Four Thoughts from KPMG: Where SOX Compliance Is Headed in 2021
Just a few months before its 20th birthday, the Sarbanes-Oxley Act still reigns as a monumental hurdle (or opportunity, if you’re the glass-half-full type) for public companies nationwide.
Arguably, there’s been no time in SOX’s history that has put as much pressure on compliance professionals than the past 12 months, with a seismic shake-up to the world of business brought about by COVID.
In anticipation for their webinar, “Baking Flexibility into SOX Planning: Planning, Risk Assessments, and Scoping for the Real World,” Ernest Anunciacion of Workiva and Sue King of KPMG met for a quick, no-punches-pulled discussion about where the SOX compliance function is headed in the months to come.
Here’s the highlight reel:
Shifting SOX into 2021
Ernest Anunciacion: How do you see SOX programs changing as we enter into 2021? What do you think that impact is going to be?
Sue King: It depends. Different industries have been impacted really differently—just look at the impact on Amazon versus the impact on more traditional retail or the hospitality industry. Then there’s a geographic element, as different states and countries have been impacted by COVID differently.
So really, the impact is that everybody needs to be agile and be reactive. It feels like every day we learn we’re doing better or worse with the pandemic, which means you’ve really got to be agile as you think about your scoping and your risk assessment, and how that impacts your SOX program.
Resetting SOX vs. making tweaks
EA: What are the variables that determine whether companies need to think about fully resetting their SOX program, or just making a few tweaks?
SK: Again, it depends. If your company has surged, then your processes have expanded. If you’re on the other end of that, you’re dealing with furloughs and permanent reductions in workforce. Whether you're growing or contracting, it really drives change in process.
So, how have those processes changed ICFR? What are the SOX impacts? If you think about two of the things that the PCAOB is concerned about with processes—risk assessments and estimates and assumptions—both of those were impacted by the pandemic.
Certainly last year did a number on everybody's estimates and assumptions. You pretty much couldn't take anything for granted. I think really looking at all of the data underneath estimates and assumptions is critical.
For example, if you take something like the lease accounting standard, right. It requires people to think about how long they are going to have a leased asset or this location under a lease? And people made assumptions when they implemented ASC 842. Last year, we had to revisit all of those assumptions. There's a lot there, but continued focus on risk assessments, estimates, and assumptions are the variables in question.
Changing channels with remote (internal) controls
EA: I'm interested to get your perspective on what impact has remote work had on the SOX planning process. How do you manage the challenges of being virtual?
SK: I think this is a super-interesting question. It's amazing how resilient we all have been. Most people that I have talked to say that it's somewhat easier in this remote environment. You haven't got people traveling, so it's easier to get on people's calendars. In some ways, it's easier to pull people together to say, “let's really make sure we understand this process.” In terms of kind of the logistics of doing the planning and getting time with people, the vast majority of people are actually saying that getting access to people has been easier in some ways.
But planning for best-case and worst-case scenarios is still the hard part, which I think comes back to the importance of agility. Teams will likely need to revisit planning, scoping, and risk assessment multiple times this year.
The one step to become more agile
EA: Is there anything tangibly that you would recommend to SOX teams to become more agile?
SK: I think my main words of kind of recommendation would be to start on the data analytics journey. I really do think that data and analytics are the way forward.
If you end up with an imbalance where the auditor is taking much more of an analytical approach and you're still taking more of a manual approach, then there is going to be a larger and larger disconnect, which may expose you to risks and issues.
A good example here is journal entry testing. We all know that auditors have been doing journal entry data analytics for a long time, so I think we're going to continue to see a disconnect if you're not able to keep up with that analytics journey.
We're dealing with not only a COVID environment, but also seeing this explosion in technology. We've got to make sure that as a SOX function, we're really keeping up with that and making sure that we're embracing the use of tools.
Need more guidance? Want more advice on SOX agility, analytics, and making the most of 2021? You’re in luck.
- View the on-demand webinar “Baking Flexibility into SOX Planning: Planning, Risk Assessments, and Scoping for the Real World”
- Check out these four quick SOX process modifications to help with COVID-19 planning
- Subscribe to the Workiva blog for even more goodness
The KPMG name and logo are registered trademarks or trademarks of KPMG International. Amazon is a trademark of Amazon Services LLC and/or its affiliates.