SOX compliance: A smarter way forward

SOXwise blog on SOX controls and automation

Just because more than 16 years have passed since the Sarbanes-Oxley (SOX) Act was enacted doesn’t mean all organizations have been able to optimize their compliance programs. The reality is that SOX isn’t going anywhere, so now is the time to modernize your approach in order to address the most common SOX challenges with greater efficiency while maintaining quality and reducing the total cost of ownership.

A blog post by Adam Nelson, Deloitte Risk & Financial Advisory partner

Still struggling with SOX

During the Deloitte Dbriefs webcast, "Risk and controls innovation: A smarter way forward," we polled 4,763 audience members about their biggest SOX compliance challenges in 2019. Largely made up of finance, controllership, internal audit, and compliance professionals, the audience was pretty evenly divided in citing three main challenges:

  • 31 percent – Process (poor control design or lack of standardized SOX controls)
  • 30 percent – Technology (lack of cost-effective, efficiency-driving SOX automation solutions)
  • 25 percent – Talent (SOX skills gap or personnel shortage)

More than 16 years after enactment of the Sarbanes-Oxley (SOX) Act of 2002, this is somewhat surprising. Shouldn’t those issues have been addressed?

Taking a closer look

Process. Regulatory complexity is another factor. The growth and complexity of the requirements are continual challenges as businesses aim to meet the needs of external auditors, regulators, management, and others.
 
Technology. Lack of innovation is an issue as well. Many technologies are coming on the scene that are designed to make compliance processes more efficient and shed new light on the vast amounts of data now available in most organizations. The challenge is tapping into those capabilities, given budget and resource constraints, and beating the ever-ticking clock as companies approach their next compliance deadline.

Talent. As the Dbriefs audience indicated, many companies struggle to find and retain the right resources and skillsets. It’s often a challenge because, many times, SOX compliance programs serve as a feeder to the rest of the organization. That’s great for the overall business, but it makes it difficult to align the right people with the right skillsets in the most meaningful way.

How to move forward?

After nearly a decade-and-a-half of fluctuating resources, ever-constricted budgets, and expanding compliance requirements, how can companies tap the insights that compliance generates to move the dial on cost control, compliance effectiveness, and even value creation? It’s time for a simpler SOX compliance model.

Three specific areas deserve attention:

  1. Process standardization. Although every company is unique and each has different processes and technologies, opportunities exist to standardize SOX compliance approaches, frameworks, controls, and processes. In a typical organization, roughly 20 percent of the environment might be considered high-risk, while a full 80 percent is medium- to low-risk. Much of the paperwork, testing, and reporting around that 80 percent can be standardized to create compliance process efficiencies. This would allow more resources to be focused on high-risk areas.
  2. Automation and analytics. As more compliance processes are standardized, opportunities arise to introduce robotic process automation (RPA), continuous control monitoring, analytics, and other technologies. These potential SOX automation tools not only can enable greater efficiency and cost reduction, but companies can also glean insights from the data, providing a fresh perspective on the compliance process.
  3. New sourcing models. As more of the low- and medium-risk SOX processes are standardized and automated, do you have the right people focusing on the rest of the program? Looking at compliance through this lens, you can start to consider the balance of internal versus external resources. Rather than a traditional in-house model, could a managed service model provide greater benefit to your organization? Such an approach might help companies close resource gaps by tapping into the staffing, technology, and knowledge capabilities of a capable service provider, as I’ve outlined in a new point of view.

SOX compliance isn’t going away anytime soon—it will continue to be an evolving mandate for public companies. But that doesn’t mean you can’t think differently about how to manage it. A good starting point is to challenge long-held assumptions about the people, processes, and technology that a well-run program requires. Then you can make effective decisions about what may be best for your organization going forward.

What if you could achieve SOX compliance with higher quality, greater flexibility, and reduced costs while executing more strategic decisions around your capital allocations? You can, with SOXwise.
