SOX Compliance Teams: We Need to Talk About Tech
By Matt Kelly
Not long ago I had the chance to peek at the findings of the 2021 State of the SOX/Internal Controls Market Report, and two points jumped out at me.
First, most SOX compliance professionals like their jobs and their careers (which is great), but a considerable fraction of people also want to leave the profession because the manual tasks can be both technical and mentally exhausting.
Second, most SOX compliance teams still rely on multiple technologies to manage their compliance processes, and aren’t using advanced techniques such as automation or data analytics.
The deeper point that SOX compliance leaders should consider here is how those two trends relate to each other. That is, how much do SOX technology challenges leave your human capital at a disadvantage? And how could a better technology strategy drive better use of the human capital on your team—and, consequently, drive a better SOX compliance program overall?
First, let’s look at the findings.
Seventy-five percent of respondents in this year’s survey said they use multiple technologies to manage their SOX compliance processes. Even when looking at specific processes (scoping, process narratives, evidence requests, issues management and more), respondents said they use a wide range of technologies. Microsoft Office was still the most commonly used tool, in almost every category.
Meanwhile, most respondents aren’t yet using analytics or automation. Asked to rate their use of analytics on a scale of 1 to 5, the median response was a whisker above 2, the “only a little” category. Almost nobody uses bots or other automation for testing.
Those numbers tell us that most SOX compliance teams are still busy managing the technology, rather than using it.
The survey also asked about “efficiency pain points” in the SOX compliance process. The top two pains were, in order: delays in obtaining evidence for testing, and receiving incorrect or incomplete evidence. A bit further down, another pain point was “too much copy and paste between different systems.”
Those complaints are really making that same point about managing the technology rather than using it. People are spending too much time chasing down evidence, or transferring data from one system to another, or catching up on control process changes they were never informed about in the first place, and so forth.
Of course that’s going to exasperate employees. So we shouldn’t be surprised at one other finding: that among the 25 percent of respondents who want to leave SOX as a career, one of the top reasons is “SOX is manually intensive.”
A creaky, outdated technology strategy that drags on human capital, and therefore confines the SOX compliance function to the backwaters of the enterprise — that’s the predicament that SOX compliance leaders want to avoid.
OK. How does one avoid that?
One avoids it by building the inverse of our above statement: a modern technology strategy that empowers human capital, so the work you do to strengthen controls and business processes makes SOX compliance more relevant to the enterprise.
Every SOX compliance leader would say that’s what they want to achieve; the challenge is piecing together the specific steps you need to achieve it.
Start by looking at the technology stack you use. Can you consolidate from multiple tools to fewer ones that work together more seamlessly? Study the business processes used in the First Line of Defense, and the data those processes generate. Where can you automate the collection of that data for SOX compliance purposes?
The goal in all of this is for employees to spend less time collecting data (because the technology should do that), so they can spend more time studying the data. Then your team can devote more time to risk assessment, control design, and other high-value tasks. More challenging work like that is what drives the 75 percent of respondents who do like working in this field.
Moreover, once a SOX team has the right technology in place to take full advantage of its human capital, it can start taking on other audit challenges such as ESG issues, cloud computing, anti-corruption, and so forth.
Put another way, you can expand the range of your team, and deliver that which senior management and the audit committee want most: a complete, correct picture of risk. (Which, incidentally, touches on another point from this year’s survey: nearly half of respondents say internal audit spends too much time on SOX compliance. This is how internal audit redirects that time back to other risk activities.)
Is this journey quick and easy? No—but then, the current state of SOX compliance isn’t quick and easy either. Better use of technology can break the shackles holding back SOX compliance teams now, and let you find whole new paths of potential.