Using technology for SOX compliance

Home > Risk > Using technology for SOX compliance

Using technology for SOX compliance

December 3, 2021 Leave a comment Go to comments

There is good guidance on how technology can help an organization address SOX compliance needs, but there is also poor guidance.

Protiviti has shared both over the years. Their latest, Using Technology to Comply With Sarbanes-Oxley: Examining the Latest Trends, falls more in the latter category.

The most important error made by the author is to ignore the difference between (a) designing and operating a system of internal control over financial reporting (ICFR) and (b) evaluating and testing it.

Technology can be of great value when it comes to implementing controls that are both efficient and effective in addressing ICFR risks.

In my SOX training programs. I share a story about how I eliminated hundreds of detailed HR and payroll key controls, replacing them with three detective controls that used analytics to support a flux review of payroll expenses.

This is where technology can be best deployed for advantage, through analytics and related tools (like RPA and ML) used in detective controls.

When it comes to SOX, reliance can just as well be placed on detective as on preventive controls. (Other business risks may be better served with preventive controls or a combination of preventive and detective.)

But caution must be used in using that same technology (analytics, RPA, and ML) in evaluating and testing controls.

Remember that the purpose of the testing is to confirm the design and operation of the controls. Verifying that the data is sound provides little assurance that controls over the data are in place. At best, analytics that detects errors in the data is evidence that the controls may be deficient.

I love to ask in my training sessions how many participants have had their homes burglarized in the last year or two. (Only one person over the many years has raised their hand.) I then ask whether that proves that they always shut and locked the front door every time they left home.

Technology can be of value in certain circumstances, such as:

Helping to manage the overall SOX compliance program. At my companies, I used software designed for this purpose.
Mining data such as configuration settings (as discussed in the paper) for validation. However, care has to be taken to ensure that this provides assurance over key controls.

One of the other issues I have with the Protiviti paper is the reference to so-called “GRC solutions”.

This is a trap!

Rather than looking for and evaluating “GRC solutions”, identify your business needs and select the software that will help you achieve them.

The best solution for your needs is often not a “GRC solution” that has a broad (and often highly valuable) set of functionalities. It can easily be a specialized technology.

For example, you may want to deploy advanced analytics technology as detective controls, and this is not usually considered a “GRC solution”. The software designed to identify access control problems may or may not be part of a broad “GRC” product.

(Note: purchase of a GRC solution may well be justified based on its ability to satisfy multiple business needs, including assisting in managing risk and compliance programs. But, I would probably not get one just for SOX.)

Finally, the author has confused SOX compliance and the auditing of other business risks. Issues like duplicate payments, failure to take discounts, and so on are rarely if ever sufficiently material to be included in scope.

The author, like many consultants these days (including the major CPA firms), is in love with technology and pushing organizations, and their internal auditors in particular, to buy the latest hammer. The problem is that these organizations then look everywhere for a nail to hit – when all they can see are screws.

I love technology as well. But define your needs and make sure any purchase is justified on business grounds.

I welcome your thoughts.