The world has changed, but SOX work goes on. Organisations required to comply with the Sarbanes-Oxley Act no doubt are experiencing this sentiment firsthand. These undoubtedly are unprecedented times. The COVID-19 global pandemic has caused seismic shifts in companies of all sizes, but CAEs and internal audit, and SOX leaders, are well aware that their obligations to perform internal controls, reviews and testing continue.
This is Kevin Donahue, senior director with Protiviti, welcoming you to a new installment of Powerful Insights. Protiviti has published the results of its latest Sarbanes-Oxley survey. The report, SOX Compliance Amid a New Business Equilibrium, contains not only data on costs, hours and control counts but also guidance for conducting SOX work in a post-COVID-19 world. I have the pleasure of speaking with Brian Christensen about highlights and key results from this year’s study. Brian is executive vice president of global internal audit for Protiviti. Brian, thanks for jumping on with me today.
Well, Kevin, a lot of interest surrounds our annual SOX survey, but you’re absolutely right. The elephant in the room is, what are the implications of the pandemic that we’re currently in upon the SOX-related controls? I think they’re formidable. First, we’ve all gone to implementing workforces that are working remotely. That brings in a number of new risks that haven’t been contemplated, and because those environments have been tilted up relatively quickly, they may not have been vetted to the level and extent of other system implementations that are done, and that’s clearly on auditors’ minds.
On top of that, the catastrophic effects on many businesses are bringing in a whole new look and examination at the risk assessment process. Looking at things like growing concern, disruption of supply chain, these are all paramount to what organisations are dealing with every day, so I think the elephant in the room is clearly there, and that is that we have a different environment looking forward to 2020, on top of our results from this past year.
Well, Kevin, I think by the title of the survey – finding that equilibrium – every company is always worried about the cost of SOX. Historically, they look for better opportunities for how to improve, reduce that compliance, really getting into where it’s a recurring cost is something that can be anticipated, but year over year, we continue to see a rise in the overall cost, and a lot of that’s driven by the hours, right? There is lots of information that’s being sought by the external auditors, new areas are being examined, requiring additional work; maybe it’s more in-depth work. Those hours then translate to costs, and much to the disappointment of management, that’s the reality, and that came through loud and clear in our 2020 survey.
Brian, there’s a view we talk about a bit in our report that I think several of our folks have stated, and I wanted to get your view on this too, that at this juncture, the requirements probably are what they are, and that there’s unlikely to be a significant change in what companies have to do to comply in terms of their effort, even their cost, and so forth. Would you agree with that?
Yes. I think there are always opportunities to look for innovation that can enhance the annual SOX process. The requirements of what’s necessary, that’s an absolute, and it’s a given. We know certain elements. They’re there. They’re mandated, but there are opportunities. I think that organisations should not give up on what those are. For example, the use of automation is something that can really be an enabler, whether it’s putting things in the cloud around some general ITGC controls or things of that nature – those are opportunities that are there, but if someone’s looking for a holy grail that they’re going to be able to reduce the overall effort, I think that is really going after something that’s not really embedded in what SOX has become and what remains ongoing.
I think we become comfortable, as human beings, doing things the way we’ve always done them, and I agree. I think the pull on this is going to be that external auditors are bringing new technology and tools to bear. Those that are complying with the SOX requirements need to enhance and do the things that are there as well – such things as looking at the entire population of transactional items that occur on the GL. A lot of extraction tools exist today, and the ability to look at that is an important step within the SOX process, and many companies may not be employing something like that.
Similarly, I mentioned previously the use of controls in the cloud. We see this predominantly in the use of IT general controls – such things as user access, where you can embed a bot, or some type of tool that can look at all those. So, the testing techniques of the past of picking samples when you can do a full data set are becoming the expectations, and clearly, people need to do that, but I think there’s this comfort zone of people relying upon “Well, we did it last year – that should be sufficient tomorrow,” and that’s not the way we’re going to see the future.
I want to point out that, in our report – again, it’s called SOX Compliance Amid a New Business Equilibrium and it’s available at protiviti.com/SOXSurvey – we provide a detailed breakdown of some of these survey results around cost, hours, control counts and so forth – not only overall, but by company size, by year of SOX compliance and by industry in many cases, so we drill down in an important report much deeper than we are here.
So, Brian, last question for you: I want to circle back to COVID-19, and I think it touches on some of these issues we’ve been talking about around automation, cost and so forth. Six months, a year, from now, even longer, what are the most significant changes you see emerging in SOX compliance, even audit efforts, as a result of this pandemic and organisations probably looking to do certain things differently?
Well, I think one exciting thing that we’re starting to see is, we talked earlier in this conversation, Kevin, about the reluctance to adapt and to bring in some new technologies. I think the fact that most companies have deployed many of their employees on a remote basis, and they’re able to survive, function, monitor and test these items that we look at year over year, SOX really is an enabler to show we can do things differently.
As I look to the future, what we’re starting to see today is that whether it’s a small company or a large global company that has to comply with the SOX requirements, it’s not dependent upon a particular person being in an office, or a cubicle down the hall, to make sure all this is done. The tools and techniques are there today. We’ve really accelerated the future into our workplace, and that is a part. I think there’s good news about what the current environment is. I wish and hope that everyone is safe and healthy out there. What we’re dealing with is something that we’ve never seen in our lifetimes, but we’re learning to be agile, dynamic, in our response, and I think that’s an encouraging thing. We’ll look forward to see what that brings in next year’s results.
Thank you, Kevin. It’s always a pleasure.