Since the passage of the Sarbanes-Oxley Act (SOX) nearly two decades ago, internal audit teams that need to help their organizations comply with the law’s requirements have been desperate to find less resource-intensive ways to do so. For many, bringing technology and automation into the SOX compliance process has been the path to greater efficiency, especially in documentation and testing.
Organizations well-advanced in using technology and automation in their compliance activities may have found it easier to keep up with SOX requirements during the COVID-19 pandemic, as well. That’s what the findings from Protiviti’s latest Sarbanes-Oxley Compliance Survey suggest. For example, while the hours required for SOX compliance efforts increased for most organizations over the past year, “digital leaders” appear to have felt less of an impact where increases in hours of more than 10% are concerned.
Digital leaders are the companies in our survey that we categorized as having made significant progress toward digital transformation. Our 2021 survey also found that these organizations are much more advanced than other, less digitally mature businesses at using technology tools and automation for IT application controls, IT general controls, and business processes that support financial reporting (e.g., payroll, accounts receivable, accounts payable, fixed assets).
Seeing how digital leaders have performed during the past year, many SOX compliance teams at less digitally mature companies are likely even more eager now to automate their activities. And this could be an ideal moment for many to move in this direction, too.
Digitization efforts set the scene for more automation, but obstacles remain
The pandemic drove many organizations to upgrade their underlying technology infrastructure and move to the cloud to support remote work. They’ve also had to digitize more data, including audit and control evidence. The upside for SOX compliance teams is that it’s now easier for them to access that critical data — and hopefully, let go of those hefty SOX audit binders for good.
We’re also seeing many companies making investments in cloud-based SOX and audit management software and already reaping benefits. This software can make it much easier for compliance teams to maintain the administrative and project management aspects of the overall SOX program, including maintaining the process, the risk and control register and related documentation that requires updates when even small changes occur. SOX and audit management software is also valuable for automating the quarterly SOX 302 certification process, facilitating document requests, status reporting, and more.
However, despite the benefits of using technology and automation in the SOX compliance process, our Sarbanes-Oxley Compliance Survey shows that many teams still face an array of challenges in achieving the change they seek. More than half of respondents (56%) to our survey said the level of effort required to implement, govern and maintain automation of the SOX compliance process, and also train staff, is a key obstacle to getting started or furthering progress. Other top challenges cited include:
- The lack of time to spend exploring automation due to other priorities (55%)
- Many areas of the SOX control environment aren’t conducive to automation (49%)
- The lack of funding and/or executive support for automation (41%)
- The lack of knowledge on available tools and technology (41%)
Overcoming any of these challenges can be a heavy lift, especially for organizations that have yet to undertake any automation-related activities for SOX compliance. While these businesses may be tempted to run as fast as they can toward automation regardless of the obstacles, taking time and being strategic with their efforts can help ensure they make meaningful progress that endures. In other words, they need to start small — focusing first on automating areas where they’re likely to find success and then building on each “win” over time.
Automate other areas first before trying to automate controls testing
Many organizations we work with want to automate the testing of SOX controls as quickly as possible. This is understandable, as that testing takes up the most time in a SOX compliance program — two to three times per year, per control. However, we find many teams are motivated to automate control testing for reasons beyond saving time and costs: They also want to achieve greater coverage and reduce risk over the long term.
Developing and then automating the execution of a control test can be a complex undertaking, though. So, here again, walking and not running is the best course for making lasting progress. That means automating one control test at a time, or perhaps, grouping some tests together.
Robotic process automation (RPA), analytics tools and other technologies can help SOX compliance teams automate their controls testing. But they need to be prepared to face continued challenges with control evidence, which isn’t always well-structured or consistent. Building automated control tests could lead to exceptions that then require investigation — and hence, more work and risk that needs to be evaluated.
Companies can lay the groundwork for automating SOX controls testing by focusing on automating these two areas first:
- Evidence generation or artifact extraction — Automating this process can help teams understand the consistency and structure of their control evidence, which then allows them to make a more informed decision about whether they can automate testing in the future. It also helps them to show the business why the state of the evidence today makes automating underlying testing difficult. That insight can lead to more focus on improving data consistency. Also, automating evidence generation creates efficiencies for the testers, and it provides value to the business by reducing time-consuming interruptions that can impact productivity.
- The controls — Automating the SOX controls themselves can lead to automating the testing of those controls over time. Starting this process can be as basic as using RPA or other tools to create more automated workflows that trigger the execution of a periodic control. These workflows could then upload the underlying evidence so that it’s all kept in one place.
For those companies wondering how they can get started with automating their SOX compliance process, the two areas outlined above offer an answer. Automating these areas can help organizations achieve those small but significant wins that can ease SOX compliance work and cost burdens over time — and enable them to advance their digital maturity along the way, as well.
Get your free copy of Protiviti’s survey report, SOX Compliance and the Promise of Technology and Automation, at www.protiviti.com/soxsurvey. For more analysis of the survey results, listen to our podcast.