It’s clear that internal audit’s role in SOX compliance remains significant. Many internal audit teams are still driving the SOX compliance programme. And oftentimes, I slip and just assume that it’s an internal audit department that is driving the SOX compliance programme, based on what I see at my clients.
The integration of technology does provide a lever. I don’t think it’s going to be the answer, but the integration of technology should help streamline processes, especially the use of cloud-based management and SOX compliance management solutions. That will drive efficiencies, but clearly, that’s not going to solve every problem. Longer-term, I’m fairly certain that the use of AI is going to help in streamlining the most time-consuming activity, which is control testing. We are not there yet, but companies are looking at ways of using AI in a thoughtful, responsible, compliant manner. There are going to be plenty of developments in that space, so it’s an area to pay attention to.
There are also the levers that Andrew mentioned earlier in his commentary, around prioritisation, around risk assessment, around refining the scope: not all areas require the same level of scrutiny each year. And by conducting a robust risk assessment, internal audit and SOX compliance teams, in coordination with their external auditors, can prioritise the tasks and allocate resources where they’re needed most.
Also, from a scoping perspective, refining the scope, as I mentioned, is definitely an area where there’s opportunity. We’re often engaged to look for opportunities to refine the scope, to help rationalise controls, to work very closely with both management and external audit teams to see where controls could be reduced, where control testing could take a more direct or refined approach. And that often does lead to opportunities. But it’s real that the scope of SOX is increasing, and that is taking away internal audit’s time from being able to conduct other operational and IT audits.
There are certain organisations I’ve worked with that do get creative here, though. For example, we talked about the cyber scrutiny that exists and how the new SEC disclosures are only going to increase that scrutiny. There are opportunities now for internal audit teams to think about what gets put into the audit plan that can not only help meet SOX requirements but also help evaluate other areas more broadly.
Cyber incident and response could be an example area where an internal audit team could lead an assessment, an audit, over the entire process. As part of that audit, they could evaluate management’s approach to assessing the materiality of a cyber event. They could assess management’s approach to communication, to escalation, to reporting, and they could extend into other areas around cyber detection, response, recovery capabilities that may go above and beyond what’s expected from a SOX compliance perspective, but in this manner, they’re able to make use of their time in an efficient way.
Of course, organisations are always able to consider cosourcing and outsourcing, and we do see many clients looking in that direction, especially as it relates to the most time-consuming aspect of SOX, which is control testing. We at Protiviti, and a lot of our competitors, have established centralised delivery models that help drive more efficiencies when it comes to the SOX testing. And that tends to free up a lot more time for the internal audit team to focus on operational and IT audits.
In essence, the demands on internal audit are high, and they will continue to be high from a SOX compliance standpoint. That’s a testament to their skills, their capabilities. There are certainly tools, strategies to help manage the load effectively, and it’s going to be through tech enablement, more refined risk assessment, prioritisation, refining the scope, potentially cosourcing, and, ultimately, finding creative ways of still addressing operational areas while also meeting SOX compliance obligations.