SOX Compliance - Overview
Twenty years ago, Congress passed the Sarbanes-Oxley Act of 2002 (SOX). The legislation resulted in considerable changes in how businesses created and managed internal controls, as well as how their auditors reviewed them.
Since SOX was implemented, there have been several changes in corporate operations, technology, regulations, and the overall economy. In previous years, companies' compliance programs might not have been adjusted in response, or further controls may have been added over time without evaluating the ongoing usefulness of controls implemented. Having and testing too many controls instead of focusing on important controls might result in unforeseen shortcomings in internal control over financial reporting effectiveness (ICFR).
However, modernizing a SOX program may help identify economies, potentially lower compliance costs, whilst offering insights to departments other than accounting and finance.
Challenges Affecting Internal Control: Escalating Costs, Labor Shortages
Currently, the state of SOX programs as organizations facing multiple economic challenges including inflation, rising interest rates, and labor shortages affecting internal control environments. Therefore, Audit and SOX teams that focus these days on enhancing the efficiency and effectiveness of their compliance programs overlay the way for upcoming efficiencies and significant cost reductions. This is especially essential since SOX programs continue to be exposed to additional external influences that might risk internal control settings. Factors influencing current business conditions:
Continuous Rising Cost
Rising SOX compliance costs are being determined by a combination of internal and external factors — technology-driven transformation and innovation, talent shortages, strategic core, and more. Companies that spend $2 million or more on compliance whilst those that spend $500,000 or less. A sudden growth in the number of smaller firms spending $2 million or more on SOX compliance costs is likely due to last year's significant increase in IPOs, driven by special purpose acquisition companies (SPACs).
Growing Interests in Technology and Automation – Shortage of Labor
SOX compliance processes are getting more efficient due to automation systems and applications. The use of advanced technological tools such as process mining, advanced analytics, robotic process automation, and continuous monitoring, among others, can significantly reduce the volume of manual compliance tasks as well as the retention risks associated with exposing internal full-time staff to massive work loads of repetitive tasks.
During their most recent fiscal year, the majority of companies raised the number of hours documented for SOX compliance. This growth is being driven by the consistent intentions that are driving up compliance costs as well.
Automate Processes: Reduce Risk and Maintain Audit Readiness
Identifying automation and digitization opportunities can help a company's efforts to upgrade its SOX program. Leveraging technology may help a SOX program in a variety of ways, including improved quality, higher efficiency, deeper insights, and the possible reduction of total compliance costs.
Control Testing Automation
Many businesses do not automate their control monitoring and instead rely on point-in-time, sample-based testing, which results in manual reviews. This testing execution is commonly used as a comprehensive approach and may not always consider areas of emphasis and risk level to differentiate the amount of effort.
However, even if the controls were tested automatically, the organization would still need to do exception and trend monitoring in order to respond to any irregularities in control performance.
Another approach for automation, Control Automation, a properly designed automated controls are intrinsically more reliable than manual controls, and there is less chance for human error once applied.
These digital controls update the design, implementation, and testing capabilities of controls and proactively initiate corrective actions that decrease exposure and reduce residual risk. Unfortunately, not all controls can or should be automated, a company must determine which controls should be automated.
Automate an Entire Process
A significant feature in determining which process has the most automation potential is whether it is a highly manual process that occurs regularly and is characterized by a standard set of operations.
Process automation might help to liberate resources for more difficult tasks, eliminate errors by eliminating human involvement, and save time and cost by having a more efficient process. This would also allow a company to streamline the controls over that process, since the automation implemented should reduce the associated risk.
With the passage of time, companies should reconsider the real regulatory requirements as well as any inflexible concepts of what is necessary as they examine prospects for modernization. Challenging some of these concepts might result in generating new ideas and assist businesses to build new and better methods of functioning.
Also, with companies always striving to accomplish more with less, having a compliance program that does not deliver additional business insights cannot be regarded as a feasible choice. By refreshing and modernizing the SOX program, a company can identify opportunities to increase efficiency, shift focus and efforts to areas that matter most, potentially reduce compliance costs, and extract value and provide insights to areas of the organization other than finance and accounting, all while achieving compliance.