John Verver, CPA CA, CISA, CMC

Advisor to ACL


The Sarbanes-Oxley (SOX) Act was passed into law just over 16 years ago. By now you might think that public companies affected would have developed efficient processes that minimize costs and resource requirements of compliance …

Yet, according to Protiviti’s report, Fine-Tuning SOX Costs, Hours and Controls, 66% of companies saw an increase of more than 10% in SOX compliance hours in 2017. The report also said that the overall average annual expenditure on internal SOX compliance efforts was more than $1 million, while larger/global companies spent $2 million or more.

If this sounds like you, read on to find out what can be done to reduce these costs.

How technology can reduce SOX costs

While technology clearly plays a central role in managing SOX processes, many organizations (mid-sized companies in particular) are still using internal systems based on spreadsheets and shared documents. Some are using specialized, but outdated, audit or risk management software.

It’s understandable to some extent that organizations rely on spreadsheets and shared documents to manage the compliance process, since it was once a simple and inexpensive approach. But the reality is that spreadsheets are error-prone, difficult to manage, don’t promote efficient collaboration, and can be frustratingly inefficient to use, especially for report creation. Older audit, risk, and compliance applications are also far from ideal, and are now typically expensive to upgrade and reconfigure to support collaboration and control rationalization and optimization.

The Protiviti report also revealed that simply testing each key control typically involves 30–40 hours of documenting, evaluating, testing, and re-evaluating controls, with most of these processes performed without technology or automation. One of the major drawbacks of manual control testing based on samples and periodic testing is that you don’t know on a timely basis whether a control problem exists, or a new control risk has developed. Managing the entire testing and sign-off and certification process can also be resource-intensive and unnecessarily time-consuming.

There is a better way

The following are six ways that a more optimized technology-enabled approach can improve SOX compliance processes and reduce costs.

  1. Automating control questionnaires and certification

    Software designed for compliance supports a far higher degree of automation in handling control questionnaires and sign-offs.

  2. Facilitating collaboration

    The ability to efficiently handle multiple user profiles, with various access levels to a central database and a range of different aspects of the compliance process, enables collaboration and integration among multiple roles within the Three Lines of Defense.

  3. Greater insight into the relationships between risks and controls

    One very important area that can really be enabled through specialized software is the ability to more clearly see the links and relationships among different risks and controls. This can play an important role in control optimization, and the elimination of redundant and duplicative controls.

  4. Control monitoring

    There are also many types of controls that can be tested automatically by using data analytics and monitoring entire populations of financial transactions for compliance. Data analytics also enables automating controls, in cases where it makes sense for transaction monitoring to become part of the control process.

  5. Exception management

    Whenever issues and red flags are detected by automated transaction and control monitoring, the process of managing issue resolution and control remediation can be handled through an automated workflow.

  6. Integrating SOX compliance into ERM and overall compliance

    One other area to think about is how SOX compliance processes fit into the overall compliance and risk management processes within the organization. This is where specialized technology can help considerably in putting SOX compliance into a wider perspective and enabling increased collaboration and understanding around enterprise risk and control issues.

Reduce SOX costs by optimizing technology usage

So how does better technology usage translate into actual cost reductions?

Directly, costs can be saved by reducing the time and effort involved in control testing and certification. Compliance processes become more efficient, requiring fewer resources. Greater collaboration among the Lines of Defense adds to efficiencies around control design and testing. Optimizing controls and reducing the number of overlapping or redundant controls means less money and time are spent on different control activities. In addition, the use of data analytics and transaction monitoring improves controls and reduces risks from error, fraud, and abuse in financial systems, all of which entail costs. Finding control weaknesses before they escalate also means that the scale of losses is minimized.

Another point to consider is the role of external auditors. If they find it difficult to follow the compliance work that’s been performed, or challenging to review the documentation of compliance activities, it will mean more work on the organization’s end. The external auditors may not trust the work performed by their client, resulting in requests for more documentation and an increase in their own testing procedures, all of which results in additional time and costs.

Finally, the use of modern dashboard technology allows a far more efficient, collaborative, and valuable way of reviewing the entire SOX compliance status. Starting from a high-level summary, all those involved in managing the compliance process can review and drill down into the specific issues and risks, exploring in depth as needed.

Not your traditional SOX compliance process

Hopefully, you get the idea that an automated, technology- and data-driven approach, like the one in ACL’s solution for SOX compliance, produces results that are very different to those in a traditional SOX compliance process and reduces costs overall.

In fact, in a recent Forrester Total Economic Impact (TEI) study, ACL was proven to boost SOX productivity at a US-based manufacturer.

Something else to consider is how moving to implement more modern software and technology has transformed many businesses and critical business processes across organizations. There’s a good argument that this needs to apply to SOX compliance—as well as many other compliance processes.

7 steps to reduce the burden of ICFR/SOX/A-123 compliance

eBook: 7 steps for improving compliance processes that will seriously reduce the burden of ICFR/SOX/A-123 compliance

In this 26-page guide, we’ll look at how you can use technology to create a sustainable ICFR framework that will reduce the financial and resource burden of ICFR, while providing greater assurance over the reliability of financial statements.
