Two Issues on SOX Compliance

More than 1,700 audit and compliance professionals have gathered in Nashville this week for Workiva’s annual user conference and the annual meeting of the SOX Professionals Group. Yours truly is on the scene, trying to capture all the good insight and latest news on SOX compliance. Here’s what we have from Day 1.

Tuesday was the SOX Professionals Group meeting, where more than 500 people spent the afternoon talking SOX shop. Jeanette Franzel, former member of the Public Company Accounting Oversight Board, gave a review of current issues in auditing and financial reporting: everything from new auditing standards (or the lack thereof), to the rise of data analytics in auditing, to the introduction of Critical Audit Matters in corporate audit reports coming in 2019.

Let’s start with Critical Audit Matter (CAMs), since they are the issue that will hit your auditing and financial reporting function first. CAMs are part of the new auditor report format the PCAOB approved in 2017. Audit firms will need to start disclosing all the potentially troubling issues they discuss with the audit committee.

CAMs could be anything from creaky old ERP systems that might not track financial transactions reliably, to balance sheets heavily dependent on goodwill, to allowances for loan losses (to name only a few examples). Almost all companies will have at least one CAM, and most companies will probably have several.

The problem: not enough companies are preparing for this. In one panel discussion I moderated, we polled the audience on how much CAMs prep work they have done. Fifty-one percent chose “Good thing this is anonymous, because we’re way behind.”

Get CAM Cracking

Compliance and audit executives could be in for an especially rough ride in the first year of CAM disclosure because you’re also dealing with new accounting standards for revenue recognition (went into effect December 2017) and operating leases (going into effect December 2018).

Both standards are significant changes from the old, and lots of companies are still improvising new processes to implement their requirements. But remember what a CAM is: (a) relates to accounts or disclosures that are material to the financial statements; and (b) involves especially challenging, subjective, or complex auditor judgment.

Well, revenue and leasing costs can both be material for lots of companies. And if you’re improvising new processes to implement the new standards, that can increase the amount of especially challenging, subjective, or complex judgment auditors will need to use to analyze them. Blammo! Your CAM concerns just shot up.

Franzel noted that some CAMs will be inherently risk, with no easy path to reduce subjective or complex judgment and therefore eliminate the “critical part.” For example, you could be a highly acquisitive technology firm picking up startups with a hefty goodwill premium; good luck trying to reduce the subjective judgment around that.

On the other hand, Franzel stressed, other CAMs can be modified — and that’s where audit and compliance executives want to strike. For example, if your company has no consolidated system to track operating leases, that can be a material risk and therefore a CAM.

But the company can also fix that problem with better policy and document management systems, and eliminate the subjective or complex judgment. Once you do, the CAM concern goes away even though leases might still be material.

So look for those risks, Franzel said, and get cracking. “This is a great opportunity to ask for some funding, and take care of those things you know you want to take care of.”

Analytics and Auditing

Franzel also raised the subject of new technologies such as artificial intelligence and robotic process automation — which clearly can reduce compliance costs, and will be a disruptive force in SOX compliance and auditing.

We just don’t know what the proper audit response should be for compliance functions using AI or RPA. Auditing standards are nowhere on this issue, and consequently nobody knows whether, or how, AI-driven audit work should be allowed.

For example, could an audit firm use AI to read all your contracts related to lease costs? Could you build one and use it to provide evidence to the firm? How would we audit the effectiveness of that AI, for completeness and accuracy of reports? Or could your audit firm reject all that effort and do its own work using tried-and-true statistical analysis — even if that might be less effective than AI that theoretically looks at everything?

“This is an area I’m worried about,” Franzel said. “You’re going to see these types of conflicts enter the financial reporting and auditing world as this technology evolves.”

Even better: In theory, auditing 100 percent of all transactions with AI would be great. In practice, you’re handing over 100 percent of your data to an outside party. So the cybersecurity of your audit firm becomes critical. How should we inspect that? How should we inspect that if your audit firm uses third-party tech vendors?

Nobody knows yet. Franzel is right that this is an important question, especially because companies and audit firms are investing in AI, robotic process automation, and other technologies anyway. The sooner we find an answer, the better.