Introduction to SOX Automation
The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law enacted to protect investors from fraudulent financial reporting by public companies. In particular, SOX Section 404 requires management to establish, document, and annually assess the effectiveness of internal control over financial reporting (ICFR), with the company's external auditor attesting to that assessment. In practice this means implementing controls, including technical controls in the systems that record financial transactions, and then monitoring and testing them so that the data behind the financial statements can be relied on.
SOX touches many teams within a company, including accounting and finance, IT, and executive leadership, and practitioners widely describe SOX compliance as time-consuming and manual. Here are some of the challenges around SOX as explained by author and consultant David Axson:
So how do you modernize your SOX program with automation so that your employees can spend more time providing strategic value to the business?
SOX automation: the basics and its impact on companies in 2022
In this blog post, we’ll cover the basics of SOX controls and how your SOX program can benefit from automation.
Entity-Level Controls vs. IT General Controls
Entity-Level Controls (ELCs) are controls and practices in place that are applicable across the company. Some examples of ELCs include risk management policies, human resource policies, segregation of duties, and fraud prevention and detection programs.
IT General Controls (ITGCs) are controls over the IT environment that support the recording of financial transactions through systems. Common ITGCs include controls over user access to systems (provisioning, deprovisioning, and periodic access review), controls over access levels within systems, and change management.
Controls built into a system can automate and centralize both ELCs and ITGCs. For example, suppose a company has a segregation-of-duties ELC over cash: the person who collects incoming checks should not be the same person who deposits them, because someone holding both duties could divert a check into their own account. That ELC can be enforced through an ITGC: system access is configured so that the user who records check receipts cannot also post deposits, and the periodic user-access review confirms that nobody has accumulated both entitlements. By building most controls into a system, we 1) automate the control rather than relying on a person to perform it and 2) for systems with SOC reports (more detail below), allow both internal and external audit to rely on those controls and decrease their own testing.
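The segregation-of-duties control above can be expressed as a rule over the duties each system role grants, and then checked two ways: preventively, when a role is about to be granted, and detectively, by sweeping an access export during the user-access review. The following is an added illustration written for this page, not Leapfin's or any vendor's code; the role names, duty names, conflict rules, and the access export are all constructed for the example.

```python
"""Segregation-of-duties (SoD) check over a system access export.

Added illustration, not Leapfin's or any vendor's code. The role-to-duty
mapping, conflict rules and access export below are constructed examples.
"""
from itertools import combinations

# Which business duties each system role grants (constructed example).
ROLE_DUTIES = {
    "ar_clerk": {"collect_checks", "apply_cash"},
    "treasury": {"deposit_cash"},
    "ar_manager": {"approve_credit_memo"},
    "controller": {"bank_reconciliation", "approve_credit_memo"},
}

# Duty pairs that one person must never hold together (order irrelevant).
SOD_CONFLICTS = {
    frozenset({"collect_checks", "deposit_cash"}),
    frozenset({"deposit_cash", "bank_reconciliation"}),
    frozenset({"apply_cash", "approve_credit_memo"}),
}


def duties_for(roles):
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    out = set()
    for role in roles:
        out |= ROLE_DUTIES.get(role, set())
    return out


def conflicts_in(duties):
    """Sorted list of conflicting duty pairs present in `duties`."""
    found = []
    for a, b in combinations(sorted(duties), 2):
        if frozenset({a, b}) in SOD_CONFLICTS:
            found.append((a, b))
    return found


def find_sod_violations(assignments):
    """Detective control: sweep a user -> roles export and report violators."""
    violations = {}
    for user, roles in assignments.items():
        pairs = conflicts_in(duties_for(roles))
        if pairs:
            violations[user] = pairs
    return violations


def can_grant(current_roles, new_role):
    """Preventive control: refuse a grant that would create a conflict.

    Returns (allowed, conflicting_pairs); pairs is empty when allowed.
    """
    pairs = conflicts_in(duties_for(set(current_roles) | {new_role}))
    return (not pairs, pairs)


# Constructed access export, the kind a quarterly user-access review pulls.
ACCESS_EXPORT = {
    "alice": ["ar_clerk"],
    "bob": ["treasury"],
    "carol": ["ar_clerk", "treasury"],   # collects and deposits: the cash scenario above
    "dave": ["controller"],
}

if __name__ == "__main__":
    for user, pairs in find_sod_violations(ACCESS_EXPORT).items():
        print(f"SoD violation for {user}: {pairs}")
    ok, why = can_grant(ACCESS_EXPORT["bob"], "controller")
    print("grant controller to bob:", "allowed" if ok else f"denied, conflicts {why}")
```

The conflict table is the control's design; the two functions are the control operating. Keeping the table in version control and running the sweep on every export gives the auditor both the rule and the evidence it was applied, which is what a Type 2 examination of this control would want to see.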
SOX Programs Can Benefit From Control Automation
Decreased control failures
According to the State of the SOX/Internal Controls Market Survey, 55% of respondents in 2022 said IT tools and cybersecurity were their main focus, and 48% named control testing automation and continuous control monitoring as their second-biggest priority.
Some of the most common causes of control failure include:
- Control not properly performed, enforced, or monitored
- Human error
- Control overridden or bypassed
- Poor control design
Automation can significantly decrease the amount of human intervention required in key controls. For example, revenue recognition software such as Leapfin that needs no CSV uploads or manual intervention is likely to decrease control failures.
By integrating with Stripe (and other payment processors) through their APIs, Leapfin ingests payment data and generates journal entries daily. Because nobody re-keys or uploads the data, the manual steps where fat-finger mistakes occur are removed. The residual risk moves to the integration itself, so its configuration, credentials, and change history are what the ITGCs then need to cover.
Decreased control testing
Centralized management of SOX controls by financial statement line item (FSLI), such as revenue, fixed assets, and accrued expenses, can streamline both the execution and the testing of the associated controls.
For example, if all revenue controls are centralized in one revenue sub-ledger such as Leapfin, testing becomes much simpler: auditors test that system and the interfaces feeding it instead of multiple tools that each affect revenue.
Internal & external costs savings
In the 2023 KPMG SOX Report, the share of companies spending more than 60% of total internal audit hours on SOX dropped to 22%, down from 55% just five years earlier.
By automating controls, internal audit teams can spend less time auditing manual SOX processes and focus on other value-add areas.
It is no surprise, then, that executives of large enterprises ranked SOX automation among their top priorities in 2022.
Reliance on SOC 1 Reports
SOC 1 reports address a service organization's internal controls that are relevant to its customers' financial reporting, and are obtained from service organizations that process or hold financial data on behalf of their customers (e.g. revenue recognition software). A SOC 1 report gives those customers (the user entities) and their auditors independent assurance that the service organization has appropriate controls in place over that data.
There are two types of SOC 1 reports:
- Type 1: Officially known as “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls,” this report outlines the service organization’s risk assessment and procedures as well as the design of the controls to achieve the related control objectives as of a specific date. It does not test whether the controls actually operated.
- Type 2: Officially known as “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls,” this report contains all of the information in a Type 1 report. Because a Type 2 report addresses both the design and the operating effectiveness of the controls over a period of time (usually six to twelve months), as opposed to the specific date used in a Type 1 report, it also describes the testing the service auditor performed and the results.
Obtaining a SOC 1 report, and a Type 2 report in particular, can reassure you that internal controls within the service organization’s system are functioning appropriately and as intended. Two checks before relying on one: confirm that the report period covers your fiscal year (or obtain a bridge letter for any gap), and confirm that your company actually performs the complementary user entity controls (CUECs) the report assumes, since the service organization’s controls only meet their objectives if those are in place. Generally both internal and external auditors can then rely on the SOC 1 report and decrease their testing of internal controls related to the service organization’s systems.
SOX compliance automation frees up your valuable time – here are your next steps toward implementing it
SOX compliance can be complex and time-consuming. It is also worth recognizing how SOX testing can affect employee morale and retention, as it is an area that few accountants volunteer to spend their time on. Consider the benefits of automation, such as decreased control failures, decreased control testing, and increased cost savings: the investment may more than pay for itself.