This is the first part of a two-part series.
According to Protiviti’s 2023 SOX Survey, a significant number of internal audit teams have substantial SOX-related responsibilities. In 2023, 71% of internal audit departments dedicate at least 50% of their time to SOX-related activities. These activities include collecting evidence, testing controls, collaborating with co-source partners, addressing and resolving deficiencies, and satisfying external auditors. All of these tasks consume a considerable amount of time for internal audit.
In 2024, this amount of work will likely increase. In Protiviti’s 2022 SOX survey, only 21% of audit teams reported a year-over-year decrease in SOX hours; in the 2023 survey, only 14% reported the same decrease. Considering increased scrutiny from external auditors and new cybersecurity disclosure requirements, the amount of time spent on SOX compliance will likely increase for many.
Many internal auditors dread activities related to SOX compliance, and it’s understandable. SOX tasks are often routine and repetitive. If an auditor has been involved in the same SOX program for more than 1-2 years, the work can become mundane and, more importantly, fail to provide new learning experiences for career development.
However, many of these internal audit teams also struggle to expand the scope of their work to other compliance or key risk areas. Perhaps internal audit doesn’t have buy-in from executive management, sufficient budget or resources to do more work, or an Audit Committee that fully understands how a contemporary internal audit team can help the Board with their oversight responsibilities.
But the real issue may be more profound. Our approach to SOX compliance is often what hinders us. Executives may be reluctant to seek help from a group that simply fulfills its requirements without actively working to improve the areas it has been assigned.
For teams with the proverbial “Seat at the Table”, Sarbanes-Oxley compliance goes far beyond evidence collection, controls testing, and deficiency management. These internal audit teams have experienced increased buy-in as a result of up-leveling their organization’s approach to SOX through six core tenets: educate, automate, delegate, eliminate, advocate, and increase reliance.
Even though SOX Compliance has been around for more than 20 years, control deficiencies are still experienced by many companies. According to Audit Analytics’s 2022 SOX Disclosures survey, the number of ICFR attestations by external auditors has been the highest since 2008. More scrutiny of IT controls by external auditors, changes in control ownership, and human nature when performing manual controls are contributing factors to control deficiencies.
There are several ways internal auditors can educate control owners, and the business more broadly, to prevent control deficiencies. An obvious start is to focus training efforts on those control owners with deficient controls. Walking through narratives, control matrices, and even internal audit testing approaches can further cement an understanding of how to perform the control. Observing control owners perform their tasks can help you identify where they may trip up before the control is tested independently.
Another area of focus is to routinely identify changes in control ownership, and make sure new control owners understand what is required of them to carry out the control, and when. For new leaders, walking through the key controls and control tasks their teams are responsible for (e.g. certifications and narrative updates) helps ensure appropriate oversight of controls performed across the organization. Depending on the size and resources of your organization, internal audit could partner with HR to help develop an onboarding program specific to new control owners.
Control training can be a great service provided by internal audit. Holding virtual or in-person lunch and learns, carving out time for training during audits, inviting control owners to participate in the SOX risk assessment, and connecting control owners with the same responsibilities at different corporate locations are all options. These additional training methods create more awareness of control responsibilities and improve the culture of compliance in the organization.
One of the biggest changes in many SOX programs in the past four years is the level of automation used to manage and test controls. For example, in Protiviti’s 2023 SOX survey, the number of internal audit teams leveraging a GRC technology for their SOX program more than doubled during the last four years, from less than 30% in 2019 to 63% in 2023.
2024 can be the year to automate many of the routine tasks in SOX – including providing testing status updates, preparing reports, collecting evidence, and control certifications – by purchasing a GRC application for SOX compliance.
But just because you are using a GRC technology does not mean improvement opportunities do not exist. Pendo, a company helping software companies with product development, cites that 80% of an application’s features and functionality are rarely or never used by a general application user.
Functionality such as allowing control owners to perform tasks (certify controls, provide evidence, and update narratives), granting managers access to real-time status updates, and integrating with other source systems is commonly not leveraged to its fullest, yet it can have a significant positive impact on time saved and on the SOX program’s success.
It may be worthwhile to visit with your vendor’s customer success team to review how your site is currently used and identify areas for improved use. The review can highlight how to better use your current SOX application. Or if your needed functionality does not exist, it may also highlight the need to up-level your GRC application.
Speaking to those in your network and leveraging sites like G2 and Gartner Peer Reviews are ways to identify vendors and applications that should be considered for your shortlist to evaluate. And remember, the applications on your shortlist should not only cover current features for control testing and reporting, but should also streamline the control owners’ experience and offer best-in-class solutions to automate other key second- and third-line functions.
Delegating SOX-related work to others in your organization not only can free up time for internal audit to focus on more value-added activities, but it also offers opportunities to up-level the skillsets of your colleagues and help ensure controls are performed as needed. Data collection, control testing, and project management are areas ripe to be delegated to colleagues with additional bandwidth or up-and-comers in Finance, Operations, or IT.
One strategy cost-focused Accounting and Finance leaders employ to reduce spend on SOX is to have their staff and managers peer-test others’ key controls. For example, can your Accounts Receivable Senior Analyst test payroll or equity controls? Can an IT Manager of one Corporate entity test the access review controls of a separate in-scope entity?
Peer testing is a realistic strategy because many Finance, Accounting, and even some IT personnel are former auditors, and can leverage their prior experience for current efficiencies. However, it is wise for internal audit teams overseeing a peer testing strategy to have a quality control process to ensure testing results are documented and supported sufficiently and to the expectations of management and the external auditor.
Project management responsibilities, such as data collection, scheduling testing, remediation follow-up, updating narratives, and obtaining control certifications, are another opportunity for work to be delegated back to the business.
Internal audit teams that incorporate these tenets to better manage their SOX program should find increased opportunities to expand their portfolio of work. Internal auditors can then help protect and enhance their organization against emerging business risks, and position internal audit as both a trusted advisor and change agent in 2024.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares Internal Audit and Connected Risk strategies and tactics with the AuditBoard Community and customers to help improve the practice of Internal Audit and how 2nd and 3rd line functions work together.