SOX requires IT General Controls (ITGCs) to operate effectively with very little tolerance for exceptions, and to be subject to periodic testing.
This is because ITGCs underpin the financial controls that SOX is ultimately concerned with. Performing each iteration of each control, and generating the evidence of it for testing purposes, is laborious and time consuming. Auditors are increasingly finding weaknesses in ITGCs, and such weaknesses are now one of the most common reasons for an organization receiving an adverse audit opinion. Organizations are therefore looking for new ways to strengthen their ITGCs cost effectively and efficiently, as the cost and resource burden of complying with SOX is significant and only increasing.
Key components of SOX IT Requirements –
The consequences of receiving an adverse audit opinion on Internal Control over Financial Reporting (ICFR) can be serious.
An adverse opinion signals that the organization has internal controls that are not designed effectively, are not operating effectively, or both, which increases the risk that the financial statements are materially misstated. Because the opinion is public information, stakeholders lose trust in the organization, which impairs its ability to raise capital, increases the risk of fines and, in the most severe cases, can lead to imprisonment of those charged with governance. It is therefore imperative that the organization complies with SOX to the standard expected by the SEC and applied by its external auditors under the auditing standards of the Public Company Accounting Oversight Board (PCAOB).
Rising cost and resource requirements for SOX compliance
Despite SOX having been in force for over 20 years, the cost and resource needed for an organization to remain compliant have only increased. It is not uncommon for average annual SOX compliance costs to be between $1 million and $2.5 million, depending on the size and complexity of the organization. The increase has been such that compliance has become a burden in its own right: the fees paid to SOX practitioners are going up, and so is the internal operational resource that must be invested. IT departments are becoming overwhelmed by juggling their business-as-usual activities with their obligations under the SOX ITGCs. Organizations are now looking for ways to minimize this cost and resource burden.
Achieving SOX ITGC compliance involves a number of challenges.
Complying with SOX ITGCs is demanding. IT departments operate a continual cycle of executing the ITGCs and then testing them in a way that satisfies the key components of SOX. That includes conducting risk assessments, designing and executing test attributes, satisfying sampling criteria, complying with Information Produced by the Entity (IPE) requirements, retaining evidence, evidencing review, enforcing segregation of duties, remediating deficiencies, and so on. Many of the ITGCs are manual and labor-intensive. Not only must the controls operate effectively at a very high level of accuracy, but each instance of a control's operation may be subject to inspection and testing by both internal and external auditors. The IT department is therefore also required to invest time and resources in cooperating with these audits, which is a further burden on it.
Key ITGC requirements typically expected in an enterprise environment are as below -
This burden is compounded further for IT departments that manage large numbers of legacy applications and systems. The numbers grow with every merger and acquisition, with no relief in sight. Given the complexity of the modern IT landscape, it is not uncommon for a large organization to have hundreds, if not thousands, of ITGCs spanning all of its key IT systems. This is why IT departments are so stretched, and why they are so commonly faulted for the control failures that lead to material weaknesses and adverse audit opinions.
The burden of SOX compliance can be reduced by leveraging technology and partnership solutions, both of which have advanced considerably in recent years.
Automation and Artificial Intelligence (AI) solutions can reduce the level of human input required in the operation and testing of ITGCs, especially for repetitive activities that involve no judgment. Partnerships can free organizational resources from the burden of SOX compliance, so that they can concentrate on business-as-usual and more value-adding activities, while the SOX compliance activities are managed by a highly specialized SOX service delivery center (SDC).
These solutions have existed for a few years now, but organizations have been resistant to adopting them for several reasons:
However, these concerns/misconceptions are no longer barriers for adopting external and automation solutions because:
The cost of SOX compliance, from both a financial and an operational perspective, is significant and is only increasing. Organizations are now seeking ways to minimize these burdens without compromising on quality, which can be achieved by bringing partnerships, automation and AI solutions into the SOX compliance model. This has led more and more organizations to adopt hybrid SOX compliance models, and it is not uncommon to find as much as a third of an organization's SOX compliance costs now attributed to external solutions. Organizations that do not follow suit will find their SOX compliance costs spiralling out of control, or find it increasingly difficult to remain ITGC compliant to the required standard.