Perspectives

Challenging the status quo of SOX controls and compliance

A new approach can improve compliance quality, add flexibility, and reduce costs

Sarbanes-Oxley (SOX) controls and compliance is a fact of life for public companies. That said, organizations have more options for managing it than many realize. So where can businesses start? First, they’ll need a willingness to challenge long-held assumptions about the people, processes, and technology that a well-run SOX program requires.

SOX internal controls compliance—still challenging, but why?

The Sarbanes-Oxley Act of 2002 has been around longer than smartphones, ridesharing, cryptocurrencies, and modern cloud computing. Babies born the year it became law are now old enough to drive.

So SOX controls should be well in hand, right? Not necessarily. Increasing demands, regulatory requirements, and changing market dynamics have made stable processes a moving target. Add corporate activity, such as entry into new markets, mergers and acquisitions, and digital transformation, to the mix, and it becomes clear why SOX internal controls remain a costly, challenging endeavor.

But it doesn’t have to be. Although SOX controls are here to stay, organizations have the opportunity to challenge the status quo. They can reimagine their scope, process, and delivery model to achieve SOX compliance at a lower cost and higher quality, via a right-sized, risk-based approach. To better understand the marketplace demands, let’s look at the current internal controls over financial reporting (ICFR) landscape.

The state of SOX controls and compliance

Four market realities characterize the SOX controls and compliance environment today, all of which can build up complexity in SOX internal controls programs:

  • Regulations. Standard setters, such as the Public Company Accounting Oversight Board (PCAOB), are increasing oversight and mandating change at a steady clip. They then pass oversight along to external auditors, raising the amount of effort it takes for organizations to comply with SOX. These regulatory requirements are being applied with a very broad brush and often don’t take risk into account.
  • People. Effective SOX controls work demands strategic thinking, technical capability, and deep-seated SOX insights—a combination of skill sets that remains stubbornly scarce in a field some may perceive as having little upward mobility. Some basic compliance activities may be better suited to automation, which frees highly skilled resources for higher-risk activities. Alternative delivery models can help organizations fill the resource gap, build greater capabilities, and align with the right priorities.
  • Processes. SOX controls processes and approaches have undergone few changes in recent years. They often contend with frequent changes and tight turnaround times that prompt ad hoc adjustments through labor-intensive, error-prone manual processes. By standardizing processes, organizations can change the way they approach the SOX life cycle and move toward a more effective process.
  • Technology. Reliance on often disparate legacy systems for control testing and documentation means spending excessive time on managing information. Automation, analytics, and continuous control-monitoring tools can enhance the way compliance professionals work and drive insights and outcomes in the process.

It’s time for a new approach

Considering these market realities, a new approach to SOX controls and compliance can reveal opportunities to:

  • Enhance resources
  • Increase relevancy
  • Innovate
  • Gain economies of scale

Key to the new approach—taking the complexity out of the equation

The guiding principle of any SOX modernization initiative should be simplification. One aspect of a refreshed view on SOX controls and compliance is to revisit the risk assessment. Performing a robust risk assessment and clearly aligning the organization's internal controls over financial reporting risks with the relevant assertions and controls can provide a simpler framework and a more streamlined approach.

For example, based on risk assessments performed in many organizations, roughly 20 percent of ICFR risks might be considered high-risk, while 80 percent are usually medium- to low-risk. A more efficient approach to compliance would focus time on the 20 percent while simplifying and standardizing the approach to the remaining controls.

High-risk areas (20 percent)

A control failure in a high-risk area is more likely to result in a material weakness or significant deficiency, which an organization would then have to disclose to the public or the organization’s audit committee. This could bring the negative perception that often accompanies financial restatements, additional scrutiny by regulatory agencies, or even potential fines. High-risk areas merit extra attention, a robust controls approach, and additional testing and monitoring.

Medium- to low-risk areas (80 percent)

Medium- to low-risk areas are the ones where failure is unlikely to result in a significant issue. For example, accounts payable transactions are similar in most organizations from a SOX controls and compliance perspective. An organization wants to confirm that transactions are complete, timely, accurate, and approved by an authorized individual. These transactions don’t require an extraordinary amount of testing or documentation, and they tend to look the same from one organization to another. As such, the controls around areas like accounts payable could in many cases be standardized to create a more streamlined approach.

Many companies approach medium- and low-risk areas with the same mindset as high-risk areas. This doesn’t have to be the case. Standardization can make shorter work of compliance by removing unnecessary steps from the process, while still maintaining high levels of compliance rigor and quality.

Managed services for SOX controls and compliance—filling in the gaps

Even if it is more efficient, reallocating resources to higher-risk areas can leave gaps in lower-risk areas that still need to be managed. A managed services approach to SOX controls and compliance can help public companies close resource gaps while reducing complexity by tapping into the staffing, technology, and knowledge capabilities of a capable service provider. The managed services provider takes on long-term management of the SOX program—including staying current with compliance mandates—while responding to the expectations of management, auditors, and regulators.

Underpinning the approach—enabling technologies

Reimagining SOX controls and compliance through managed services can have additional positive impacts for the way the program works, the resources it needs, and how it evolves in the face of unrelenting change. But to unpack these implications, it’s necessary to understand the role that technology plays along with the interplay between technology and standardization.

Five reasons to consider change

Of course, there’s always a better mousetrap, even when it comes to SOX compliance. And as many organizations can point out, with some justification, they’ve been getting the job done for the better part of 20 years. So why change?

  1. Basic compliance can be costly.
    Many organizations don’t realize how much they’re spending on staffing, technology, external audits, and management overhead. A savings of 20 percent could free significant capital for the business to reallocate to higher-value areas or risks.
  2. Change doesn’t have to be radical.
    By and large, improving SOX controls and compliance is less about upending existing programs than about refining their approach, asset deployment, and use of technology. Small steps can produce significant results.
  3. Companies can learn from others’ leading practices.
    Specific challenges of SOX controls and compliance are often common across many companies, making effective practices more applicable than many might suppose.
  4. The value can be significant and multifaceted.
    Among other things, change can result in a lower total cost for SOX controls and compliance, a reduced risk profile, and more high-quality outcomes.
  5. It can align stakeholders, including management, external auditors, internal audit, and the audit committee.
    The change management process can improve communication, clarify roles and responsibilities, and articulate the compliance strategy in terms of better outcomes for the organization at a lower cost.

Retaking the reins of SOX controls

SOX controls and compliance is a fact of life for public companies. That said, companies have more options for managing it than many realize. The starting point is a willingness to challenge long-held assumptions about the people, processes, and technology that a well-run program requires.

Over the years, market realities have led to a growing complexity in compliance programs. Why not pause and take a critical look at where reactive processes may have become institutionalized and whether it’s worth thinking about them in a different way?

Looking at SOX controls and compliance through the lens of managed services can provide a fresh perspective. A key part of the exercise is to focus on simplification, based on the amount of risk each area presents, and then allocate internal and external resources in ways appropriate to the risk. All this helps to bring effectiveness and operational efficiency to the SOX compliance program while supporting the expectations of management, auditors, and regulators.