Protiviti just released its latest report on Sarbanes-Oxley compliance practices, and internal audit professionals may want to brace themselves. Costs are rising, manhours are rising, automation isn’t happening nearly as quickly as one might hope — and that was all the case before Covid-19 made everything more difficult.
The report surveyed 735 internal audit professionals across a range of industries. The survey itself was conducted in the first quarter of this year before Covid-19 struck, so every point raised must be considered with that caveat. Regardless, the primary conclusions remain true.
First, costs and manpower demands are rising. Across all categories of filers except for Emerging Growth Companies, average annual SOX compliance costs rose anywhere from 5 to 21 percent. The picture was more mixed with companies grouped by revenue, where the very largest and smallest saw costs fall, while companies with a few billion in annual revenue had costs rise by 20 percent. See Figure 1, below.
Meanwhile, hours devoted to SOX compliance rose for 51 percent of companies, and only 13 percent said they were spending fewer hours on SOX compliance.
Protiviti doesn’t devote too much explanation to why hours are rising, but other charts in the report suggest that the number of key controls is rising, while the percentage of automated key controls is staying flat. So internal audit winds up needing to do more extensive testing, which translates into more hours spent on SOX compliance. (We can also blame demands for more evidence and documentation from external auditors, which is an eternal reason for rising costs and manpower.)
The Dilemma on SOX Automation
OK, so costs are rising and staff hours are rising, and nobody likes that. The obvious answer is to automate more SOX compliance work. As Protiviti states in one part of its report, effective technology can be used to facilitate walk-throughs, conduct analysis on whole populations of transactions rather than a sample, and provide real-time analytics and data visualization.
Here in the real world, however, most companies are only slouching toward more automation, if they’re implementing any at all. For example, only 14 percent of large accelerated filers have plans for significant automation. Sixty-seven percent of non-accelerated filers — you know, the ones more likely to experience fraud or financial restatements, because they don’t have outside audits of internal control — have either minimal plans for automation, or no plans at all. See Figure 2, below.
The Protiviti report notes a few hurdles to compliance automation. First, robotic process automation (RPA), process mining, and artificial intelligence can do wonders to automate your compliance program — but audit firms don’t yet have much guidance on how to handle those technologies. So what’s the point of installing RPA or other advanced technologies, if the audit firm either doesn’t accept the results or starts auditing the actual source code of your AI and RPA tools?
The issue here is that the Public Company Accounting Board is still slow-poking along with a project to decide how to integrate data analytics and related technologies into auditing standards. Until such clear guidance comes from the PCAOB, audit firms won’t send clear signals about how they will address questions about technology. So therefore, why would a SOX compliance manager recommend a big IT investment that the auditors might not accept later? That’s one dilemma right now.
Another hurdle: data integration. Younger companies that are “born digital,” as Protiviti calls them, have easier access to data and can pour that information into whatever whiz-bang automation technology they like. Older, larger firms, however, need to extract and clean all that data from legacy IT systems — which means more time, money, complexity, and possibility of error. So sometimes you just stick with the devil you know.
And Here Comes Covid-19
The good news is that all of these challenges would be true no matter what. The bad news is that Covid-19 makes all of them worse.
Let’s start with that SOX automation dilemma. Making the business case for more investment in automation was already difficult based on the obstacles mentioned above. Now Covid-19 has added economic calamity to the equation, so most internal auditors will be making that argument just as CFOs are looking to preserve cash and cut costs.
As Protiviti phrased it:
Many organizations have expressed reluctance about embracing centralized control testing and increasing their use of automation. In some respects these can be significant steps to take, requiring up-front cost and time to implement correctly, not to mention a strong organizational commitment. But the long-term benefits will far outweigh the short-term Investments.
True, and automation will also help to manage compliance work remotely as we all do testing and auditing from our spare bedrooms. But when money is scarce, you need supremely persuasive arguments to win over senior execs who control the purse strings.
The second big issue with Covid-19 is its effect on risk assessments. You’ll likely need to do them more often; they will likely take more time, as you include more locations or processes in the assessment; and the assessment itself will be more difficult to do, thanks to the challenges of working remotely.
The Protiviti report did offer a long list of SOX compliance tasks such as journal entry review, and how you might do that work with solutions both short-term (video evidence of physical inventory) and long-term (automated bar code scanning). Those ideas will be important to consider.
Still, Protiviti only warned about access to data and systems. I’m also worried about access to people — which could be a pressing concern if your company is laying off employees quickly, without considering the implications for internal control.
Again, that could lead to more risks you need to assess, more often. So your workload could be piling up even more, just as budgets get tight and your daily routines to do compliance work are strained.