Migration to new SOX technology picks up pace, report says

The newest annual survey by the SOX & Internal Controls Professionals Group and Workiva finds the number of internal control professionals using Sarbanes-Oxley-specific software doubled from a year before, along with the use of data analytics.

Of the 475 professionals who participated in the survey, 75 percent still use desktop software as their primary means of supporting Sarbanes-Oxley internal control compliance, but the number using SOX-specific software grew to 34 percent from 17 percent the year before. Similarly, the number using data analytics grew from 10 percent in 2018 to 21 percent in 2019.

“It’s not just the rate of growth, but the rate of change in the growth that’s increasing,” says Joe Howell, vice president of strategic initiatives at Workiva. “Control issues are becoming so significant there’s really no choice but to begin to automate as much as one can.”

As the Public Company Accounting Oversight Board continues to scrutinize auditors’ work over internal controls, auditors are looking for better evidence that reviews happen or that documents are secure from revision, for example. “The problem a lot of companies have when dealing with spreadsheets, word documents, or other kinds of flow chart templates is they have all these pieces of evidence that need to be connected,” says Howell. “New technologies provide links to all of these things.”

They have the added benefit of freeing people from performing manual tasks to connect the dots, allowing them to spend more time analyzing results. “It frees humans to make sense of it, to step back and analyze and form judgments about what it all means,” says Howell.

After automating some of its SOX work, Lancaster Colony Corp. has reduced the time it spends on testing SOX controls by roughly 20 percent, says Ruth Nouanesengsy, manager of internal audit at the food company. That has reduced a great deal of the purely administrative burden associated with Sarbanes-Oxley compliance, she says.

In the nearly 20 years that companies have been reporting on the state of internal controls under Sarbanes-Oxley, the processes have not seen significant improvement before the advent of newer technologies, says Nouanesengsy. Now, with a newer generation of professionals entering the marketplace who have greater comfort with newer technologies, adoption is picking up, she says. “We have individuals who have grown up on a computer understanding software and using different apps and tools,” she says.

In addition, companies are reaching a point where they are frustrated with ongoing control lapses and inefficiencies. In the SOX survey, 61 percent said their organizations experienced control issues that led to deficiencies, significant deficiencies, or material weaknesses, and that figure was unchanged from the year before. Nearly half of those who reported deficiencies said at least one of those control problems was serious enough to be labeled a significant deficiency.

That may be inspiring more companies to take the plunge into exploring new technologies. “The first implementation with a product that’s never been tried before can be painful,” says Nouanesengsy. “But these tools have improved so much since 20 years ago, now implementing is a much less painful process and you see the results sooner.”

That’s reflected to some degree in the latest survey, which found 53 percent of professionals saying their organizations do not currently use continuous control monitoring in their SOX program, but they are considering it.

The payoff is twofold, says Nouanesengsy. Companies not only make the compliance exercise more efficient and more cost effective, they also see improvements in controls themselves. “I’m not sure it’s one or the other,” she says. “Companies continue to desire to have more done with less. Eventually there’s no more you can do until you actually make an improvement. There’s been a lot of push for that in terms of the controls side as well as the ability to comply with SOX.”

The use of technology also provides some benefits on the audit side, says Lindsay Rosenfeld, managing director at Deloitte & Touche. Robotic process automation in particular is helping companies to improve the efficiency and effectiveness of their controls processes, she says.

“It allows them to rationalize and modernize their SOX program,” says Rosenfeld. Companies are also making greater use of data visualization technology to track their SOX compliance activities, she says. That improves the entire project management experience, which includes not only testing but also review of test results and any remediation activities, all with real-time results. “It allows them to have issues come to the surface faster,” she says.

Where companies have more automated control processes, that means auditors need to do less testing of sample, says Rosenfeld, although it also means more testing of IT general controls to assure they are operating effectively. The result is auditors get more insights into the data without doing more sampling of processes, she says. “We’re getting broader insights across the environment,” she says.

Ultimately, companies using more technology are achieving compliance in a more efficient and effective way, says Rosenfeld.