SOX Control Awareness and Communication Can Help Reduce Costs and Hours
Learn how better communication with business partners can raise control awareness within the organization to save SOX costs and hours in this article by Tom O’Reilly and Eric Groen, originally published on The Protiviti View.
Protiviti’s 2019 SOX survey shows that companies, with the help of technology, are finally beginning to make headway in the 15-year battle to rein in SOX compliance costs and rising control counts. A few weeks ago, we discussed some of the factors that contribute to the reduction in hours and costs, and we pointed to reducing and standardizing control counts as one of these factors. But a reduced number of controls is not a goal in and of itself; rather, the goal is to strengthen the control environment while making it easier to test the controls and meet the expectations of external auditors.
One of the more notable changes in recent years has been the effort to replace broad sample-based control tests performed at the enterprise level with more precise controls and tests of entire populations. This has had the effect of increasing, not reducing, control counts, but it is also spurring automation and producing more valuable insights.
This increasingly granular level of control testing is raising the bar for internal audit and SOX leadership to communicate these new controls, and control deficiencies, to business partners. At the same time, communication can raise control awareness within the organization, cultivating support among control owners for control testing activities. Below we discuss some of the ways this communication can happen.
One of the most obvious approaches is to conduct “lunch and learn” sessions, in which external auditors are invited in to educate control owners on what they look for, what needs to be measured, why it’s important, and what control owners can expect. Some chief audit executives (CAEs) also use these sessions to teach new employees about controls and to teach control owners about COSO’s five components of internal controls.
Some CAEs have reported success with enlisting the help of their executive and management teams to communicate the value and importance of internal controls throughout the organization. These CAEs provide CEOs and CFOs with control information and snippets to share in town halls and team meetings. The material raises awareness of controls and deficiencies through examples of business failures that are in the news and explanations of how the organization's own controls actually help prevent similar problems.
These communication techniques aren’t unique to Sarbanes-Oxley compliance. They have been shown to be effective in placing ethics and fraud controls in context, for example.
When control owners understand the logic behind SOX compliance testing, they are in a better position to share knowledge that might help auditors get the information they need, and ultimately achieve every organization’s goal of reducing the total number of hours spent on SOX compliance.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together.
Eric Groen, CPA, CIA, is a Managing Director at Protiviti with almost 20 years of experience in compliance, internal audit, external audit, and risk management. Eric is the current president of the Phoenix chapter of the IIA.