Protiviti Managing Directors Christopher Wright and Charles Soranno offer a CFO and finance perspective on Protiviti’s 2020 SOX Compliance Survey results
Chief audit executives and internal audit leaders are once again focusing on Sarbanes-Oxley compliance work, which has taken on a new dynamic in the wake of the COVID-19 global pandemic, but these leaders and professionals are not the only ones immersed in this work. Chief financial officers and finance leaders and staff continue to perform numerous activities related to financial reporting and attestation work, all in the new-normal business world in which companies are now operating. This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new installment of Powerful Insights.
Protiviti recently released the results of its 2020 Sarbanes-Oxley Compliance Survey in a new report, SOX Compliance Amid a New Business Equilibrium. Our report and other materials and insights can be found here. I recently had the pleasure of speaking with Protiviti Managing Directors Chris Wright and Charlie Soranno, who offer a CFO and finance perspective on our SOX survey results, offering some interesting insights on how the work and focus of these teams are changing in the wake of COVID-19. Chris is the global leader of Protiviti’s Business Performance Improvement solution group. Charlie is a leader in the BPI solution and in our Financial Reporting Remediation and Compliance practice. Charlie, thanks for joining me today.
Kevin, as always, it’s good to be with you.
Kevin, it’s a great question, and like the progress of the pandemic itself, the challenges had phases. Initially, many people and many organisations were simply unable to report to work, and then they were dispersed. Then, once dispersed, they discovered that they had issues regarding workflow and approvals and understanding the flow of information and funds, and IT protections, and a host of other issues around their security perimeter, as well as who is doing work and how to supervise that work remotely when perhaps it was a lot more in-person than they had even thought it was until they weren’t together.
Thanks, Chris. Charlie, I wanted to start getting into some of our survey results and ask you specifically about what we call internal SOX compliance costs. In other words, excluding external auditor fees. Over the course of our decade-long study, reported SOX costs have continued to trend higher, which is a bit of a surprise if you look back at expectations 10 or 12 years ago. From a finance perspective, what are some of the factors you see that are driving SOX cost increases?
Kevin, I’m happy to help with that. What we’ve seen, obviously, the SOX cost, the internal rising, is due to many factors. We see them split into two main themes, internal or organisational changes and then external impacts, either regulatory or environmental for the company. So, in regard to organisational changes or impacts, what we see is mergers-and-acquisitions activity and other organisational changes that might just change the control suite all in, and also making sure that the controls over the M&A process itself are reviewed, analysed and tested.
The move to digital transformation, obviously – moving from business process controls to IT controls – has increased the amount of change in the process and thus increased activity, and the movement to outsourced functions, including the evaluation of the third-party provider for whatever service is outsourced, and reviewing the internal control reports or the SOX reports produced by that entity and the robustness of that as well.
In regard to external challenges, there are a few things here to note – first and foremost, new accounting pronouncements, which have been significant from a volume and complexity and judgmental perspective over the last several years, if you think about accounting changes in regard to revenue recognition, which affected most companies outside the financial services industry. Lease accounting, which affected all companies, some to a lesser regard than others – retailers most impacted, of course – and then the new credit loss provision, or CECL, which is affecting and impacting financial services companies pretty significantly. In addition, and similar to M&A activity, you’re looking at new process controls on the back end post-effective date, but you’re also looking for controls over the transition, which impacts activity and internal readiness as well.
The other item that impacts internal readiness is the regulatory environment that we’ve seen, frankly, in the past 18 years, with investment protection coming from the SEC, the PCAOB formation, which regulates a company’s external audit firms, and we’ve seen that manifest itself in two main areas: more detailed documentation, more testing – especially over judgmental and subjective areas and so-called management review controls – and the sufficiency of the review and the competency of the reviewer. We see that significantly.
Also, the completeness and accuracy of what’s called the information provided by the entity, therefore, and then the controls over that. If it’s used to execute or apply a control, how do they know that the information that is coming from that report is complete and accurate? So, those are key areas just on the scrutiny of the review that affects internal readiness. What we say to clients often, Kevin, to close off this question, is that many things have gotten added over the past decade, or past 18 years, of Sarbanes-Oxley, but nothing ever seems to come off the list.
Kevin, that’s a great question and a great observation. As Charlie noted, a lot of the extra work that companies are doing is the result of an imposition by the external audit environment in which they operate, and the external auditors themselves are likely responding to pressure from the PCAOB, which is the regulator and, as a result, the indirect regulator of public companies. As Charlie also noted, the reason for that is that all of the observations seem to be additive only. There never seems to be anything that comes off the list.
The second issue is that a lot of the work that goes on in the Sarbanes-Oxley testing thereof is not as automated as it could be. One of the lessons learned during this diaspora of finance organisations that’s been required by the pandemic as people work remotely is that companies are able to focus on the automation of tasks, where the finance organisation can automate tasks that are subject to testing, such as, say, reconciliations, where there are tools for that, or simply automated processes they can build themselves, whether it’s through robotic process automation or buying third-party tools that assist them in that regard.
Then, also, for those who do the testing to automate the testing. Naturally, automated testing is a lot easier when the process and the task itself is automated. So, the major opportunity there, Kevin, and I think companies have learned a lot about it, will be – assuming they can’t necessarily affect the external auditor environment in which they operate, or that even if they can with dialogue and planning and some of the things you can do to mitigate those impacts, that their major opportunity to become more efficient and even to make their own work more efficient and not just the testing, so that they’re focusing their leadership time on analysis rather than creation of data – is in the area of automating tasks and then automating the testing of those tasks.
Sure thing, Kevin. Happy to take that question on. The tools that we see most used in the workplace right now are data analytics tools, automated process workflow tools, continuous controls monitoring tools that are out there, advanced reconciliation tools that have been in the market for some time – we see their use – and then visualisation tools as well.
Great. This has been a terrific discussion. Thank you both. Just a reminder for our audience: You can find Protiviti’s full report on its Sarbanes-Oxley survey for 2020, SOX Compliance Amid a New Business Equilibrium, at protiviti.com/soxsurvey. I have a final question I want to pose to both of you. Chris, I’ll have you respond first. Circling back to the subject of the pandemic, what do you see as some of the long-term impacts on finance groups and how they’ll be performing their reporting and attestation work? Will there be increased migration to the cloud? Will more finance teams be set up to work remotely? What changes do you see happening?
Well, Kevin, the pandemic has not only been a period of crisis. It’s also been a period of discovery for finance organisations, and they’ve discovered a lot about what works and what doesn’t work in a remote environment and, perhaps, what may or may not have worked as well as it should have even when they were not remote. So, I believe you will see an increased migration to cloud or cloud-enabled services, where they have proven to be helpful, and to be helpful in a way that the control environment was either maintained or enhanced.
Finance teams, from our discussions with many companies across a number of industries and a number of geographies as they prepare to come back to work – maybe the last, or nearly the last groups back in the building – when you think about the needs to get, say, research and development back in or the scientific community back into the office because they need to work in labs, or other groups that need to work together, where the finance teams have found that they were able to work remotely, there’s an expectation that they will continue to do so for quite a while. As a result, the longer they work remotely, the more likely it is that some or many of them may continue to work remotely all or part of the time.
The other thing they’ll do as part of what they’ve learned during the period of discovery is be looking at whether to bring processes back the way they left. So, bringing an in-house process back to the office to operate the way it used to, or perhaps to operate a different way. If it was broken before, and it’s now been made remote possible, perhaps it will become an automated process before they bring it back either onshore or in office. So, a lot of what has been learned will, we believe, instruct not only how they come back to the office but also who comes back to the office, and when.
I agree with Chris. In regard to kind of the technology, we believe a lot of that is going to be additive, and it’s going to increase efficiency over time. Of course, we all want to get back to the office. We want to get back to serving our clients. There’s nothing better than a face-to-face meeting in an important item. However, things that can be handled remotely, I think they will continue to be handled remotely. It will increase efficiency. Folks may be working one day a week from home, lessening their commute but being more efficient. I think some of the things that have been additive or positive through the pandemic, I think they’ll stay with us.
Well, this has been a great conversation. Thank you both for joining me.
Thank you, Kevin.
Thank you, Kevin.
Thank you for listening today. Again, you can find our SOX compliance survey report, SOX Compliance Amid a New Business Equilibrium. I also invite you to subscribe to Protiviti’s Powerful Insights podcast series wherever you find your podcast content.