After 20 Years, It May be Time to Update Your SOX Compliance Program
The Sarbanes-Oxley Act (SOX) became law on July 30, 2002 – 20 years ago. For public companies, the most significant aspect of SOX was Section 404, which requires management to report on the effectiveness of the company’s internal control over financial reporting (ICFR). Large public companies must also obtain an opinion from the company’s financial statement auditor on ICFR effectiveness. Although the federal securities laws have contained an explicit requirement that public companies establish and maintain adequate internal control since 1977, Section 404 triggered extensive and expensive efforts at many companies to strengthen and upgrade controls.
In SOX modernization: Optimizing compliance while extracting value, Deloitte points out that, in many cases, controls have not been rethought since the initial post-SOX upgrade and may have become stale:
“In the years since this federal law was enacted, there have been significant developments in technology, methodology, and business and operating environments; however, the SOX program at many companies may not have evolved at the same pace, or at all. Over the years, some SOX programs may have even continued to layer on additional controls while spending the same amount or more to achieve compliance without being able to extract value from the program.”
Deloitte recommends that companies “refresh, rethink, and modernize” their SOX programs in order to “achieve efficiencies, extract value and insights to share with other areas of the organization, and potentially lower the related cost of compliance while still achieving reasonable assurance for regulatory compliance.” Such a modernization program should have three pillars -- operating model optimization, program enhancements, and technology and automation opportunities.
Operating model optimization
An established SOX governance structure and clear accountability are fundamental to an effective operating model and should be periodically revisited. One way to drive accountability is to focus, not on controls, but on the risks that controls are intended to mitigate. “If the focus shifts to the risk, stakeholders have an opportunity to drive change to focus on those controls that mitigate that risk more effectively and efficiently.” Another approach to optimizing the operating structure is to consider how and when resources should be involved in the SOX program. Deloitte suggests five questions to consider regarding the SOX program structure:
What resources are needed, and how can those resources be flexible across compliance?
Do current resources have the required expertise?
Should there be a dedicated pool of resources in-house, and should they be centralized or global teams?
Would a co-sourcing or outsourcing model be beneficial in certain areas?
How can SOX resources and control owners continue to be up-skilled as risk, technology, and the industry evolve?
A risk assessment can help management identify areas of material misstatement risk and determine where to focus its efforts. “Over time, risks evolve, or new risks are identified, and the response may have been to design new controls without always taking into consideration if any existing controls should be modified or removed.” In addition, existing controls may not appropriately match the level of risk, “which could result in not spending enough time in areas of significant risk or spending too much time in areas of lower risk.” Control deficiency remediation also depends on effective risk assessment: “If the company tries to remediate all control deficiencies without considering the risk level, they may not remediate those with the highest impact in a timely manner.” Risk assessments should encompass both quantitative and qualitative considerations, including:
Degree of complexity or judgment in the process.
Volume of activity, complexity, and homogeneity of the individual transactions.
Prior period errors identified.
Whether the resources performing the control activities are new to the role.
Footnotes and disclosures.
Assessment at a more granular level, such as the business unit level.
Another benefit of a risk assessment is that it is an opportunity for companies to harmonize ICFR with other compliance activities. Collaboration may “drive integration of compliance activities across the organization, including breaking down silos, having those cross-functional conversations, and leveraging data to be able to identify trends and create visualizations to gain deeper insights and add value.”
Technology and automation opportunities
Companies may be utilizing manual control processes and failing to take advantage of advances in technology that have occurred during the past 20 years. “Leveraging technology can enable a SOX program in a variety of ways and can lead to enhanced quality, increased efficiency, deeper insights, and can potentially reduce the total cost of compliance.” Deloitte outlines four options for leveraging technology:
Automate control testing. “Automated testing consists of profiling certain populations and transactions with real-time results, allowing a company to be able to test up to 100 percent of the population and potentially achieve more assurance for less time and cost.”
Automate controls. “Automated controls are inherently more reliable than manual controls when they are designed appropriately, and there is less opportunity for human error once implemented.”
Automate business processes. “A primary consideration in making the determination of which process has the most potential to be automated is to consider whether it is a highly manual process that occurs frequently and is defined by a standard set of activities. Automating processes could contribute to liberating resources to handle more complex tasks, reducing errors by removing human interaction, and reduce time and cost by having a more efficient process.”
Implement a governance, risk, and control (GRC) tool. A GRC tool can empower an organization to manage and streamline its SOX program and compliance risk overall.
Comment: Deloitte observes that by “refreshing and modernizing the SOX program, a company can identify opportunities to increase efficiency, shift focus and efforts to areas that matter most, potentially reduce the cost of compliance, and extract value and provide insights to other areas of the organization beyond finance and accounting, all while still achieving compliance.” Consulting firm Protiviti, which publishes an annual survey of SOX compliance costs, has also documented the increasing use of technology in SOX compliance and the opportunities that automation affords for cost reductions. See Protiviti: Companies are Spending More Time and Money on SOX Compliance, June-July 2022 Update.
As Deloitte suggests, rethinking the fundamentals of a SOX compliance program that has not been revisited in many years may pay dividends in terms of effectiveness, efficiency, and insight into organizational performance. Audit committees may want to explore with management whether there are opportunities to modernize controls and whether management is taking full advantage of technology.