to meeting control requirements and answering external auditor questions.
Then there is the even more basic challenge of data. For companies that are “born digital” access to data is usually not a big problem. But for those firms that are digitalizing now, data is not always available electronically, or it is not in the right format. Additional tools are needed to get to that state, and that obviously causes complexity, along with extra costs, raising the barrier to automation.
So, concerns about external auditors and data availability are both barriers to moving forward. As far as how to advance automation, our colleague Tom O’Reilly of AuditBoard pointed out during the webinar that the responsibility for RPA falls on two teams – the finance team and the internal audit team. But ultimately, the internal audit team can look at what processes or parts of SOX compliance can benefit from automation and provide well-reasoned and credible recommendations to the finance team to automate certain finance processes. This is one way to at least start the conversation.
What are some recommendations for companies to rationalize/reduce their total number of controls?
Control rationalization has been top of mind for almost as long as Sarbanes-Oxley has been in effect. Companies that seem to have had the most success in this regard are the ones that perform more frequent and agile risk assessments and involve control owners earlier in the compliance process. For example, if an organization is considering the benefits of deploying a new GRC tool, it makes sense to involve process owners early in the decision-making process. They can be consulted on defining the scope and on the testing of the controls they own, and that can be a basis for control rationalization. Whether the number of controls can be reduced depends a lot on upfront process planning and, of course, on involving your external auditor in that discussion.