Transcript | The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates

This is Kevin Donahue, senior director with Protiviti, welcoming you to a new edition of Powerful Insights. Today, we’re going to be talking about all things, or maybe some things, SOX compliance. Specifically, we’re going to be talking about the results of Protiviti’s latest Sarbanes-Oxley compliance survey. The results of our research are featured in our just-released report, The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates. We’re going to jump right into my conversation with Andrew Struthers-Kennedy and Angelo Poulikakos. Both are managing directors with Protiviti. Andrew is the global leader of our Internal Audit and Financial Advisory practice, and Angelo is the global leader of our Technology Audit practice.

Angelo, thanks for joining me on the podcast today.

Thanks for having me, Kevin.

Andrew, as always, great to speak with you too.

Always great to be here, Kevin.

Andrew, speaking broadly, we see some trends that SOX costs may be stabilising a bit, but hours continue to move upward. That said, organisation size and complexity are the factors that are going to drive costs for most organisations. What are some opportunities for companies to manage costs and hours long-term?

It’s probably no huge surprise that the size and complexity of an organisation has perhaps the biggest influence on hours and, ultimately, cost — and I’ll comment in a moment about the bifurcation between those two. It’s also probably important to note that there’s no real one-size-fits-all when it comes to the specifics of an organisation and the solutions that can be pursued to help address rising costs and hours.

But there are themes that we see that we would either typically recommend and/or we’ve seen organisations be successful with. A few of those — looking at standardising controls as best as is possible across organisations locations, across product lines, and driving a more simplistic control structure — are almost always beneficial and almost always help to manage hours and costs. Taking a hard look around broadly enabling technology and how that’s being used and leveraged as part of the overall internal control programme that’s in the processes by the process and control owners and the operation of the controls.

Also in the testing of controls, and components of that, looking for or looking at governance risk and compliance GRC solutions that have proven themselves to be tremendously beneficial in any organisation with the basic or simple level of complexity when it comes to internal controls. And looking beyond that, at other specific tools that can be explored and adapted to the environment. That will drive efficiency. And a lot of times, we’re seeing the investment in those upfront — in any licensing costs, in implementation costs, which pay back multiple times over a fairly short period in the efficiency pickup that’s possible through the pursuit and implementation.

And then some good, old-fashioned challenging of scope. Oftentimes, that requires robust and ongoing discussion with external audit firms, which we always encourage to happen early, often and throughout the process. Looking at controls rationalisation, especially in the context of some of what I’ve just talked about. Standardisation of controls, pursuing and driving tech-enablement automation. There tends to be a lot of opportunity if you challenge the current state and look at that in the context of what’s been progressed to rationalise controls, drive down the controls count, simplify and pick up benefit from an hours and pricing standpoint.

The final point I’ll make is looking at the way in which the organisation is structured or organising itself related to the control environment and testing. That might be the pursuit of shared-services types of organisations or centers of excellence onshore or offshore for driving efficiency and cost improvement, especially as you look at the more mechanical aspects of a controls programme, information gathering, document gathering, testing and so on. Those are a few areas, Kevin, that we’re seeing organisations taking a hard look at — and a fresh look at, in some cases — that are helping them moderate hours and costs.
 

Angelo, my question for you is around automation and technology enablement. But first, anything to add to Andrew’s comments around some of the general trends we’re seeing around cost management and hours on a long-term basis?

Audit departments and SOX compliance teams are simply being asked to do more. What I would love to cover is just how automation could help streamline various efforts — not just with SOX compliance teams but also with all lines of defense to help create better transparency and awareness, which hopefully drives more efficiency in the process.

That’s great, Angelo. Let me pose my question to you around automation and technology. In our survey, we found that a growing number of organisations are investing in automation and advanced technology tools to support their SOX compliance activities. I think we all agree that’s great to see. What are some of the specific actions we see organisations taking, and why are these good things?

It’s true that many SOX compliance teams are focused on technology enablement, and we’re seeing that from the services that we’re supporting our clients with. We’re spending a lot more time reviewing our clients’ use of technology and providing them with roadmaps and recommendations on how they can increase that use. But if we were to dissect things from an advanced analytics perspective, internal audit departments and SOX compliance teams are now more readily equipped with access to the tools by leveraging what’s already in-house, whether that’s visualisation software like Power BI or Tableau, or analytics software like Alteryx or other Microsoft tools available.

Audit departments used to have to fight to get budgets for proprietary audit automation analytics software, whereas now they can use the same tools every other department is using. To add to that, it helps that many organisations at both an enterprise level and at individual business-unit levels are investing in building out data lakes, they’re building out data warehouses, they’re building out their own dashboards that give auditors more transparency as well as abilities to do more with analytics in a self-service-like manner.

The next trend we continue to see relates to the adoption of cloud-based solutions for SOX compliance, which have proven to be invaluable as it relates to streamlining the entire programme and process. Whether it’s related to requesting documentation, performing testing or providing status reporting, these cloud-based solutions are making it easier and easier for SOX compliance teams to do more. From a general coordination and communication perspective, a lot of these cloud-based solutions also make it easy to integrate with existing systems. For example, a control validation that would have required data from an ERP system or, say, another cloud-based system, like Azure or AWS, can now be automated via an API.

Finally, and what is most exciting, is all the talk we’re having now about generative AI. We are seeing some forward-thinking organisations think of ways they could leverage AI — generative AI and large language models, more specifically — to better pinpoint risk areas or anomalies. It’s ultimately going to help lead to a more proactive approach toward compliance. We are still fairly in the early days of this, but it’s moving a lot faster than ever before. It’s going to be just a matter of time until we see more SOX compliance teams leverage generative AI to do full population-based testing or to assist the auditor in being able to be more efficient and provide more valuable insights.

When you think of all three of those domains — the use of advanced analytics, the use of cloud-based audit management tools and SOX tools, and, finally, when you add AI into the equation — it’s all helping drive more efficiency, more scalability. And it’s hopefully providing a lot more joy to those SOX compliance teams in their day-to-day work. It’s helping them be a lot more data-driven and helping them provide more valuable insights compared to the traditional way of doing things, which may have not involved technology to that same extent.

A quick follow-up question for both of you: Are the talent and skill levels within internal audit functions where they need to be to capitalise on these tools and technologies?

The interest exists, but the talent is still lagging a bit, and it’s largely due to existing priorities, having to meet deadlines. Teams are very passionate to get hands-on with these tools, and there are many individuals on teams that often do. But we’re not seeing widespread adoption across the entire team. We’re not seeing the competencies across the entire team. There’s still a lot more room for upskilling.

The good news is, the training that is available is fairly straightforward and fairly self-service. It comes down to prioritisation and having some runway and perhaps a breather to help get smart on some of these tools and to learn how to apply them. The hardest part in our line of work and a typical SOX compliance analyst’s line of work is, it’s easy to resort to the way things were done in the past to leverage prior-year work to help inform the way work gets done for the current year. To use these tools requires a completely different approach and requires learning new things and applying those things that you learn, and that fundamentally looks different and often poses a challenge and a barrier.

I’m going to switch gears after that interesting discussion, and we have a lot more in our report around technology and automation and tools. Andrew, I want to talk about ESG. Our results indicate that more than one in three organisations already are disclosing ESG metrics and applying internal control over financial reporting processes to that information. Moreover, nearly half have plans to do so. How is ESG changing things for SOX and internal audit teams?

It’s an interesting kind of insight coming from the survey. We certainly see sustainability being on the agenda for the vast majority of companies, and many are already taking steps. That’s ahead of what’s widely expected and hotly anticipated to be coming from the SEC later this year, although the specifics of the final role are still to be determined. We’re seeing, ahead of that, many organisations already focused on this. It’s rare that we have a discussion with a client or another company in the market where sustainability isn’t a topic of discussion, so it’s no surprise to us that we saw the extent of the response rates on this particular topic in the survey. If anything, it’s a little surprising that the numbers weren’t higher.

There’s probably a confluence of factors that are driving attention to this from an ICFR and Sarbanes-Oxley perspective. Earlier this year, COSO released its guidance on how to apply the COSO 2013 framework to sustainability reporting. So that’s been adopted as internal control over sustainability reporting — ICSR — and that drove a lot of interest and discussion around the topic as well. And we’ve seen many organisations taking that guidance and looking to apply COSO 2013 to their sustainability-reporting activities.

I mentioned the SEC rule. The specifics of that rule will determine the extent to which ICSR is going to be brought into the scope of ICFR — financial reporting and broader disclosure controls or procedures. But I do expect that we’ll see some impact there and heightened expectations coming through from the PCOAB and external auditors. It’s the extent to which and the timing around which that will start to happen that there’s still uncertainty around. But before the end of the year, we are expecting and anticipating to see the final rule from the SEC.

From an internal audit perspective, we’re seeing a huge amount of focus around sustainability reporting. I alluded to this, but it’s worth noting that a significant percentage of U.S. public companies and larger private companies are already issuing sustainability reports, but the standard by which they are being issued is not consistent or has not been set yet.

But we are seeing a lot of activity in this space — internal audit functions focusing on controls over the reporting process, the data that’s fed into the reports, looking at validating calculations or the model that’s used for things like greenhouse-gas emissions, looking at the overall governance structure related to sustainability reporting and ESG more broadly taking a hard look at commitments and promises made through marketing activities or through sustainability reports. Those are all areas that are priority targets and focuses for internal audit activities and great candidates to be looked at from an audit and from a controls standpoint.

The final point I’ll make: With a few references to the SEC’s rule on ESG disclosures, the EU’s CSRD is essentially already in effect, and that’s going to be impactful in the near term for any U.S. company that has European operations. Even pending the SEC’s final rule, there are reg requirements in play for U.S. companies — in Europe, probably most prominently, but also in other regions globally. There is no pass right now on this topic for anyone, and individuals that are overseeing controls programmes, ICFR SEC reporting and internal audit activities should be keenly focused on ESG and the rapidly moving landscape.

And Andrew, you alluded to this, but on top of that, many, and a growing number of, major companies are requiring their suppliers to provide ESG data and reporting. And that can’t be just a subjective documentation. It has to have the data and analysis behind it, which I expect will be a role that internal audit has, or will play a pretty active role, in putting that together.

Yeah — 100%. And we see it even in our own business. Kevin, where, as we’re looking to renew long-standing relationships, enter into new relationships, this is a question we’re always getting asked. We’re getting asked about our ESG programmes, our sustainability reporting, and not just at a surface level, but at levels below that, with some expectation that we’re providing substantiation for the things that are included in our commitments, our statements and our sustainability reporting.

The same is true for many companies as they look at their ecosystem, their supply chain, their business partnerships. It is a common topic that is being probed and pushed on. And there’s an expectation — and there’ll be a heightened expectation — that the responses that come through those inquiries will have a level of assurance or substantiation associated with them.

Let’s pivot now to cybersecurity. Angelo, 41% of organisations were required to issue a cybersecurity disclosure during fiscal year 2022, according to the results of our study. How is the relevance of cybersecurity increasing when it comes to SOX compliance?

Cyber has become a topic that’s impossible to ignore from a SOX perspective. We know that cyber threats are evolving. They’re becoming more sophisticated, and we expect them to become even more sophisticated with the prevalent use of AI. But their impact on business operations and financial statements is real. And it’s not just an IT or cyber issue anymore, but it’s also a business issue.

Historically, SOX has been focused on ensuring the accuracy and reliability of financial reporting, with internal controls being at the heart of this regulation. And as we’ve witnessed, significant cyber incidents and events can have material financial implications affecting assets, liabilities, revenues and expenses. As a result, ensuring that there are robust controls over cyber risks has become crucial to ensure the accuracy and reliability of financial statements.

The new SEC cyber rules further accentuate this connection. These rules, which went into effect in late July, emphasise timely, transparent and comprehensive disclosure of cyber risks and incidents. Earlier, you mentioned 41% of organisations, based on our survey, were required to issue a cyber disclosure during 2022. We’re definitely going to see that number increase. The FCC’s view is that cyber threats and incidents pose an ongoing risk to public companies. It impacts investors, it impacts market participation, as evidenced by all the occurrences of attacks we’ve witnessed over the past several years.

As I mentioned, the sophistication of methods is increasing. Even I, as a cyber practitioner, at times have to look twice, three times, before clicking a link because they’re just so smart. And the ways of involving text messages, emails, phone calls, there’s just a lot of possibility for human error.

But back to these amendments, they’re ultimately aiming to provide investors with more information and more transparency around cyber risks and a company’s ability to identify and manage these threats and oversight that’s needed by a company to ensure that senior leadership and the board of directors are very much engaged in ensuring that the right controls programmes are in place to help ensure an effective cyber programme, but also, if there is an event, being in a strong position to assess the materiality of the event and, if deemed material, providing the public with that level of awareness.

To summarise, cyber is not just an IT issue. It is a financial reporting issue. When you think of SOX compliance at its core, it’s always been about having robust internal controls. As cyber risks have financial implications, controls around these risks now become part of the SOX purview — and now, with the new SEC rules on cyber disclosures that only further intertwine the world of cybersecurity and financial reporting.

In the past, it may have been acceptable to just look at some security administration and logical access controls around the financial reporting systems and subsystems. As time progresses, we’re going to see the scope of cyber-related procedures increase, driven by external auditors, and all of that will have a cascading effect to internal teams.
 

Andrew, let’s pivot back to technology. I wanted to ask you about an interesting development that we saw in our results: External auditors are increasingly reviewing source code for automated controls. This is particularly the case when it comes to large accelerated filers, where that’s happening for 64% of them. What does this say about external auditor expectations and, by extension, guidance from the Public Company Accounting Oversight Board?

When we think about automated controls, we could perhaps expand that to cover things like application programme interfaces — APIs — and other services that sit below the user-interface level that do support and play a critical role in the overall systems of internal control. And the realisation is that those need to be sufficiently interrogated and validated — in particular, in organisations that have expanding ecosystems of technology applications, increasing blends of third-party SaaS, cloud-type solutions, and in-house, on-prem and proprietary technologies. It’s increasingly complex and challenging to understand the technology landscape.

Let’s call it the good old days of being able to rely on, or identify and then rely on, automated controls or application controls that were native to large-scale ERPs, test those, baseline them and then rely upon the performance of IT general controls. I wouldn’t say those days are entirely behind us, but the expectation around the level of granularity that organisations need to go to give themselves comfort around the integrity of those automated controls and the related topics I talked about, that’s more what we’re dealing with these days.

In the general direction that we’ve seen the PCAOB pushing external audit firms and, by extension, management through the inspection process — certainly, what we’ve seen from external auditors across the board challenging management on and looking to add by way of additional procedures or even scope — this really isn’t a surprise. It’s certainly consistent with what we’re seeing as we’re engaging directly with our clients on this and related topics.

It perhaps goes back to a couple of points Angelo and I have already talked about: It’s always worth an organisation taking a fresh look at its control environment, engaging with its external auditor early, often and rigorously on topics, even those that most would say had long been put to bed right and been agreed upon. There are no sacred areas, and we’re increasingly seeing areas that had been agreed upon in years prior now being brought back up and being looked at through a contemporary lens.

Automated controls is perhaps just an example of that. And the additional procedures around validating underlying code or scripts or whatever it might be is just an example of the trend that we’re seeing around inspecting at greater detail things that perhaps had been agreed upon in the past.

It just goes back to, take a fresh look, take a hard look. You’ll see some efficiency pickups there. You might see some additional procedures that need to be performed. Hopefully, those net out favorably over time. But doing that hard look and challenging the status quo on the control programme is, in the vast majority of cases, going to result in improvements in the system of internal control and risk mitigation related to key financial reporting risks going forward.

Well, this has been a fantastic discussion. Thank you both, again, for joining me.

I have a final question. Angelo, I’ll pose this to you. Andrew, feel free to chime in as well. Angelo, this is something that you brought up a little earlier, and I wanted to get more of your thoughts around internal audit’s involvement with SOX compliance. Our results show that internal audit is engaged in SOX activities in 88% of organisations, and overall, that work consumes nearly half, 47%, of the internal audit function’s time. These numbers are pretty high. How can internal audit groups equip themselves to handle these demands while meeting other critical responsibilities they have?

It’s clear that internal audit’s role in SOX compliance remains significant. Many internal audit teams are still driving the SOX compliance programme. And oftentimes, I slip and just assume that it’s an internal audit department that is driving the SOX compliance programme, based on what I see at my clients.

The integration of technology does provide a lever. I don’t think it’s going to be the answer, but the integration of technology should help streamline processes, especially the use of cloud-based management and SOX compliance management solutions. That will drive efficiencies, but clearly, that’s not going to solve every problem. Longer- term, I’m fairly certain that the use of AI is going to help in streamlining the most time-consuming activity, which is control testing. We are not there yet, but companies are looking at ways of using AI in a thoughtful, responsible, compliant manner. There’s going to be plenty of developments in that space, so it’s an area to pay attention to.

The levers that Andrew mentioned earlier, though, in his commentary, around prioritisation, around risk assessment, around refining the scope -- not all areas require the same level of scrutiny each year. And by conducting a robust risk assessment, internal audit and SOX compliance teams, in coordination with their external auditors, can prioritise the tasks and allocate resources where they’re needed most.

Also, from a scoping perspective, refining the scope, as I mentioned, is definitely an area where there’s opportunity. We’re often engaged to look for opportunities to refine the scope, to help rationalise controls, to work very closely with both management and external audit teams to see where controls could be reduced, where control testing could take a more direct or refined approach. And that often does lead to opportunities. But it’s real that the scope of SOX is increasing, and that is taking away internal audit’s time from being able to conduct other operational and IT audits.

There are certain organisations I’ve worked with that do get creative here, though. For example, we talked about the cyber scrutiny that exists and how the new SEC disclosures are only going to increase that scrutiny. There are opportunities now for internal audit teams to think about what gets put into the audit plan that can not only help meet SOX requirements but also help evaluate other areas more broadly.

Cyber incident and response could be an example area where an internal audit team could lead an assessment, an audit, over the entire process. As part of that audit, they could evaluate management’s approach to assessing the materiality of a cyber event. They could assess management’s approach to communication, to escalation, to reporting, and they could extend into other areas around cyber detection, response, recovery capabilities that may go above and beyond what’s expected from a SOX compliance perspective, but in this manner, they’re able to make use of their time in an efficient way.

Of course, organisations are always able to consider cosourcing and outsourcing, and we do see many clients looking in that direction, especially as it relates to the most time-consuming aspect of SOX, which is control testing. We at Protiviti, and a lot of our competitors, have established centralised delivery models that help drive more efficiencies when it comes to the SOX testing. And that tends to free up a lot more time for the internal audit team to focus on operational and IT audits.

In essence, the demands on internal audit are high, and they will continue to be high from a SOX compliance standpoint. That’s a testament to their skills, their capabilities. There are certainly tools, strategies to help manage the load effectively, and it’s going to be through tech enablement, more refined risk assessment, prioritisation, refining the scope, potentially cosourcing, and, ultimately, finding creative ways of still addressing operational areas while also meeting SOX compliance obligations.

Let me take us back to the beginning, when we talked about hours and cost. Sometimes, that’s a way of masking a discussion around value and even relevance to a degree, although the relevance of and need for SOX programmes and ICFR is now well-established over more than two decades.

But the focus on value, and the ways to get the most value out of an internal audit function that perhaps is spending a significant amount of time on SOX activities, as Angelo just covered, is a good way to think about it: How can the internal audit functions, internal audit activities or SOX activities cover the other side of the profile as well? How can you get some synergy there for management of an organisation to take half a step back and provide some constructive challenge internally on, how do we get the most value out of our SOX activities? And with things like ESG creeping in, cyber, there are an increasing number of related but high-priority areas that there can be synergies found around.

The traditional SOX programme, and rolling it forward from year to year, that approach, for many reasons, is now an approach of the past. And lots of what we’ve talked about today will hopefully serve as some motivation or inspiration for listeners to take a fresh look, provide constructive and effective challenge, think about challenging the status quo and think about driving increasing value for the organisation and for those involved going forward.

Thank you for listening today. I hope you find the insights Andrew and Angelo shared to be enlightening. There certainly is a lot going on with SOX compliance, from technology enablement and automation to a number of factors that are injecting themselves into that whole process, including, but not limited to, ESG and cybersecurity. For more information, I encourage you to read our report The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates, which is available on the Protiviti website. And, as always, I encourage you to please subscribe to our Powerful Insights podcast series and review us wherever you get your podcast content.