Earlier this week I attended a webinar hosted by KPMG about the current state of Sarbanes-Oxley compliance, since 2023 is coming toward a close and audit professionals need to start thinking about the SOX compliance season that will start up early next year. We have lots to go through here.
For starters, SOX compliance does need improvement, because indicators of good SOX compliance are moving in the wrong direction. More companies are receiving poor marks for internal control over financial reporting (ICFR) from their audit firms, including large accelerated filers and accelerated filers — that is, companies that should have strong financial reporting systems in place. See Figure 1, below, taken from the KPMG webinar.
OK, that’s troubling. Then comes the next question of which internal control issues are driving that increase in poor ICFR. Figure 2, below, shows the top five ICFR issues for each of the last five years and how they’ve changed over time.
Figure 2 is a good chart to study because it raises several issues internal auditors and SOX compliance teams need to consider as you plan for your next SOX compliance audit.
For example, non-routine transactions fell from the top problem in 2018 (cited by 64 percent of filers) to fifth place in 2022 (cited by only 14 percent). But is that trend likely to continue this year? Non-routine transactions could include layoffs, debt restructuring, or related one-time charges that tend to happen in turbulent times — and last time I checked, 2023 has been mighty turbulent. We might well see a jump in adverse ICFR opinions next year due to non-routine transactions; is there anything in your company’s recent past that might put it on that list?
Disclosure Control Challenges
We could raise similar questions about poor disclosure controls. The number of filers citing trouble with disclosure controls went from 20 percent in 2018 to 40 percent in 2022. To a certain extent, that makes sense; we’ve seen the Securities and Exchange Commission fault numerous companies in recent years for poor disclosure of cyber, ESG, and other non-financial risks. For many companies these are new issues and your processes for collecting information about them might not be solid.
“You need to be looking at your disclosure controls,” Sue King, a partner at KPMG and head of its SOX practice, said on the webinar. “A lot of companies have found that they do have inconsistency in the methodologies they use, or that the metrics that they use don’t exactly tie” to the data the company includes in the 10-K filing.
Take something as supposedly simple as disclosing the ratio of male versus female employees. Do you report the average ratio across the whole year, or the ratio as of an exact date? Are you including part-time employees? What about contractors? What about non-binary employees? How do you assure that what you disclose in the 10-K mirrors whatever you might need to disclose to the Equal Employment Opportunity Commission?
As we move into a world of more non-financial reporting, an ability to solve questions like that — to develop reporting processes that anticipate them, really — will become crucial for successful SOX compliance.
“You need to broaden your perspective and be taking a look at the processes and controls around disclosure of some of that data,” King said. Given the new SEC reporting obligations coming as soon as next year, such as expanded disclosure of cybersecurity risks, her point is well taken.
The Big SOX Compliance Issue: IT
The primary theme in the webinar, however, was the importance of IT risk management to successful SOX compliance.
Go back to Figure 2, above. Notice how IT issues have become much more prevalent over the last five years, going from 39 percent of adverse ICFR opinions in 2018 to 55 percent today. That shouldn’t be a surprise. Companies have embraced digital transformation and cloud-based technology services over the last five years. From operational and financial perspectives, that’s great — but digital transformation puts your internal controls through the wringer, too.
For example, changes in your IT infrastructure will often lead to new workflows. That could threaten the completeness and accuracy of the data you use for financial reporting. You might, say, have a new general ledger system that hives off old journal entries into a separate archive. If you don’t know that about the ledger, you might end up working with incomplete data.
“You really have to understand how that data is flowing so that you can get your arms around completeness and accuracy,” King said.
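The completeness and accuracy point above can be turned into a concrete reconciliation test. The following Python is an added example written for this post; it is not code from KPMG or from the webinar, and the ledger rows, document numbers and control totals in it are constructed. It assumes the new ledger exports journal lines as (document number, account, debit, credit) and that an independent control total and document-number range (say, from the legacy system’s year-end report) are available to reconcile against. Run against the live extract alone, the test reports the documents that the ledger hived off into the archive; run against live plus archive, it reports only the entry whose debits and credits do not tie.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class JournalLine:
    doc_no: int
    account: str
    debit: Decimal
    credit: Decimal


def constructed_extract(rows) -> List[JournalLine]:
    """Build journal lines from (doc_no, account, debit, credit) tuples (constructed sample data)."""
    return [JournalLine(n, a, Decimal(d), Decimal(c)) for n, a, d, c in rows]


# Constructed: what the new general ledger returns for the period under audit.
LIVE = constructed_extract([
    (1004, "1000-Cash", "500.00", "0.00"),
    (1004, "4000-Revenue", "0.00", "500.00"),
    (1005, "6000-Payroll", "1200.00", "0.00"),
    (1005, "1000-Cash", "0.00", "1020.00"),      # transposition error: entry does not balance
])

# Constructed: older entries the new ledger silently moved to a separate archive.
ARCHIVE = constructed_extract([
    (1001, "1000-Cash", "1000.00", "0.00"),
    (1001, "3000-Equity", "0.00", "1000.00"),
    (1002, "5000-Rent", "300.00", "0.00"),
    (1002, "1000-Cash", "0.00", "300.00"),
    (1003, "1000-Cash", "250.00", "0.00"),
    (1003, "4000-Revenue", "0.00", "250.00"),
])

# Constructed control information from an independent source (assumed: the legacy
# system's year-end report), not from the ledger being tested.
EXPECTED_DOCS: Set[int] = set(range(1001, 1006))
EXPECTED_DEBITS = Decimal("3250.00")


def reconcile(lines: Iterable[JournalLine], expected_docs: Set[int], expected_debits: Decimal) -> Dict:
    """Completeness: every expected document is present. Accuracy: each entry balances
    and total debits tie to the independent control total."""
    lines = list(lines)
    docs = {ln.doc_no for ln in lines}
    per_doc: Dict[int, Decimal] = {}
    for ln in lines:
        per_doc[ln.doc_no] = per_doc.get(ln.doc_no, Decimal("0")) + ln.debit - ln.credit
    unbalanced = sorted(d for d, net in per_doc.items() if net != 0)
    total_debits = sum((ln.debit for ln in lines), Decimal("0"))
    missing = sorted(expected_docs - docs)
    unexpected = sorted(docs - expected_docs)
    return {
        "missing_docs": missing,
        "unexpected_docs": unexpected,
        "unbalanced_docs": unbalanced,
        "debit_variance": total_debits - expected_debits,
        "complete": not missing and not unexpected,
        "accurate": not unbalanced and total_debits == expected_debits,
    }


if __name__ == "__main__":
    print("live only:    ", reconcile(LIVE, EXPECTED_DOCS, EXPECTED_DEBITS))
    print("live+archive: ", reconcile(LIVE + ARCHIVE, EXPECTED_DOCS, EXPECTED_DEBITS))
```

The design point is that the control total and document range must come from somewhere the tested ledger cannot influence; reconciling an extract against totals computed from the same extract proves nothing. The per-document balance check is a cheap accuracy control that catches keying and interface errors the completeness check would miss.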
Digital transformation also drives up the importance of IT general controls, and especially change management controls: the controls that govern who can make a change to your IT system, and how.
Think of it this way. Once you transform a business process from the manual to the digital, it will remain a digital process forever. That means the process itself will be “more transformable” in the future, because all you need to do is implement more software. And implementation itself gets easier all the time, especially with advances like generative AI that can write new code instantly.
So how do you control a process so digitally fluid? What change management controls will work in that environment? What management reviews, multi-factor authentication protocols, and other measures will you need?
I don’t know, but I know that answering those questions correctly will become much more important in the future.
Indeed, King said digital transformation will even change the skills a good SOX compliance professional will need. “It needs to be somebody who understands the business process, but also someone who understands IT and can really get into understanding the data flows,” she said.
I agree 100 percent. The SOX compliance season that starts up in January should be quite something.