How to improve SOX efficiency in 2017
Don’t die of shock here, but SOX compliance teams will need to wring even more efficiency from their compliance processes in 2017. At least you know that going into your planning for next year.
Alas, we may not be able to say much else about exactly how to achieve those increased efficiencies. In the 2016 State of the SOX/Internal Controls Market Survey released earlier this year by the SOX & Internal Controls Professionals Group, 80 percent of respondents listed more efficiency as the top priority in the coming year. So clearly, that's a goal everyone wants to achieve.
Dive deeper into the SOX survey, however, and several different story lines emerge about what your other compliance concerns are and how they relate to the quest for more SOX efficiency. For example, 64 percent of survey respondents also said changing requirements from their external audit firm will be their biggest challenge in the coming year; 45 percent cited a focus on cybersecurity and IT controls. Another 58 percent say their audit fees rose last year, and 54 percent outsource or co-source at least some of their SOX testing and reporting.
That’s a lot of diversity in practice. Yet we can deduce a few universal truths about how your SOX compliance will unfold next year: certain things must happen, or certain conditions must be created, if you hope to increase efficiency at all.
Let’s start with the question that captures the minds of CFOs and board directors everywhere: audit fees.
The best ways to hold the line against audit fees are to keep the scope of the audit tight and to provide easy access to ample evidence. Those tactics should (in theory) reduce the hours necessary to perform the audit, and that is the best way to keep fees in check.
But remember to view all this from the auditor’s perspective. The Public Company Accounting Oversight Board has stepped up its demands for firms to bring more skepticism to audits. The Securities and Exchange Commission fined Ernst & Young $11.8 million in October for its failure to find accounting fraud at one of its clients. The pressures on audit firms to do better are real.
Still, we can make a distinction here: auditors’ demands will be going up; that’s not the same as their hours going up. Very often the two do go hand in hand, which is why the SOX audit can be so frustrating to the client paying the fees. But they are not the same thing, and that gives the SOX compliance team one goal: to streamline your processes and controls so that they produce the greatest amount of useful evidence with the least amount of work.
Now, the truth is most companies have been trying to achieve that goal for years. Sometimes co-sourcing is the best strategy; sometimes it’s adopting new compliance technology that simplifies control testing or certification; and a company should always be examining its business processes to consolidate key controls whenever possible.
So what’s new?
Increased demands for evidence might be the biggest pressure SOX compliance officers predict for next year, but that’s still just an increase in the volume of what you do. The SOX survey also offers some glimpses into the new types of work you’re likely to do—and if you want to increase efficiency, you’ll need to consider how you can handle those new substantive challenges amid the auditors’ demands for more across the board.
The two biggest substantive changes in the coming year are a focus on cybersecurity and IT controls (cited by 45 percent) and a focus on risk management (cited by 38 percent). When you peel back the onion even further, you find this: two-thirds of survey respondents said less than 25 percent of their control testing related to cybersecurity or IT controls. And while 86 percent said internal audit is involved in SOX compliance somehow, most of the time internal audit does not help with risk assessment or scoping the SOX audit.
Consider all those statistics together: increased importance, but relatively little attention or collaboration. Places like that are where efficiencies can be found.
Cybersecurity controls in particular cry out for a joint assault by compliance and internal audit, because cybersecurity threats are all about unauthorized access: outside hackers, employees with privileges they shouldn’t have, or the like. Strong cybersecurity is a process question, whether the question is how you determine a user’s authenticity or how you provision the correct access that person should have.
Process challenges play to internal audit’s strength; examining and refining a business process to avoid risk is what internal auditors do. Moreover, internal audit usually knows the broader enterprise better than compliance, given the freedom it has to do its own enterprise risk assessment and pursue its own projects. So it can be a valuable ally as compliance works with IT security, HR, or other functions to understand who has access to what data and which cybersecurity controls deserve attention.
To my thinking, the most important findings of the state of the market survey are on pages 6, 8, and 9. That’s where you’ll find data about how internal audit does—or does not—work with SOX compliance programs, and the pressures that SOX compliance officers expect to change in the coming 12 months. They are the guideposts along the way that you can use to benchmark your own company’s challenges.
What pressures is my audit firm facing that will lead them to be more demanding on me? How does my internal audit team work on SOX compliance, and could a different type of assistance translate into a different SOX experience with our external auditor? Are we paying enough heed to the right types of controls?
Those are the questions you want to answer. Gaining more efficiency in 2017 won’t be easy, but the State of the SOX/Internal Controls Market Survey gives you a few good places to start looking.
About the Author
Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog, RadicalCompliance.com, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.