Sarbanes-Oxley (SOX) Legislation - Sixteen years and counting

Lynn Fountain's Profile

It has been 16 years since the SOX legislation was passed by Congress.  The legislation itself has not changed, however, the evolving changes in business, culture and technology have impacted the way organizations and auditors approach their compliance work.

The original auditing standard (AS2) released after the legislation was passed provided guidance to companies on how to comply with the legislation.  In 2007, it was clear that clarification on that guidance was required.  AS5 was released in 2007 and provided further guidance on considerations such as materiality, significant deficiency, documentation and testing. This standard has remained in place since 2007 which has been 11 years now.  Should AS5 be reviewed and updated given the vast changes in business and technology impacting internal controls over financial reporting (ICFR)?  Let’s visit a few of the most dramatic business changes that may have impacted ICFR.

Cyber security and information technology

The advancement of information technology and the emergence of the cyber security age has placed a renewed focus on the impact of general and application controls on the SOX process. Technology has changed at lightning speed since 2002 and original thoughts surrounding the possibility of a deficiency in IT controls manifesting (or not) in a material weakness has also changed.  Technology is no longer a back-office function.  It controls every aspect of our lives.  This includes how businesses market their product, conduct their work, process their transactions and create their reporting.

The increased cyber threats that exist it today’s world have gained the attention of companies regarding how a cyber-attack could impact their processes around ICFR.  General controls and application controls have become a focus not only around ICFR but for business in general. It has become imperative for businesses as a whole to properly understand aspects of cyber security, how attacks can impact their overall business processes as well as business and financial reporting.  Many refer to cybersecurity as “the new age fraud”.  SOX was passed on the heels of major corporate frauds.  If cybersecurity is indeed the “new age fraud”, organizations must place a stringent focus on ensuring they properly identify their critical assets, protect those assets, determine how to detect incidents when they occur, respond to those incidents and then recover from those incidents.  This process is referred to as a framework for cyber risk assessments.

Big Data

Along with the cyber age has come the prevalence of big data.  Big data is a term that describes the large volume of data – both structured and unstructured – that inundates a business on a day-to-day basis. The importance of big data revolves around what you do with it. You can take data from any source and analyze it to find answers that enable cost reductions, marketing focus, time efficiencies and decision making. Big data can now be utilized within SOX testing processes It allows organizations and auditors analyze more information and greater certainty.  Some of the benefits of this utilization of big data during SOX compliance include being able to determine root cause failures and issues and defects in near-real time.  It also has vast uses in helping to detect fraudulent behavior within an organization. In short, big data allows professionals to analyze more information on a real-time basis, with fewer resources and greater reliable results.

External Service Providers
The business of outsourcing aspects of a company’s day-to-day process has become commonplace in today’s business world.  In the early SOX years, companies relied on SAS70 reports to obtain assurance on internal controls within an external service providers organization.  Many companies receiving these SOC reports accepted the information and assumed all internal control requirements were covered. Now organizations understand they must critically evaluate the information in these reports to ensure they cover the controls that are important to their company.

SAS70 has evolved and been replaced by other standards including SSAE16 and now SSAE18.  These standards place additional focus on various types of outsourcing arrangements.  They include providing guidance on how to evaluate outsource arrangements that involve information technology processes that may have an impact on ICFR.  Companies utilizing service providers must re-visit their procedures for understanding and evaluating the service organization control reports (SOC) obtained from these providers.  In addition, it has become important for organizations to understand the new SOC reports, the various versions and their relationship to cyber security and ICFR. 

Expanded globalization of business

In May 2013 the COSO foundation released an updated framework for internal controls. Although the framework maintained its basic five core components of: control environment, risk assessment, control activities, information communication and monitoring. The framework added 17 principles that companies are required to affirm. The transition to COSO 2013 took a bit longer than many companies expected.  The original intent was to have companies take a fresh look at their key controls and determine if they had appropriate processes in place to meet the COSO principles. Many companies reached this goal in spirit while other companies mapped current controls to the principles. This process is still being refined in many areas.  

The updated framework also placed a spotlight on fraud.  It highlighted the need for companies to critically consider a holistic fraud risk. In 2017 COSO updated their enterprise risk management framework. The update focused on tying risk to organizational strategies.  However, it also placed focus on potential for fraud within an organization. These developments are not a surprise since the reason for the SOX legislation was due to the many miss-doings that occurred in corporate America back in the early 2000’s.

The evolution of the COSO 2013 will continue to impact companies. Organizations are continuing to evaluate each of the 17 principles in light of new and changing business conditions and increased cyber threats that impact our financial reporting process. This undoubtedly will continue to be an important component for complying with SOX.

Summary

The debate on the value of the SOX process continues as organizations look at cost vs. benefit.  However, most experts agree that the rigor required by the legislation has improved ICFR and provided investors with a stronger level of comfort.  Organizations and auditors must continue to monitor the evolving business landscape and appropriately right-size their control evaluations and testing efforts.  As we said back in 2002 – SOX will not go away.  Here we are 16 years later, and it certainly has not gone away. 

Learn much, much more in Lynn's SOX courses and her world-class SOX Certification on Illumeo.

***

Former Chief Audit Executive for two global companies, expert in leadersihp, SOX, COSO, ERM and corporate governance frameworks. Nationally recognized trainer, speaker published author.