April 7, 2022

How IT Impacts the Scope of SOX Compliance


As technology and business become more entwined, organizations preparing to go public need to understand how IT systems affect SOX compliance, while leveraging technology to reduce the resource burden of compliance.

Sarbanes-Oxley (“SOX”) officially turned 20 in July of 2021. Over the past two decades, SOX has evolved into a highly detailed, complex process that focuses on establishing controls that make sense for public organizations while improving transparency and accountability in business processes and corporate accounting to restore confidence in public markets.

While SOX focuses on internal control over financial reporting — not necessarily technology — in today’s world, the two are often inseparable. Especially with the COVID-19 pandemic accelerating the move into virtual spaces, technology is increasingly defining how business processes function. In this way, the technology and business processes covered by SOX are so entwined that organizations thinking of going public need to recognize that IT systems will have a major impact on the scope of SOX compliance.

Consulting firms like Clearview Group will work with a company before and after an IPO or SPAC to understand their people, processes and systems and ensure they have the appropriate technical understanding and associated control activities to satisfy their SOX program year after year.

“We’ve seen a massive uptick in requests for public company readiness and pre-IPO readiness, which is indicative of the current IPO and SPAC market,” said Aaron Kerr, Director of Risk Advisory for Clearview Group. “We’ve been working with SOX since it came into law in 2002, and what is clear now, working with many companies across industries, is that the impact of IT on the scope of SOX programs has increased significantly.”

How The Role of IT in SOX is Changing and Why Companies Need to Keep Up

Today, Kerr says IT is critical to accurately define the scope of an organization’s SOX compliance program.

“When we go through the scoping exercise, you start by understanding the business, how it is structured, key process areas, the chart of accounts and define materiality thresholds, but as soon as you start to make those decisions, the next question is, what IT systems are in scope to support those processes? It used to be obvious, but now there are so many ancillary systems and tools that manage different aspects of the business, and external auditors have continued to push harder into which applications are in scope and whether they are consistent across the organization,” said Kerr.

Another sign of this technological advancement within SOX compliance is the increasing relevance of cybersecurity.

“In the past, cyber controls were significant operationally, but they didn’t have a direct tie to SOX,” said Kerr. “That is why cybersecurity was out of scope for the most part until it was included in the COSO 2013 framework. As cybersecurity has continued to be a hot topic in board rooms across the world, external auditors began to look into it more by determining what organizations were doing to assess risk or establish a governance program.”

Now, over the last few years, Kerr says external auditors are getting down to the tactical level, looking into how organizations organize their cybersecurity controls, the risks that are presented and how issues are managed.

“What auditors are asking for is more detailed, which is a trend that isn’t slowing down anytime soon,” Kerr said.

Some of the other SOX changes that have come up over the past five years, Kerr says, are about adding more technical systems into scope.

“If clients are using a product to assist with multi-factor authentication, for example, they will need to answer questions about governing access, walk through the workflow with how access is granted and revoked, etc., during an audit,” he said. “We advise clients to err on the side of caution with those tools because we never know if they will need to be prepared to answer questions later. These systems used to be strictly informative with external auditors, but now you have to demonstrate control over more ancillary systems.”

The Importance of IT When Building SOX for the First Time

While established public companies need to keep up with SOX compliance and the changing role of IT, the trend is just as important for companies building a SOX program for the first time, Kerr says.

“We just kicked off a number of new projects, and as we are scoping and looking at the level of effort involved, we determine the percentage of our budget that is focused on IT. During year one, when companies are building up to the first external auditor assessment, our IT budget is between 50% and 60%,” said Kerr. “This comes from the proliferation of key reports, application controls, configurations, end user tools and more. For companies going public, auditors expect certain controls to be in place and require a level of diligence to demonstrate they function as expected.”

Overall, Kerr says there has been an explosion in how many reports and application controls are in scope or are considered key, which generates more work on Clearview Group’s behalf to make sure public-readiness clients are fully prepared for SOX.

“That is what has driven that number up beyond 50% — the IT general controls haven’t changed much, it has become more about reports and application controls that sit between IT and the business controls,” said Kerr. “That is the biggest expansion of efforts.”

When it comes to what auditors are looking for specifically, Kerr says Clearview Group wants every prospect or client to know that there is nuance in every project.

“While we know most of what clients will be expected to do, each audit firm and individual partner is different,” he said. “That is why we want to over-prepare clients without taking it too far. We go in with a very transparent approach, and that is where the experience of the team comes in because we know what is consistently asked for, and we also know what could potentially come up as well. We prefer to start every year one SOX project with a small scoping project to give the client an accurate level of effort for the entire project.”

How Clearview Group Can Help Clients Ensure Synergy with Business Processes and IT Strategy

Through Clearview Group’s SOX Consulting Services, the firm helps bolster a client’s in-house team with technical experts to support the organization’s SOX needs — providing seamless support that can integrate with the internal team and drive a successful transition from a private to public company.

“A lot of firms will have several different teams — an IT SOX team and a financial SOX team — that will carve up different areas of the process,” said Kerr. “In today’s world, there aren’t many business processes that don’t have IT components, so there is no reason to carve it up into different teams anymore. We provide clients with a project team that collectively brings the skill sets required to effectively deliver the project. Our clients need a team that has the knowledge and experience from both the IT and business perspectives and how technology enables the business processes. At Clearview Group, we understand that all teams should come together and work with the clients to show them how a majority of IT is connected to the business and how it will play a role in the audit process.”

Additionally, Kerr says Clearview Group helps clients stay up to date on all SOX best practices and works to ensure synergy amongst internal team members.

“Those team members who have spent time as an IT director with a public company in the past may think they have everything covered,” he said. “While the core SOX principles are the same as they were 10 years ago, the level of detail is becoming much more in-depth. As a result, we’ve had some challenging conversations because executives may be stuck on how things worked in the past. But we can show them what is expected today for any public company and how it evolves every year.”

Kerr adds that misunderstanding amongst team members is often the number one tech challenge clients face when they are establishing a SOX program today.

“Some folks are used to operating in public companies and understand SOX, while sometimes the IT directors may not have experience because they’ve only worked in private companies,” Kerr said. “That can be an enormous challenge and our role is to inform while also ensuring we aren’t burdening them. But that doesn’t mean it has to be painful. We want to show clients how having more control over these processes can support the organizations’ broader vision and strategy.”

How Clearview Group Leverages Workiva as a SOX Platform

Another way Clearview Group stands out from other consulting firms is through tech-driven tools to optimize the SOX process. While many organizations have worked to adapt their SOX programs, there are still some companies who do not leverage available technology to help automate and enhance their SOX activities. Clearview is a certified Workiva Implementation Partner, which means the firm leverages the Workiva platform to simplify the complexity of the public company readiness process. The Workiva platform is a tool that helps clients automate their most complex reporting needs by streamlining documentation updates, automating aspects of the document request and test processes and providing access to real-time reporting.

“When it comes to year one public company readiness, we realized years ago that we needed a technology platform that we could leverage to deliver SOX services to our clients,” said Kerr. “We landed on Workiva, and we were their mid-market partner of the year in 2020 and 2021 because we successfully demonstrated how much value we could deliver to clients through the platform.”

With SOX, Kerr says clients want scalability and the ability to repeat a seamless experience year after year. Without a purpose-based product like Workiva, clients will be stuck using a frustrating combination of Word documents and Excel files.

“The whole SOX process is tailor-made to fit into a tool like Workiva,” said Kerr. “Especially since you are working with both internal and external stakeholders, you need a way to interact with all the different groups easily. You don’t want to be messing around with version control problems or figuring out where the most recent file is. There is already enough to worry about with SOX, and Workiva helps streamline the process and ensure clients save time and avoid stress.”

For clients that are going through the public company transition process, Clearview Group provides the methodologies and expertise needed to implement or enhance processes in the complex and increasingly tech-forward world of SOX. With a trusted partner like Clearview Group, organizations can feel confident and prepare for a seamless transition from a private to public company.

For more information on SOX compliance, get started here.

Aaron Kerr
Director