Heraclitus, a Greek philosopher, is credited with saying that “change is the only constant in life.” It is no secret that with the surge of IPO activity, rapidly changing technology and recent external disruptions, there has been constant change to our people, processes and technology. This uptick in change, along with increased regulatory requirements, has increased strain on our control programs, including the Sarbanes-Oxley Act (SOX). How might we track change more effectively and adopt technology that helps ease internal control program and SOX compliance burdens?
That was the main message 660 global professionals delivered in Protiviti’s 2021 Sarbanes-Oxley Compliance Survey, an annual look at SOX trends, strategies and challenges that we produce in partnership with AuditBoard. Recently, I had an opportunity to participate in a webinar to discuss the survey’s findings — specifically, the extent to which organizations are adopting digital solutions to streamline SOX compliance, the areas to which they are applying the technologies and the reasons some companies forgo investing in the tools.
Technology Usage Rising
From a broad perspective, a growing number of organizations see the value of SOX compliance technologies and are interested in exploring and implementing solutions. But many lack the knowledge and capability to move forward.
Increased GRC usage
The survey indicated that 45% of all respondents had changed their technology tools related to governance, risk and compliance (GRC) since the beginning of their new fiscal year. For digital leaders, 56% also reported that they had changed GRC technology tools over the period. (We generally define digital leaders as organizations that have a solid track record of adopting emerging technologies and are focused on continuous improvement of their digital activities.) Overall, 75% of digital leaders are using GRC software versus 65% of all organizations surveyed. GRC solutions are a good place to provide quick value in automating the control testing life cycle, including distribution and collection of request lists, status dashboards, issue management, and review comment functionality.
Control testing automation
Similarly, an increasing number of organizations are using at least some technology tools in the testing of controls to comply with Section 404 of SOX. These include data analytics packages, robotic process automation (RPA), process mining and other solutions. Some of these tools will analyze large chunks of data or, like RPA, will mimic what a human does from a testing standpoint.
Using technology tools in control testing is a very hot topic among chief audit executives (CAEs) and others responsible for overseeing control programs. As Public Company Accounting Oversight Board inspections influence CPA firms to expand their scope, increase their depth of procedures and adjust other behaviors, the cost of compliance keeps rising and adds pressure on budgets. Not only are organizations trying to do more with less, but they also want to reduce the time spent on SOX compliance to free up resources addressing the broader set of risks that they are facing.
Given these dynamics, it’s no surprise that 66% of digital leaders surveyed said that they were using tech tools in 2021, a substantial jump from 45% last year. Yet in many cases, the use of technology is still discrete and limited versus broad-based and embedded, which presents even these digital leaders with an opportunity to more fully utilize the solutions. When it comes to all respondents, 51% said that they were using tech tools in 2021, an increase of five percentage points over 2020. Of the 49% that didn’t respond affirmatively to the question, about half reported that they were pursuing efforts to include implementation of technology tools in their budgets.
Where to Begin?
The survey also revealed where organizations are applying these tools for controls testing. Of the 51% of respondents using tools, we asked them to identify to which of 14 separate processes they applied the solutions. While some percentage of organizations are using technology in every process, the following areas were most targeted:
- IT application controls: Using technology tools to pull configurations or access listings out of ERP systems or other applications saves time that staff would otherwise spend on retrieving screenshots.
- Accounts payable: We’ve seen a lot of organizations utilize data analytics solutions, enabling them to spot duplicate payments, multiple instances for a single vendor, invoice payment terms mismatched from contracts, lost opportunities for discounts and myriad other use cases.
- IT general controls: Technology tools applied to IT processes related to logical access, change management and IT operations can help significantly reduce manual testing efforts and expand testing coverage. Very common use cases include identifying former employees who may still have access to systems as well as supporting aspects of the user access review process.
While companies focus their use of technology on these processes most when it comes to satisfying SOX Section 404, they may not be the top areas of technology focus for all organizations. Among other criteria, the type of business and its controls, what the data looks like, the consistency of the data or forms, and how much time it takes to perform certain tasks are all considerations to take into account when contemplating adoption of automation or other solutions for controls testing. Performing an automation readiness assessment can cut through this noise and help identify which processes are the best candidates and have the highest potential for return on investment.
Companies not using tech tools for SOX compliance — or organizations that are having difficulty innovating further — cite various challenges. The top reasons include:
- The level of effort it would take to implement technologies, train people to use them, and govern and maintain the tools
- A lack of time to spend exploring automation due to other priorities, including preparing for an initial public offering or completing a merger
- Many areas of the SOX control environment simply not being conducive to automation
- A lack of funding and/or executive support for automation
- A lack of knowledge on available tools and technology
Among those responses, the third one can be true for a number of organizations. In many cases, data or forms are not clean or consistent enough to make a transition to automation practical. But companies that perform automation-readiness assessments often discover that they have a greater opportunity to automate than they initially thought. Therefore, organizations should take every opportunity to explore ways to adopt technology or make broader use of existing solutions to drive improvements in efficiency, effectiveness and coverage. The time to begin that endeavor is now.
(A side note: Some organizations cannot financially justify implementing technology to assist with SOX compliance even after an assessment. Protiviti helps these companies by leveraging our new suite of technology accelerators, which can be run on demand or as a service to bring the power of automation and analytics into these environments. View a replay of the webinar and a demonstration of how the solution works. Contact us to find out more.)
Ultimately, organizations considering adopting technology solutions to create SOX compliance efficiencies can take preliminary steps to gauge feasibility by performing a control assessment to identify highly manual tasks, data availability and consistency, and highly transactional controls. For those that have data analytics, RPA solutions or a similar technology already in-house, it’s easier to leverage the IT function and add the analytics or RPA use cases into the existing programs to measure their effectiveness.
Regardless of which route an organization decides to take, the key is to start small and pick the best use case to test. Once organizations commit to implementing technology and get familiar with it, the results will fuel ideas on how to fully utilize the solution, thereby generating even more efficiency and a greater return on investment.