The Role of Technology in SOX and ICFR Compliance Programs

Author: Nneoma Okorie, CISA, FCCA
Date Published: 17 February 2022

After several major accounting scandals, the US Sarbanes-Oxley (SOX) Act of 2002 was enacted in the United States to protect investors from fraud, improve reliability of financial reporting and restore investor confidence.1 SOX addresses the need for greater transparency, visibility and confidence in enterprises’ financial statements. As a result of SOX, audit quality has improved, and the severity of financial statement errors and changes to accounts has significantly decreased. The general consensus is that SOX compliance played a huge part in achieving this progress.

SOX-type legislation has not yet been enacted in the United Kingdom, but a UK framework for internal controls is imminent. This means that boards will be accountable for the effectiveness of internal controls over financial reporting (ICFR) and enterprises will need to improve risk assessment, process documentation and internal controls. Strong internal controls are required so that enterprises know they can rely on the numbers produced by IT systems to build trust with investors. UK enterprises should prepare now for the introduction of this type of framework to ensure a smooth transition.

Preparing for a SOX Program

Enterprises that are ahead of the game and have already implemented ICFR or SOX compliance programs have demonstrated that governance and IT integration are key to success. In fact, although the number of financial restatements has fallen since SOX was enacted,2 organizations continue to report internal control deficiencies and material weaknesses relating to technology or general IT controls (GITCs), which remain one of the biggest contributors to material weaknesses.3

The growing complexity of IT systems is a key challenge to providing effective governance and oversight.4 While enterprises enhance their systems to match their growing businesses, legacy and redundant systems are not always being retired at the same rate. The customization of large enterprise resource planning (ERP) systems to meet specific business requirements makes it difficult to identify all relevant controls and leverage efficiencies.

In addition, governance, risk and compliance (GRC) tools; control monitoring tools; and standardization tools take a long time to identify, assess and implement. As a result, most of the work is being done manually in Excel spreadsheets, or tactical fixes are being implemented.

Two key themes are apparent:

  1. SOX compliance continues to increase in complexity as technology evolves. 
  2. Emerging technology is fast becoming the key to transforming the ICFR environment.5

Therefore, when an enterprise is looking to implement an ICFR or SOX compliance program, it is important to plan for the role of technology, not only to minimize deficiencies in GITCs, but also to enable the SOX program itself.

Technology as Part of a SOX Program

There is a growing appetite for the use of technology to drive SOX efficiencies in the first, second and third lines of defense. The adoption of automation is increasing, whether it is the use of GRC technology to monitor the control environment, control automation tools such as Blackline, or SOX program management and data visualization tools such as PowerBI. These tools enable greater visibility and more control over the SOX or ICFR compliance program, not just for the enterprise but also for other stakeholders, such as external auditors.

There are four areas in which technology plays an important role in a SOX compliance program:

  1. Smart scoping and process understanding
  2. Project management
  3. Control optimization
  4. High-risk areas

Smart Scoping and Process Understanding

Technology and data analytics can support a compliance project in two ways:

  1. Smart scoping—Smart scoping is an important aspect of planning an ICFR or SOX compliance program because it ensures that efforts and resources are focused on material risk factors. In scoping for an ICFR program, data analytics plays a significant role, such as in segmenting the business by geography, business division or significant accounts. This targets resources to areas that need to be covered and, at the same time, provides valuable evidence to convince auditors that certain areas of the business can be removed from the audit scope.
  2. Technology-enabled and data-led approach to process understanding—Technology can provide insights into what is happening with financial processes today, rather than what should be happening or what management thinks is happening. Activating digital enablers to augment process walkthroughs and control design assessments can inform management’s questions, focus on high-risk areas and reduce the impact on the business.

With the use of technology for smart scoping and process understanding, business data can be analyzed from different perspectives:

  • Processes—Data can be used to illustrate how a process works in an enterprise and highlight anomalies. Data analytics or process mining can be used to set process flow expectations.
  • Controls—Data provide clarity on how resilient the control framework is (e.g., the number of automated preventive controls vs. the number of manual detection controls in an enterprise’s SOX framework).
  • People—Data provide visibility to ensure the optimal deployment of resources to improve processes and controls (e.g., the number of people involved in the purchase-to-pay process or the overall performance of the finance function).

This type of data-driven analysis provides a better understanding of business processes and equips management to be able to avoid problems by shaping responses. It also helps management make informed decisions about current processes, risk factors, gaps and any unclear roles and responsibilities.

Project Management

When US SOX regulations emerged, enterprises battled with numerous Microsoft Excel workbooks and volumes of emails as they tried to move their project forward. Today, advanced technology has led to more efficient ways of managing projects.

Project management technology adds value to SOX programs in several ways:

  • Integrated scoping, control objectives and activity mapping—Control objectives are linked across different entities, business units or segments.
  • Categorization of different types of controls—For example, when the scope goes beyond SOX into nonkey financial controls or control objectives, technology supports the categorization of these other controls.
  • Clear accountability and governance of the program—The project management tool tracks accountability and responsibility for the execution of controls.
  • Conclusion and reporting—The quality of reporting is improved by using a data visualization dashboard to drive efficiency, communication and capability and focus on task management, deadlines and specific workloads.
  • Access security—Access within the project management tool can be restricted so that users can see only the information relevant to their areas.

When evaluating project management technology options, it is important to:

  • Assess the value of available features.
  • Engage with stakeholders to agree on the need for and benefits of individual technology solutions.
  • Invite suppliers to showcase their offers and obtain feedback from other enterprises using similar tools.
  • List key feature requirements, such as:
    • Location (e.g., onsite or cloud or with third parties)
    • Automatic control linkages
    • Integrated comments and workflow (to avoid excessive emails)
    • Deficiency management
    • Digital reminders and capture of assessment processes
    • Accessibility via mobile applications
    • Auditor access

There are many great technologies available to transform and add value to the SOX compliance process. Technology providers such as IBM, RSA, DELL, Archer platform and EY SOX VUE have released tools in the market to help practitioners. There are also cloud-based platforms for project management. Therefore, using Excel as a project management tool should be the last resort.

Control Rationalization and Optimization

The vast majority of enterprises that have implemented SOX compliance programs have subsequently reorganized and redesigned their compliance frameworks.6 This is often called a control rationalization project.

Early planning for the role of technology in a SOX program reduces the need for expensive rationalization later. Activities that can be performed at the outset include:

  • Embedding automated controls during the business process design
  • Switching on unused application-embedded control features within ERP systems
  • Moving from manual detection controls to automated preventive controls
  • Ensuring that the chart of accounts maintains its design principles and integrity
  • Removing duplicate control frameworks
  • Bringing additional technology into the financial control process (e.g., a month-end close process) to supplement ERP with digital solutions to add capabilities, such as tracing through balance sheet reconciliations
  • Implementing monitoring controls that verify the effectiveness of groups of underlying controls so that external audits can be set up more efficiently

High-Risk Areas

GITCs are one of the key factors contributing to material weaknesses in enterprises’ internal controls.7 A strong IT team and well-implemented and well-controlled systems are critical in ensuring internal controls over financial reporting. This ensures that financial information is appropriately safeguarded and accurately processed.

Gaps or material weaknesses have been found in several areas, including:

  • Poor management of privileged access to financial systems
  • ERP systems that lack change control programs
  • Poor management of access to data and end-user computing (EUC) tools
  • Cybersecurity issues or cyberattacks
  • Computer operations controls that were poorly designed or are not operating effectively
  • Integrity of information produced by the entity (IPE), a key problem area identified by audits

It is important to focus efforts on areas where gaps have been found. Many of these deficiencies may be linked to the technology defining the underlying GITCs and can be checked and remediated. Actions that can be undertaken early in the process to put the program on a stronger footing include:

  • Developing SOX controls in cyberprocesses such as patching, security monitoring and privileged account usage
  • Using technologies powered by artificial intelligence (AI) that can scan large, complex spreadsheets for potential errors
  • Using solutions that can automatically clear down suspense accounts at the end of the month, making manual and administrative processes more automated and reliable
  • Identifying key spreadsheets and subjecting them to AI-driven risk analysis
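The first action above, building SOX controls around privileged account usage, is the kind of thing that is easy to describe and hard to picture in practice. The following is an added illustration, not code from the article or from any of the tools it names: it implements a periodic privileged access review (a detective control), a monitoring control over privileged-action log lines, and a preventive gate that allows a privileged action only while an approval is in date. The data formats (an ERP export of role holders, an approved-access register keyed by user and role with an expiry date, an HR active list and a key=value log format) are assumptions, and every record below is constructed sample data.

```python
from datetime import date

# --- Constructed sample data (assumed formats; not from the article) ----------

# Privileged role assignments as exported from a financial system
ERP_PRIVILEGED_ROLES = [
    ("alice", "GL_ADMIN"),
    ("bob", "SYS_ADMIN"),
    ("carol", "GL_ADMIN"),
    ("dave", "PAYMENT_RELEASE"),
    ("svc_batch", "SYS_ADMIN"),
]

# Approved-access register: (user, role) -> date the approval expires
APPROVED_ACCESS = {
    ("alice", "GL_ADMIN"): date(2022, 12, 31),
    ("bob", "SYS_ADMIN"): date(2021, 6, 30),   # approval has lapsed
    ("svc_batch", "SYS_ADMIN"): date(2023, 1, 1),
}

# Active-employee list from HR (service accounts are tracked separately)
ACTIVE_EMPLOYEES = {"alice", "bob", "dave"}

# Privileged-action log lines in an assumed "timestamp key=value ..." format
PRIVILEGED_ACTION_LOG = [
    "2022-02-10T09:14:02Z user=alice action=POST_JOURNAL amount=125000",
    "2022-02-10T11:03:45Z user=carol action=CHANGE_VENDOR_BANK vendor=V1001",
    "2022-02-11T02:17:09Z user=svc_batch action=RUN_CLOSE_JOB",
    "2022-02-11T16:40:12Z user=dave action=RELEASE_PAYMENT amount=980000",
]

REVIEW_DATE = date(2022, 2, 17)


def valid_approvals(approved, as_of):
    """Return the set of (user, role) pairs whose approval is still in date."""
    return {key for key, expiry in approved.items() if expiry >= as_of}


def review_privileged_access(roles, approved, active, as_of):
    """Periodic access review (detective control).

    Reconciles every privileged role holder against the approved-access
    register and the HR active list; returns (user, role, finding) tuples.
    """
    in_date = valid_approvals(approved, as_of)
    findings = []
    for user, role in roles:
        # Service accounts (svc_ prefix) are not on the HR list by design
        if not user.startswith("svc_") and user not in active:
            findings.append((user, role, "holder is not an active employee"))
        if (user, role) not in approved:
            findings.append((user, role, "no approval on record"))
        elif (user, role) not in in_date:
            findings.append((user, role, "approval expired"))
    return findings


def parse_log_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp is stored as 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def unapproved_privileged_actions(log_lines, approved, as_of):
    """Monitoring control: privileged actions by users with no in-date approval."""
    approved_users = {user for user, _role in valid_approvals(approved, as_of)}
    flagged = []
    for line in log_lines:
        entry = parse_log_line(line)
        if entry["user"] not in approved_users:
            flagged.append(entry)
    return flagged


def authorize_privileged_action(user, role, approved, as_of):
    """Preventive control: permit the action only while the approval is in date."""
    return (user, role) in valid_approvals(approved, as_of)


if __name__ == "__main__":
    for user, role, finding in review_privileged_access(
        ERP_PRIVILEGED_ROLES, APPROVED_ACCESS, ACTIVE_EMPLOYEES, REVIEW_DATE
    ):
        print(f"ACCESS EXCEPTION  {user:<10} {role:<16} {finding}")
    for entry in unapproved_privileged_actions(
        PRIVILEGED_ACTION_LOG, APPROVED_ACCESS, REVIEW_DATE
    ):
        print(f"UNAPPROVED ACTION {entry['ts']} {entry['user']} {entry['action']}")
```

Run against the sample data, the review raises four exceptions (a lapsed approval, a leaver who still holds a role and also has no approval, and an unapproved payment-release role), and the monitoring control flags the two log entries performed by users without an in-date approval. The same approval register feeds the preventive gate, which is the shift from manual detection to automated prevention that the control rationalization section describes: once the register is the single source of truth, the detective review becomes a check that the preventive control is working rather than the only line of defense.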

Conclusion

A great deal of information is available about the role of technology in SOX or ICFR compliance programs given the number of technology options on the market and the lessons that can be learned from enterprises required to report GITC deficiencies.

Carefully planning the role of technology before implementing a SOX compliance program can significantly improve the process and minimize IT control deficiencies. A well-planned SOX or ICFR project, driven by technology, pays for itself many times over by saving time and lowering the overall risk of noncompliance. When an enterprise employs technology appropriately, it can design a program that mitigates the most significant risk factors and addresses compliance requirements. Management and the enterprise as a whole can then obtain much greater insight from data and thereby drive improvements in their operations.

Endnotes

1 Wagner, S.; L. Dittmar; “The Unexpected Benefits of Sarbanes-Oxley,” Harvard Business Review, April 2006, http://hbr.org/2006/04/the-unexpected-benefits-of-sarbanes-oxley
2 Tysiac, K.; “Restatements Dropped After Initial Post-SOX Surge, Study Shows,” Journal of Accountancy, 24 July 2014, http://www.journalofaccountancy.com/news/2014/jul/201410628.html#:~:text=The%20number%20of%20restatements%20announced,for%20Audit%20Quality%20(CAQ)
3 KPMG, 2020 IPO Material Weakness Study, USA, August 2020, http://advisory.kpmg.us/articles/2020/material-weakness-study-2020-ipo.html
4 Ernst and Young (EY), EY Global SOX Survey Results: Unlocking Value Beyond Compliance in Your SOX Program, USA, 13 May 2020, http://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/ey-global-sox-survey-results.pdf
5 Ibid.
6 Ibid.
7 Op cit KPMG

Nneoma Okorie, CISA, FCCA

Is an assistant director with the business consulting services of Ernst and Young LLP. She is a qualified accountant and has worked for 15 years with a broad range of clients on external audits and on advisory engagements, including global US Sarbanes-Oxley Act of 2002 (SOX)/internal control over financial reporting (ICFR) management attestations. Okorie specializes in IT risk management, audit and assurance, and SOX compliance and has a keen interest in the application of advanced technologies, including robotics and artificial intelligence. She can be reached at NCokorie@gmail.com.