Four Pivotal Actions SOX Leaders Are Taking in 2024

How are forward-thinking SOX teams approaching SOX in 2024? Over the past two months, I’ve interacted with 30 SOX program leaders spanning finance and internal audit, including 10 from Fortune 100 companies. I undertook a benchmark exercise aimed at identifying shared SOX strategies, reviewing SOX compliance in 2023, and understanding improvement areas for 2024.

I’ve gathered four interesting takeaways from these discussions that I think will benefit internal auditors as they begin SOX work in 2024.

1. Anticipate Changes That Will Impact SOX Compliance  

For many organizations, gone are the days when SOX compliance was a standard, repeatable process with no significant change. Two of the most common drivers of complexity for the SOX leaders I spoke with were:

  • More and more companies are acquiring and merging businesses, and divesting other business lines. Changes in operations bring new processes and entities into SOX scope once they cross materiality thresholds.
  • Finance’s tech stack continues to evolve. Disparate ERPs are being consolidated as others are upgraded to cloud-based versions. Because external auditors are increasingly rigorous about IPE (information produced by the entity) and key reports, more and more applications are now in scope for SOX compliance.

These changes significantly impact SOX compliance. Forward-looking internal audit and SOX teams must be prepared to not only execute existing SOX procedures, but also to carry out SOX readiness strategies to help establish new controls and educate their colleagues on financial reporting risks, controls, and key SOX concepts.

2. Reassess SOX Roles and Responsibilities  

Responsibility for managing SOX programs varies across organizations and is usually influenced by company size, industry, and the past experience and preferences of Finance leadership.

  • Smaller organizations may employ internal audit to handle the entire SOX program: working with control owners, maintaining documents, testing controls, managing issues, and coordinating with external auditors.
  • Some organizations have dedicated SOX PMOs in Finance and IT to manage SOX, but outsource control testing to internal audit.
  • Larger companies may have dedicated Financial Compliance teams handling all SOX activities, in addition to other compliance activities such as SOC compliance or data privacy assurance.

What is consistent, however, is that forward-thinking SOX leaders are reassessing how SOX responsibilities are delegated across their company. Two main considerations are driving the reassessment. First, can delegating more responsibilities to the first line improve control performance? Second, for SOX programs that involve internal audit, can effort shift to the business and free up internal audit to concentrate on other risk-based activities?

What does this look like in practice? Some CAEs with SOX duties I spoke with shared that they aim to delegate PMO tasks like scoping, control certifications, and issue management workflows to finance leaders. Other second line SOX leaders are reassessing control testing strategies and considering outsourcing control testing to third parties with access to international networks that can drive further cost efficiencies. Finally, many SOX leaders shared that they are contemplating increasing control owners’ SOX responsibilities — from updating documentation to liaising with auditors and peer testing other controls — to deepen owners’ understanding of how their controls work and reduce deficiencies.

3. Leverage Automation and Analytics to Drive SOX Compliance

In years past, SOX teams avoided extensive automation and analytics, viewing SOX as a compliance exercise. The belief was that analyzing the full population of transactions instead of a 25-item sample would surface more deficiencies and therefore more remediation work.

These days, more and more companies are getting creative in how they’re leveraging automation and analytics for SOX compliance.

Controls involving a high volume of transactions, such as identity and access management, are increasingly being automated. Having control owners monitor continuous exception reports or alerts for non-compliant transactions helps them identify and remediate control problems before internal and external audit perform their testing, thereby reducing SOX deficiencies. The practical difference from sampling is that the exception report runs over every transaction, so a control owner who clears the report before period end has already done the work a tester would otherwise do on a sample.

RPA and bots are also increasingly used in SOX programs. Many SOX leaders I spoke with are using bots to automate document requests for control evidence, saving time and reducing the potential for human error. Bots are also being used to drive efficiencies in testing efforts, such as validating that purchase approvals are in line with a company’s delegated authorities.
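The two automated checks described above (full-population access exceptions, and purchase approvals tested against a delegation of authority matrix) can be illustrated with a small script. This is an added example, not code from the article or from AuditBoard; the HR feed, ERP user listing, delegation of authority limits, approval log, and the `AS_OF` reporting date are all constructed for illustration, and a real implementation would pull them from the HR system and ERP rather than from inline tables.

```python
"""Full-population SOX exception report (added example; all data constructed).

Test 1 (IAM): enabled ERP accounts whose owner HR lists as terminated on or
         before the reporting date, or whose owner has no HR record at all.
Test 2 (DoA): purchase-order approvals that exceed the approver's delegated
         authority limit, or whose approver is not in the user listing.
"""
from dataclasses import dataclass
from datetime import date

# Constructed reporting date for the IAM test (a future-dated termination
# must not be flagged as an exception yet).
AS_OF = date(2024, 2, 1)

# Constructed HR feed: employee id -> termination date, or None if active.
HR_STATUS = {
    "E100": None,
    "E101": date(2024, 1, 15),   # terminated before AS_OF
    "E102": None,
    "E103": date(2023, 12, 1),   # terminated, account already disabled
    "E104": date(2024, 3, 1),    # termination dated after AS_OF
}

# Constructed ERP user listing: (user id, employee id, enabled, role).
ERP_USERS = [
    ("jsmith", "E100", True, "AP_CLERK"),
    ("mlee", "E101", True, "AP_MANAGER"),     # terminated but still enabled
    ("rkhan", "E102", True, "CONTROLLER"),
    ("tdoe", "E103", False, "AP_CLERK"),      # terminated and disabled: clean
    ("pwu", "E104", True, "AP_MANAGER"),      # leaves next month: clean today
    ("svc_batch", "E999", True, "AP_CLERK"),  # no HR record: orphan account
]

# Constructed delegation of authority matrix: role -> maximum approvable amount.
DOA_LIMITS = {"AP_CLERK": 0, "AP_MANAGER": 50_000, "CONTROLLER": 250_000}


@dataclass(frozen=True)
class Approval:
    po_number: str
    approver: str   # ERP user id that approved the purchase order
    amount: float


# Constructed purchase-order approval log.
APPROVALS = [
    Approval("PO-1", "mlee", 20_000),
    Approval("PO-2", "mlee", 75_000),     # above the AP_MANAGER limit
    Approval("PO-3", "rkhan", 200_000),
    Approval("PO-4", "jsmith", 500),      # AP_CLERK has no approval authority
    Approval("PO-5", "nobody", 100),      # approver not in the user listing
]


def iam_exceptions(users, hr_status, as_of):
    """Return (user id, reason) for enabled accounts that should not be enabled."""
    findings = []
    for user_id, emp_id, enabled, _role in users:
        if not enabled:
            continue                      # disabled accounts are not exceptions
        if emp_id not in hr_status:
            findings.append((user_id, "no HR record for account owner"))
            continue
        term_date = hr_status[emp_id]
        if term_date is not None and term_date <= as_of:
            findings.append((user_id, f"owner terminated {term_date.isoformat()}"))
    return findings


def doa_exceptions(approvals, users, doa_limits):
    """Return (PO number, reason) for approvals outside the approver's authority."""
    role_by_user = {user_id: role for user_id, _emp, _enabled, role in users}
    findings = []
    for a in approvals:
        role = role_by_user.get(a.approver)
        if role is None:
            findings.append((a.po_number, f"approver {a.approver!r} not in user listing"))
            continue
        limit = doa_limits.get(role, 0)   # unknown role: no authority at all
        if a.amount > limit:
            findings.append((a.po_number, f"{a.amount:,.2f} exceeds {role} limit {limit:,.2f}"))
    return findings


def run_report():
    """Run both tests over the full population and return the findings."""
    return {
        "iam": iam_exceptions(ERP_USERS, HR_STATUS, AS_OF),
        "doa": doa_exceptions(APPROVALS, ERP_USERS, DOA_LIMITS),
    }


if __name__ == "__main__":
    for test, findings in run_report().items():
        for key, reason in findings:
            print(f"{test.upper()} exception: {key}: {reason}")
```

Running the script lists `mlee` and `svc_batch` as access exceptions (not `tdoe`, whose account is already disabled, and not `pwu`, whose termination is still in the future) and PO-2, PO-4 and PO-5 as approval exceptions. The point of the exercise is the shape of the report rather than the toy data: every record in the population is tested against an explicit rule, and each finding carries the reason, which is what a control owner needs to remediate and what a tester needs as evidence.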

In 2024, challenge your SOX team to identify two, three, or four controls to automate to drive efficiencies and improve controls performance.

4. Position SOX Compliance Success to Enable a High-Performing Internal Audit Function

The most interesting observation from my SOX leader conversations was the correlation between successful SOX programs and respected internal audit teams.

Internal audit teams managing high-performing SOX programs — decreasing deficiencies, increasing external auditor reliance, and using SOX-specific technologies — saw improvements in internal audit’s reputation and a higher number of management requests.

Many leaders attributed internal audit’s success to improvements made to their SOX program. This is best exemplified by a CAE who joined a consumer goods company four years ago and spent the first two years improving SOX compliance — ensuring only necessary controls were tested and advising the business on efficient and correct control execution. Because of her early good work with SOX, she was given additional projects and responsibilities, including streamlining information security controls, preparing for ESG compliance, and taking over the ERM program. Her success across these later areas earned her even more influence — increasing audit headcount and shifting SOX PMO responsibilities to Finance, which let her team focus more on risk-based assurance and advisory work.

SOX Success in 2024 and Beyond

If SOX compliance seems challenging, rest assured you’re not alone. Successful SOX teams continuously seek ways to improve control performance and reduce compliance costs, often by reevaluating their responsibilities and utilizing technology. By following this path, you may find more opportunities to lead and enable positive change through assurance and advisory work involving your organization’s top priorities.

Tom

Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.