SOX Compliance

Automating SOX And Internal Controls

Without effective internal controls, organizations open themselves up to a wide range of potential risks and penalties, including theft, embezzlement, and careless accounting practices. For public companies, the risks are even higher. The Securities and Exchange Commission (SEC) can impose a variety of sanctions for fraudulent financial reporting, including fines, criminal charges, permanently banning executives from serving as an officer or director of a publicly traded company, and removing the company from the stock exchange on which it trades.

The Sarbanes-Oxley Act of 2002, commonly known as SOX, requires companies to establish internal controls over financial reporting and regularly test their effectiveness. All SOX provisions apply to all publicly-traded companies and their external auditors. But many aspects of SOX also apply to privately-held businesses and nonprofit organizations.

SOX compliance automation can help organizations automate their SOX controls in order to improve the efficiency and effectiveness of the SOX compliance process. By automating SOX controls, a business can improve its overall compliance posture while also freeing up time and resources to focus on other areas of the business.

What Are SOX Automated Controls?

SOX impacts several areas of a company, including accounting and finance, IT, and executive leadership. The Act doesn’t prescribe specific controls. Instead, it requires organizations to design and implement their own controls that meet the regulation’s goals.

Those controls generally fall into two categories:

  • Entity-level controls. These controls apply to the entire company. Some examples include human resource and risk management policies, fraud prevention and detection programs, and segregation of duties. 
  • IT general controls. These are controls over the company’s IT environment that impact financial reporting. Examples include controlling who can access the company’s financial data, controlling access to sensitive data within the system, and controlling who can record financial transactions or make other changes to the system.

Companies can automate many aspects of their control environment to save time and improve overall compliance. Automated controls are performed automatically by the company’s enterprise resource planning (ERP) system or other related applications.

For example, the company might:

  • Set up access levels within its ERP to control change management, preventing unauthorized users from making changes to financial data
  • Have the ERP automatically reconcile invoices to the underlying purchase order and goods receipt
  • Leverage robotic process automation (RPA) for monitoring the validity of customer credit information before authorizing a sale

The SOX Testing Process

SOX control testing is conducted by internal and external auditors to ensure that a company is in compliance with the Sarbanes-Oxley Act. The process involves reviewing the company’s internal control procedures and testing those controls to make sure they are being followed and are effective. If any issues are found, the company is required to take corrective action.

Control testing processes can be quite complex, and it is essential to have a good understanding of the requirements of SOX. There are many factors that need to be considered, such as the adequacy of the company’s accounting processes and procedures, the reliability of its financial data, and the effectiveness of its internal controls.

The goal of the control testing process is to help ensure that companies are accurately reporting their financial information and are in compliance with all applicable laws and regulations. By conducting regular tests, businesses can help protect themselves from potential financial scandals and penalties.

How to Automate SOX Compliance

Any system of internal controls must contend with the ongoing challenge of human error and the potential for fraud. This makes SOX compliance a daunting task for companies, but there are many ways to automate the process to make it easier and reduce risk.

The first step is to look at your existing technology and consider how its current features and functionality can contribute to your internal control process.

For example, most accounting software and ERP systems allow companies to set access controls for different users. You can use your existing system’s access controls to ensure that the user in charge of creating a vendor account in the system isn’t also able to pay that vendor. This segregation of duties eliminates the risk of fraudulent vendor accounts.
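The vendor-creation versus vendor-payment rule described above can be checked outside the ERP as well. The following is an added example, not code from the original article or from any vendor: the permission names, roles, users, and transaction records are all constructed, and a real ERP export will use its own identifiers. It runs a preventive check over current role assignments and a detective check over payment history.

```python
"""Segregation-of-duties check: vendor creation vs. vendor payment (constructed data)."""
from collections import defaultdict

# Hypothetical permission names; a real ERP export will use its own identifiers.
CONFLICTS = [("vendor.create", "vendor.pay")]

# Constructed sample: role -> permissions, user -> roles.
ROLE_PERMS = {
    "ap_clerk": {"vendor.pay", "invoice.view"},
    "vendor_admin": {"vendor.create", "vendor.edit"},
    "controller": {"invoice.view", "report.run"},
}
USER_ROLES = {
    "alice": ["vendor_admin"],
    "bob": ["ap_clerk"],
    "carol": ["vendor_admin", "ap_clerk"],  # conflict created by stacking two roles
    "dave": ["controller"],
}

# Constructed history: who created each vendor, who released each payment.
VENDORS = {"V100": "alice", "V101": "carol", "V102": "alice"}
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "released_by": "bob"},
    {"id": "P2", "vendor": "V101", "released_by": "carol"},
    {"id": "P3", "vendor": "V102", "released_by": "alice"},  # made under a grant since revoked
]

def effective_permissions(user_roles, role_perms):
    """Flatten role assignments into the set of permissions each user holds."""
    perms = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            perms[user] |= role_perms.get(role, set())
    return perms

def entitlement_conflicts(user_roles, role_perms, conflicts=CONFLICTS):
    """Preventive check: users whose combined roles grant both sides of a conflict."""
    perms = effective_permissions(user_roles, role_perms)
    return sorted((user, a, b) for user, held in perms.items()
                  for a, b in conflicts if a in held and b in held)

def self_paid_vendors(vendors, payments):
    """Detective check: payments released by the same user who created the vendor."""
    return [p["id"] for p in payments if vendors.get(p["vendor"]) == p["released_by"]]

if __name__ == "__main__":
    print(entitlement_conflicts(USER_ROLES, ROLE_PERMS))
    print(self_paid_vendors(VENDORS, PAYMENTS))
```

Payment P3 is flagged only by the detective check, because the user no longer holds the payment permission; reviewing current entitlements alone would miss it.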

Of course, there are some aspects of the control environment that your existing systems might not address. In that case, it’s worth looking into other software solutions that integrate with your ERP or accounting software.

For example, reconciliations are an essential internal control tool because they help prevent and detect fraud. Most accounting software supports bank reconciliations, which help identify accounting and bank errors by comparing the cash balances in the accounting records to the bank statement. However, relying on this system alone often isn’t enough. Many systems don’t support reconciliations for other types of balance sheet accounts, don’t require sign-offs on completed reconciliations, and don’t flag reconciliations that no longer tie out due to changes made to the trial balance.

Adding SOX compliance software to your existing accounting and finance technology stack can provide an additional layer of internal control automation and help ensure SOX compliance needs are met.

How Automation Can Reduce SOX Compliance Costs

Incorporating automation into your SOX program might seem like a costly proposition—especially if it involves implementing new software. However, automation can actually reduce compliance costs on several fronts.

Reduced personnel costs

For example, personnel costs can be a significant component of SOX compliance. It’s difficult (and expensive) to attract and retain skilled compliance professionals who understand generally accepted accounting principles, financial reporting best practices, and the importance of appropriate controls. 

Without automation, SOX compliance teams may spend valuable time performing routine, manual tasks. These manual tasks might include reconciling data from multiple sources, ensuring that journal entries are authorized and properly documented, ensuring that vendor checks are accounted for in numerical order, confirming that supporting invoices and receipts are attached to all disbursements, or dealing with version control issues.

Instead of having your accounting team spend a week out of every month handling these and other time-consuming activities, automation can accomplish the same work in a fraction of the time. This allows organizations to realize cost savings on personnel or leverage those talented individuals in higher-value areas.

For example, when accounting teams don’t have to spend hours inputting data manually and managing spreadsheets, they can leverage data to help key stakeholders monitor relevant metrics and perform financial analysis. They can also use their increased capacity to look for ways to further streamline processes that help the business become more efficient or improve operating effectiveness.

Lower external audit fees

Another key provision of SOX compliance is that companies have an external audit to perform SOX testing over key controls and report on the reliability of their financial statements. This can be a costly process, especially for smaller businesses. 

Automation can help reduce the compliance costs associated with engaging independent auditors because auditors can rely on interim testing and year-end testing performed by the organization’s internal audit teams, meaning they spend less time on their own testing procedures during the year-end audit.

Compliance automation can be extremely helpful in reducing the cost of compliance while also maintaining or improving compliance with regulatory requirements.

Stefan van Duyvendijk

Stefan van Duyvendijk is FloQast's first Accounting Operations Evangelist. Stefan is a tenured controller who has consistently nurtured finance professionals and improved accounting processes throughout his career. Previously he was Corporate Controller for Kodiak Cakes where he led a 10-member finance team through a pre-IPO initiative. Before that, he was U.S. Controller for Skullcandy and senior associate at KPMG.