State of the Market: How SOX Compliance Teams Are Really Doing
To kick off Season 3, hosts Steve and Catherine are joined by Matt Kelly of Radical Compliance, the blog devoted to corporate compliance, audit, and risk management issues. Matt picks through clues in the latest State of the SOX/Internal Controls Market Report to decipher how SOX compliance teams fared through the pandemic.
S3:E1 - State of the Market: How SOX Compliance Teams Are Really Doing
Steve: Hello, and welcome to Off the Books, where we're surfing the uncharted waters of accounting, finance, risk, and wherever else the waves take us. This episode and this season is brought to you by Workiva, the risk, reporting, and compliance platform that simplifies your complex work, so you can finally clear out that Christmas tree that's been dead now for weeks. Check it out at workiva.com/podcast. My name is Steve Soter, accounting enthusiast, Diet Coke aficionado, and today's host. I'm looking forward to debiting a great conversation today, and I'm very glad to have you hanging 10 with us. We are back with season 3, and I am so darn excited, I might just burst into a puddle of Diet Coke. We've got drama, intrigue, career advice, ESG, accounting memes, and movies, and a brand new host that I am so happy to have with us, Catherine Tsai, who will be joining us this season. Catherine, I am so glad you're here. Can you please tell the fine folks who you are?
Catherine: Well, I'm not an accountant or a Diet Coke aficionado, but I like asking questions, learning new things, and writing about them later. So I'm here to learn.
Steve: Well, Catherine, thank you so much for joining. So good to have you with us. What's on the docket for this first episode of season 3?
Catherine: Well, Workiva is a national sponsor of the SOX & Internal Controls Professionals Group, which is a community of audit, risk, and SOX professionals. And this past fall, in partnership with KPMG, they issued the sixth annual State of the SOX Market report, which summarizes their findings from a large annual survey of their members. There's a lot of good and even surprising insights this year, so we brought in the industry expert Matt Kelly, founder and CEO of the Radical Compliance blog, to break it down for us.
Steve: Well, Matt, welcome to the podcast. Before you share your insights on the state of the SOX market survey report, what does our audience need to know about you?
Matt: Sure, Steve, thanks for having me on. And I think probably the defining thing for me is that I am not an auditor or compliance professional or internal controls expert by trade. I used to be a newspaper reporter many years ago, drifted into writing about business and technology and then regulatory compliance. So I've been writing about this stuff for a long time, but always from the perspective of an outsider. And I do have a weekly newsletter and a blog.
Steve: Well, I'll do a plug as a recipient of that newsletter. It's called Radical Compliance and would highly recommend that to our audience.
Catherine: Steve, I know you had a chance to look at the report. What was the first thing that stood out to you?
Steve: Well, I was really surprised at how well the auditors did during the pandemic, and that's for two reasons because for so long, I mean, I was an auditor a long time ago. It was really uncommon for auditors to be able to work from home, let alone audit from home. And the second reason why I was surprised is I had actually wondered if companies might have used the pandemic as maybe an excuse to cut down on overhead cost, including their audit staff. I was definitely wrong. Here's how Matt explained the report's findings.
Matt: 48 percent said their businesses enacted layoffs or furloughs during 2020, so that's roughly half of all internal controls and SOX people. Your company went upside down. You know, radical change in how people work, layoffs, which are always going to be disturbing, and a lot of stressors. At the same time, 62 percent said that their own SOX compliance teams didn't suffer any loss of headcount or layoffs, and they generally said COVID-19 didn't make most of their compliance tasks or their SOX compliance tasks that much harder. There was no change really around status reporting or certifications or working with your risk control matrix, issues management, evidence requests. SOX compliance teams weathered this quite well. It was very versatile of them, despite enormous disruption to our personal lives and our work lives in our companies. The work they actually did - that seemed to be OK.
Steve: Catherine, this all makes sense, and I suppose for people working in the industry, this wasn't all that surprising. But I really thought the pandemic might be a huge step backward for the profession, but it really seems like just the opposite. I mean, what stood out to you?
Catherine: The report mentions that the number of key controls seems to grow with revenue. I wasn't sure what to take away from that, because it seems like ideally you'd want to have the number of controls maybe stay the same even as your revenue grows. So I asked Matt to explain it to me.
Catherine: So as a refresher for our audience and also for me, since I don't have an audit background, can you explain what key controls are first?
Matt: Key controls: the formal definition would be that they are the controls used to govern accurate financial reporting. They're meant to catch the mistakes or the weaknesses that could lead to a material misstatement. So as the name implies, key controls are important. But that said, at a high level, they are the controls that are in place to keep the big screw-ups from happening.
Catherine: So if the number of key controls increases with revenue, what is that saying? What does that mean for organizations? Can they scale their revenue?
Matt: I think it really means that your key controls are going to scale upward with the revenue. I don't think that would be shocking news when you sit down and think about it for a while because typically, as revenue comes in more and more, there's more business. That means there's more complexity. There are more products being sold, there's more people processing transactions. So unless you're in a really simple, straightforward business like, I don't know, commodity sales of something, unless you're really in that, most businesses, as their revenue increases, that means they're gaining in size and complexity. I was very curious and we don't yet have a clear read on the downward part. If you run this in reverse, in theory, very small businesses would have little revenue and no key controls. Now that's not accurate. There has to be some minimal level of key controls that any business would have, even if its total revenues are like $2 a year. We don't necessarily know what that minimum scale is or the minimum number of key controls, but it does have to exist.
Steve: Catherine, did that answer your question?
Catherine: Yes, but he brought up a great point about controls scaling backwards. What do you think is the minimum number of key controls needed at any level of revenue, including if you have none?
Steve: Yeah, to be honest, I don't have any idea, but I think on the subject of scale, the state of the SOX report revealed that SOX teams were way behind on adopting technology and analytics. So, you know, technology could be used to manage your SOX or internal control program, and analytics can be used to examine large sets of data, maybe to reveal any trends that might indicate something's wrong. I mean, the big auditing firms, Catherine, have been doing that for years, but not so much with SOX teams. So we asked Matt about it, and this was his reaction.
Matt: I think we should never underestimate the power of inertia in large corporate organizations. The data in the state of the market report showed that still most companies use Microsoft Office tools for most tasks, and that's probably because we have all been using Microsoft Office tools since time immemorial, and it can be very difficult to break through that logjam. One thing that was interesting, I also looked up what the efficiency pain points were. That's the actual phrase that was used in the survey. We asked respondents what were those efficiency pain points? And I looked at it, and so they were saying the top pain points were delays in obtaining evidence for testing, receiving incorrect or incomplete evidence. And then a bit further down was another one that jumped out at me: too much copy and pasting between different systems. So there's still a lot of inertia there, and you know, there's a lot of improvement that could be made. But it does tell me that SOX professionals are still managing technology rather than really using it to the fullest. You could probably break through the inertia by making a really compelling business case to invest in more advanced analytics technologies. I'm a big fan of that because I think it can help with tasks like risk assessments. It can help with testing. It can help keep you in this really quasi arms race with your audit firm because if they're using analytics and you're not, they're probably finding weaknesses and issues faster than you are. And then you're on the back foot about how to either mitigate them, or maybe you want to make an argument that, no, this actually isn't significant deficiency, but the audit firm is going to say, yes, it is. You could maybe marshal the right data to push back against that if you want. But if you are still too busy copying and pasting data or chasing down evidence from somebody in the first line of defense somewhere, that's going to be harder.
Steve: Arms race with your auditors. Matt, I've never heard that term before, but I can't think of something that's more adequate and representative of what it's like.
Matt: We all know it's true. We all know that's what you want. You want a magic bullet to tell the auditors, "No, you're wrong. I'm right." It's data analytics is how you're going to do that.
Steve: Catherine, I still love that term arms race with your auditors. I must say I've both won and lost those races, and winning, I can tell you, feels a lot better.
Catherine: On that note, this podcast will keep winning with our sponsor if we take a quick commercial break. We'll be right back with Matt Kelly.
Drew: Today's episode is brought to you by Workiva. In case you haven't noticed, we're all working from home, and our kids are shooting Nerf guns at us while we're presenting to the audit committee, and we've reorganized the pantry like 14 times since we're out procrastinating on the real things that need to get done. Do you really need work to be another stressor? I don't think so. Workiva helps risk and reporting teams work collaboratively by housing all critical documents, spreadsheets, and presentations in one spot. No more shared drives or buggy VPNs. Everything you need is right there, so you get more time to organize your sock drawer again or beat your kid in the game of Stratego for the 10th time this week.
Steve: And we're back talking with Matt Kelly about the sixth annual state of the SOX market report, which came from a large survey of members of the SOX & Internal Controls Professionals Group. Catherine, you had a great question for Matt about the job satisfaction of these individuals, right?
Catherine: That's right. The survey showed that almost half of the respondents said they were extremely satisfied with their jobs, and I wondered if that had anything to do with the pandemic. I wondered if the pandemic was meant for auditors. And here's what Matt had to say.
Matt: I would answer that in a couple of different ways. Like I mentioned earlier, I think that auditing is a job that was well-suited to withstand the shocks of the pandemic. You could do a lot of your work from home. You could shift to work from home rather easily. That is not true of all professions, but you can accommodate some of the demands that COVID-19 put upon people personally. And that is a big influence on whether you like your job, compared to, say, a grocery clerk or a meatpacking factory worker where they had to go and take a virus risk every single day throughout 2020 that most professionals wouldn't have to do. You could work remotely. I also think let's not forget that a lot of compliance teams said we didn't have layoffs in our division. That certainly is good for you psychologically, and that all feeds into people saying, I'm happy with my job because I have a job still and accommodating the pandemic wasn't so terrible. But there's a second half of this that I personally, you know, I haven't quantified this myself, but I think a lot of auditors also find that what we're trying to do here is really interesting. Like I mentioned before, there's a Rubik's Cube of challenges you're trying to solve with Sarbanes-Oxley compliance. And that's interesting stuff under the best of circumstances. But COVID-19 really posed a lot of challenges. You had new risks you were having to solve, and you had to try and solve them under unusual conditions. If your business suddenly started to sell, I don't know, personal protective equipment, you might have to think about risks of fraud that were never really for you before. Because, you know, now suddenly your company is selling goods that might get fenced off the back of the loading dock if you're not careful. Well, what are the anti-fraud controls you'd have to put in place? You know, I bet there are a lot of auditors out there who didn't have to think about that before, but did now.
And if you like auditing, that's quite the professional challenge to try and think through. How would we do that? How are we going to make sure that we are spending the PPP loan money that we get the right way so that we're not going to get hung out to dry on an SEC or Justice Department fraud case in two years, things like that.
Steve: Matt, if I could expand on that and maybe if you're OK with me asking you to prognosticate a little bit. It seems like in the pandemic, so much was made of well, we got to audit things differently. And in my head, I picture auditors with these Oculus headsets, you know, auditing in the metaverse or whatever. Do you have any sense for how real that world might be at some point in the future? Even something as simple as, hey, I need to go observe this inventory in a warehouse. I'm not going to be there, but maybe there is a drone or something, and I'm kind of watching the live footage. I mean, do you see a world where that just becomes commonplace?
Matt: You know, I'm not sure how commonplace that will be, but I know that the drone thing has already happened with some businesses. They even were starting to do that before the pandemic. But it is a good, interesting way to try and think that through. I'm not as gung ho on the Metaverse and the Oculus goggles as much as Mark Zuckerberg and some of the other enthusiasts out there. But I do think that there are a lot of ways that technology is challenging what we do for risk assessment and, you know, policy development and controls, control design. That's challenging it, and it's helping it at the same time. Like if you were, say, in financial services, the rise of cryptocurrency - that has got to pose all sorts of like really issues that would drive you nuts. But at the same time, like if this is what you like to do, then it's a glorious time to be alive because technology is posing hundreds of new problems we've never really had to think through before, and you kind of do have the tools out there to think it through. But you know, it's the thinking it through that's going to be a challenge. And like I said, if you like thinking about risks, trying to assess risks, you like trying to assess whether controls are designed efficiently and effectively or not, there's an awful lot of stuff to chew through now. And so sure, I think that this is going to be a very interesting time for internal auditors.
Steve: A great day to be alive. That's both the title of a country song and the new mantra for auditors in this post-pandemic world. Matt, we want to thank you for the insights, and I am hoping that our listeners have a better appreciation for their SOX and audit colleagues. And if that's the case, we'd encourage them to give a hearty fist bump to those audit teams the next time they see them. But this actually brings us to the closing question of the day, and this is a little random, but it occurred to me as I was thinking about this episode, and so I'll ask, if you could choose any kind of greeting gesture to become universal, what would it be and why? Is this a fist bump? Is this a handshake? Is this a bow, a salute, a double bird? Matt, I'm wondering, what would that greeting be?
Matt: OK, so as nutty as this question is, which I think we can all agree, this is pretty nutty, I actually, once upon a time met a technology company in suburban Boston that had an official company greeting gesture. It was, I guess, maybe kind of like the Three Stooges, where you put your hand out in front of you between your eyes, and then you would just say hello like that, like a shark fin that you are resting up against the bridge of your nose between your eyes and kind of salute everybody like that. And I thought, these people are crazy. They later got acquired for a billion dollars, so maybe they weren't. But I will stick with that old technology company putting their hand right in between their eyes and then kind of like pushing it out to everybody a little vertical salute that you put right between your eyes to say hello to everyone. It's weird and it's nuts, but it worked for them. And if I could get acquired for a billion dollars, I would do that too.
Steve: Well, I wasn't expecting that. Catherine, what's your take?
Catherine: Wow. Now I'm kind of curious what the company is. I'm going to try to guess. But you know, my gesture, since this is a podcast, I'll just say snaps.
Steve: Hey, there you go. There you go. A snap. I like it.
Catherine: Steve, what's yours?
Steve: You know, I honestly was going back and forth between the fist bump and the salute. The fist bump because it's very practical, right? It's quick. You can do it. Whatever. If you're a germaphobe, then of course, that's going to be probably a little more appealing. But the salute, there's always a little bit of you know, that kind of makes you feel a little more official, right?
Catherine: With that official salute, this episode is officially over. Big thanks to Matt Kelly from Radical Compliance for joining us.
Steve: And big thanks to you, dear listener, for surfing along with us. I'm Steve Soter. That was Catherine Tsai, and this has been Off the Books. Please subscribe. Leave a podcast review. Tell your buddies if you like the show, and feel free to drop us a line at firstname.lastname@example.org. Surf's up, and we'll see you on the next wave.