Introduction to SOX Control Automation
The Sarbanes-Oxley Act (SOX) of 2002 is a law passed by Congress to help protect investors from fraudulent financial reporting by corporations. In particular, SOX Section 404 requires the implementation of technical controls, together with continuous monitoring and auditing, to ensure the reliability of data related to financial transactions.
SOX affects many teams within a company, including accounting and finance, IT, and executive leadership. SOX compliance is widely described as extremely time-consuming and manual. So how do you modernize your SOX program with automation so that your employees can spend more time providing strategic value to the business?
In this blog post, we'll cover the basics of SOX controls and how your SOX program can benefit from automation.
Entity-Level Controls vs. IT General Controls
Entity-Level Controls (ELCs) are controls and practices in place that are applicable across the company. Some examples of ELCs include risk management policies, human resource policies, segregation of duties, and fraud prevention and detection programs.
IT General Controls (ITGCs) are controls over the IT environment and support the recording of financial transactions through systems. Examples of common ITGCs include control of user access to systems, control of access levels within systems, and change management.
Controls built into a system can automate and centralize both ELC and ITGC categories. For example, a company has a segregation of duties ELC for cash: the person who collects checks at the company should not be the same person who deposits them, since that person could deposit a check into their own account. We can ensure the segregation of duties control is in place by implementing an ITGC that restricts deposit access for the person who collects checks. Building most controls into a system gives two benefits: 1) the controls are automated, and 2) for systems with SOC reports (more detail below), both internal and external audit can rely on those controls and decrease their own testing.
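The following is an added example, not code from the original post or from Leapfin, showing how the segregation of duties ELC above can be enforced as an ITGC inside a system. It assumes a hypothetical conflict matrix of duty pairs that one person must never hold together, and a constructed sample of user-to-duty assignments; both are illustrative, not taken from any real system. The detective check finds existing conflicts for an auditor to review, and the preventive check refuses a new grant that would create one.

```python
from itertools import combinations

# Constructed conflict matrix (assumption, not from the page): pairs of
# duties that one person must not hold at the same time.
CONFLICTING_DUTIES = {
    frozenset({"collect_checks", "deposit_checks"}),
    frozenset({"create_vendor", "approve_payment"}),
}

# Constructed sample of system role assignments (user -> set of duties).
SAMPLE_ASSIGNMENTS = {
    "alice": {"collect_checks", "post_journal_entries"},
    "bob": {"deposit_checks"},
    "carol": {"collect_checks", "deposit_checks"},   # violates SoD
    "dave": {"create_vendor", "approve_payment"},    # violates SoD
}


def find_sod_violations(assignments, conflicts=CONFLICTING_DUTIES):
    """Detective control: return {user: [conflicting duty pair, ...]} for every
    user who holds two duties that the conflict matrix says must be separated."""
    violations = {}
    for user, duties in assignments.items():
        hits = [
            tuple(sorted(pair))
            for pair in combinations(sorted(duties), 2)
            if frozenset(pair) in conflicts
        ]
        if hits:
            violations[user] = hits
    return violations


def can_grant(assignments, user, new_duty, conflicts=CONFLICTING_DUTIES):
    """Preventive control: refuse a grant that would create a conflict.
    Returns (allowed, reason) so the decision can be logged for audit."""
    for held in assignments.get(user, set()):
        if frozenset({held, new_duty}) in conflicts:
            return False, f"{new_duty} conflicts with {held} already held by {user}"
    return True, "ok"


if __name__ == "__main__":
    # Periodic review: list every current violation for follow-up.
    for user, pairs in find_sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    # Access request: bob already deposits checks, so collecting them is refused.
    print(can_grant(SAMPLE_ASSIGNMENTS, "bob", "collect_checks"))
```

In a real system the conflict matrix would be maintained by the control owner and the assignment data pulled from the application's access records; running the detective check on a schedule and keeping its output is the kind of evidence auditors can rely on instead of re-testing the control by hand.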
SOX Programs Can Benefit From Control Automation
Decreased control failures
According to the State of the SOX/Internal Controls Market Survey, in 2020, 65% of survey respondents reported control issues that led to deficiencies, significant deficiencies, or material weaknesses. In the same report, the second leading cause of control failure was human error.
Some of the most common causes of control failure include:
- Control not properly performed, enforced, or monitored
- Human error
- Control overridden or bypassed
- Poor control design
Automation can significantly decrease the amount of human intervention required in key controls. For example, revenue recognition software such as Leapfin that does not require any CSV uploads or manual intervention is likely to decrease control failures. By leveraging an API integration with Stripe (and other payment processors), Leapfin processes payment data and generates journal entries on a daily basis. End-to-end automation leaves no opportunity for fat-finger mistakes.
Decreased control testing
Centralized management of SOX controls by financial statement line item (FSLI) such as revenue, fixed assets, accrued expenses, etc. can streamline the execution of the associated SOX controls. For example, if all revenue controls are centralized into one revenue sub-ledger such as Leapfin, then testing becomes much easier since auditors only need to audit that system instead of multiple tools that impact revenue.
Internal & external costs savings
In the 2020 SOX market survey, 31% of internal audit teams with SOX responsibility reported that they were spending more than 50% of their time on SOX. By automating controls, internal audit teams can spend less time auditing manual SOX processes and focus on other value-add areas.
Control failures also generally require additional testing from external auditors, which can result in increased audit fees as well as time employees spend supporting the audit.
Reliance on SOC 1 Reports
SOC 1 reports address internal controls over financial reporting and are used for service organizations that manage financial data for their customers (e.g. revenue recognition software). SOC reports assure customers that the service organization has appropriate controls in place to protect their financial data.
There are two types of SOC 1 reports:
- Type 1: Officially known as “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design of Controls,” this report outlines the service organization’s risk assessment and procedures as well as the design of the controls to achieve the related control objectives as of a specific date.
- Type 2: Officially known as “Report on Management’s Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls,” this report contains all the information from a Type 1 report. Because the Type 2 report addresses the design and testing of the controls over a period of time (most often six months) as opposed to the specific date used in a Type 1 report, it also describes the testing performed and the results.
Obtaining SOC 1 reports for service organizations can reassure you that internal controls within the service organization’s system are functioning appropriately and as intended. Generally both internal and external auditors are able to rely on the SOC 1 reports and decrease testing of internal controls related to the service organization's systems.
To receive a copy of Leapfin's SOC 1 Type 2 report, click here.
SOX compliance can be quite complex and time-consuming. It is important to recognize how SOX testing can affect employee morale and retention, as it is often an area that many accountants do not voluntarily spend their time on. Consider the benefits of automation, such as decreased control failures, decreased control testing, and increased cost savings - the investment may more than pay for itself.