Corporations are turning to technology more frequently to comply with Sarbanes-Oxley requirements, but room for improvement remains. A significant number of organizations that fail to emphasize digital solutions continue to miss out on meaningful cost and time savings. I have witnessed this dynamic firsthand as a market advisor with AuditBoard, a cloud-based connected risk platform. It is further illustrated in Protiviti’s 2021 Sarbanes-Oxley Compliance Survey, an annual look at SOX trends, strategies and challenges that we produce in partnership with Protiviti.
Last summer, Protiviti sponsored a webinar in which I participated to review the survey’s findings. Another panelist at the event, Protiviti Director Jeremy Wildhaber, summarized the discussion in a recent post that you can find here.
One study result that stood out to me is the fact that nearly 75% of respondents do not consider their companies digital leaders. Among other characteristics, digital leaders are organizations that have a solid track record of adopting emerging technologies and that are continuously improving their digital depth based on lessons and predictive indicators.
The gap in digital maturity is concerning. Technology-based SOX compliance solutions are becoming a necessity rather than a luxury, particularly as the regulation grows in complexity as each year goes by. COVID-19 and the rush to institute work-from-home strategies certainly helped organizations recognize the need for new technologies to tackle SOX compliance, as did the consequent rise in supply chain disruptions, cyberattacks and other risks. While organizations scrambled to adjust in early 2020, it’s clear that remote working and unease over the prospect of possible business interruptions have become the new normal for the foreseeable future.
Given that backdrop, it’s not surprising that we are seeing an increase in SOX hours and related costs, both of which are being exacerbated by an uptick in mergers and acquisitions, spin-offs, secondary stock sales, IPOs, and other corporate activity. But organizations that utilize a cloud-based platform such as AuditBoard’s have largely been conducting business as usual, with few if any material impacts. The technology provides users with remote access capability, and consequently, SOX compliance functions were able to perform their work in 2020, consistent with prior years.
Among other advantages, this gave SOX compliance professionals the ability to complete information produced by the entity (IPE) and management review controls in a timely manner, to retain evidence, and to establish procedures and work-flow for a proper sign-off. It also allowed the internal audit and/or SOX compliance function to grant restricted access to external auditors to review work. Taken together, these AuditBoard features enabled organizations to keep cost increases to a minimum.
Meanwhile, organizations that performed SOX tasks manually and lacked sharing capabilities struggled to satisfy the demands of documentation management and to maintain workflow. As a result, the pandemic provided SOX compliance teams with an opportunity to petition for automation, and we witnessed an increase of first-time AuditBoard buyers. Going forward, I expect that the costs and hours devoted to SOX compliance will remain elevated into early 2022, and I’ll be closely watching how the hot job market will affect process and control owners.
For these reasons, I see organizations continuing to gravitate toward cloud-based technology tools so that they can manage the SOX environment with a tool that provides a “single source of truth” to minimize compliance expense and time. One client in particular noted that our platform had reduced administrative hours related to compliance by some 500 hours in a year. By comparison, 68% of nondigital leaders in the survey indicated that the hours devoted to SOX compliance had increased more than 10% in 2020.
But taking the first step toward implementation can be a daunting prospect. It’s not unusual for firms to hesitate over budgets and training concerns — which, by no coincidence, are two of the primary reasons cited by respondents in our study as to why they don’t adopt automation. Still, most organizations discover that implementation is relatively quick and painless due to the configurability of our platform, and the implementation proficiency of ourselves, and our partners, including Protiviti. In fact, as AuditBoard matures, more leading consulting firms like Protiviti are creating dedicated implementation teams and consulting solutions that specifically support the growing needs and sophistication of AuditBoard users.
Once companies start achieving SOX compliance efficiencies, they often begin expanding into other digital solutions, including robotic process automation (RPA) and artificial intelligence. I also frequently hear executives profess a desire to bring in data analytics, but some organizations lack the data to fully reap the cost savings such a solution provides. When pursuing a data analytics project, companies must consider where the information is coming from and who has access to it.
Another consideration that SOX compliance functions should be mindful of when contemplating a technology implementation is that they may be able to partner with IT. Additionally, some data analytics or RPA tools may already exist in the organization. The bottom line is that internal audit departments don’t necessarily need to tackle the purchase and installation of a solution alone.
Regardless of how they go about it, however, internal audit functions that harness the power of technology will ultimately put themselves in the best position to keep pace with the ever-growing demands and expectations of SOX compliance. For that reason, AuditBoard routinely encourages internal auditors to embrace technology and drive change within the broader organization.