Home > Risk > Trends in SOX compliance programs

Trends in SOX compliance programs

December 13, 2020 Leave a comment Go to comments

The software company Workiva has been surveying practitioners to understand what is happening with SOX programs since 2016. They recently shared a summary of trends over these last five years.

They draw four conclusions.

1. Internal audit is the majority owner of the SOX program.

Comments:

  • Technically, management always retains ownership of the SOX program. However, internal audit may perform much of the assessment activity on behalf of management.
  • Workiva has not shared how many companies were surveyed or whether they are the same companies each year. As a result, it is somewhat speculative to draw conclusions from the survey results. However, it is not unreasonable to assume that the survey sizes have been significant and at least indicative of the trends asserted by the authors.
  • There is a huge difference between performing the testing on behalf of management and planning/managing the entire SOX program (a distinction not drawn in the report). My personal observation supports an assertion that the majority of companies rely on internal audit to perform testing. But saying that they own the program goes perhaps a bit too far.

 

2. Even when internal audit is not the owner of the SOX program, it is involved in several facets of the SOX program.

Comments:

  • The paper says “we draw the conclusion that the performance of SOX compliance activities is negatively impacting the capacity of internal audit teams to execute assurance reviews”. However, there is no evidence provided to support that position. Just because internal audit in many cases (31% here of the 77% who perform SOX testing, or 23.87% of the population) are spending more than 50% of their time on SOX does not mean that they lack sufficient resources to address their other responsibilities. That question is neither asked nor answered.
  • It is interesting that the percentage of internal audit functions performing SOX testing is down from 85% in 2016 to 77% in 2020. Since this is the greatest consumer of resources (compared to performing walkthroughs, issue tracking, and risk assessment), it is likely that internal audit resource allocation to SOX is actually less in 2020 than in 2016.
  • It is also interesting to see that a number of internal audit functions perform testing but not walkthroughs. That sounds like an opportunity that has been missed.

 

3. The cost of SOX compliance is increasing.

Comments:

  • I would be shocked if it was not increasing, given inflation and escalating external audit fees!
  • Workiva says “As organizations continue to grow and processes become more complex, the number of SOX key controls will increase, and survey results reflect this trend as well: the number of respondents who reported 250+ controls increased 10% between 2016 and 2020”. This is not logical if a proper top-down and risk-based approach is taken. Remember that as a company’s revenue grows, so does its level of materiality. In many cases, a careful scrubbing to remove non-key controls from scope should in many if not most cases reduce the number of key controls! As materiality increases, the ways in which there could be an error or omission in the consolidated financial statements will generally go down, not up.
  • I do not see the logic that adopting solutions like Workiva’s reduces cost. If anything, it is likely to increase it.

 

4. Practitioners continue to focus SOX programs on cybersecurity risk.

Comments:

  • Hackers that take advantage of cybersecurity weaknesses have never, to my knowledge, targeted the financial statements. They may steal data, ask for ransom, or cause disruption, but the likelihood of a material misstatement as a result of a hack is very low indeed.
  • If there is a breach that causes disruption and an inability to file financial statements with the SEC on time, that is not a SOX issue. It may be a violation of other SEC requirements.
  • While I often hear of pressure from the external auditors to address cybersecurity risks, a proper top-down and risk based approach (preferably using the IIA’s GAIT Methodology, which I strongly recommend) should help organizations determine whether the risk of a material misstatement is real.
  • Workiva justifies their assertion by pointing to survey results: In 2017 (there are no 2016 results) 84% had fewer than 100 ITGC key controls in scope, whereas in 2020 that is 80%. However, in 2019 the number was 77%. The survey results simply don’t support their assertion.

 

 

So, what are the SOX program trends based on my experience (I have been leading a SOX Masters[1] training class for 8 years or so)?

  1. There continue to be massive opportunities for most organizations to ‘right-size’ their program. Unless regularly pruned using a top-down and risk-based process, the program will grow out of control. Just because a control was in scope last year does not mean it should continue to be in scope in 2021.
  2. Leadership of the SOX program continues to change, necessitating training for new SOX program (and internal audit) leaders. Several companies send every new leader to my SOX Masters program.
  3. The external auditors continue to latch onto every new risk of the day. The great majority of their requests for scope changes don’t survive the question of “Where is the risk of a material misstatement? Show me!”
  4. While technology can be very helpful and increase the efficiency of the SOX program, care has to be taken when it comes to trying to use it to test controls. Most analytics and other tools test the data, not the controls.
  5. Internal audit adds tremendous value when it performs SOX testing on behalf of management, and their understanding of risk and controls aids SOX program management. But they should always work with the board to ensure they have sufficient resources to address the more significant sources of risk (including opportunity) to enterprise objectives.

 

I welcome your thoughts.

 

[1] The next class is scheduled for February, 2021

  1. John Fraser
    December 13, 2020 at 11:32 AM

    When SOX became a requirement, as the Chief Audit Executive I refused to take it on as I saw no added value. It was left to be administered by the Finance Department. We had in a Final Four firm to do much of the initial work and then Internal Audit reviewed their work to improve it for that first year only.

    • Norman Marks
      December 13, 2020 at 2:02 PM

      In the early years, the scope was totally out of control and internal audit was frequently tasked to do it without additional resources. Things are far better these days, John.

      • John Fraser
        December 13, 2020 at 2:05 PM

        Still not an added value function, best left to routine tick and boppers…many staff had much more important things to do.

        • Norman Marks
          December 13, 2020 at 2:15 PM

          Yes, it can be if done with experienced staff able to identify process improvements. In addition, you can shoot multiple birds with one audit, addressing other issues at the same time.

          Somebody has to do it! If not IA, then Finance has to hire similar staff and the cost is higher while the insight value is lower.

      • John Fraser
        December 13, 2020 at 4:01 PM

        Why should Internal Audit do it? It is a management accountability. I thought the days of Internal Audit doing bank reconciliations and such like were over.

        • Norman Marks
          December 13, 2020 at 4:07 PM

          Because it adds huge value and is the right thing for the organization as a whole.

  2. December 13, 2020 at 5:47 PM

    Setting aside the funfair, if controls to be tested are ever-increasing, there must be something wrong with the risk management (or the lack of it or risks/controls are “not being pruned” (or intensely reviewed) to set apart what’s really “matters most” that would impact on material misstatement, leaving key controls the subject of greater scrutiny).  “Internal audit is the majority owner of the SOX program”.  This assertion is basically flawed (i.e. ownership of the Program) and one that likely confuses companies. Ownership of processes and controls rests with Management and their people, not Internal Audit.  If that was so, the whole Sox compliance is doomed to fail as responsibility and ownership rest with the Internal Audit who is not the “owner” of processes and controls.

  1. December 13, 2020 at 10:41 AM
  2. December 25, 2020 at 10:33 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: