Nearly 20 years after the passage of the Sarbanes-Oxley Act, SOX compliance continues to put onerous demands on many public companies. Amid the impacts of the COVID-19 pandemic on companies and their employees, manual SOX-compliance processes such as those involving Microsoft Excel have become even more difficult. This exposes the long-overdue need for SOX automation, which is emerging as a remedy in the new pandemic environment.
This was the focus of a Toppan Merrill webinar in October 2020: SOX and COVID-19: Navigating Year-End Compliance in the Midst of a Global Pandemic. The event featured insights from a panel of audit and compliance professionals who have been working in the new normal of the SOX-compliance landscape:
- Jeanne Abundis, Partner, KPMG
- Chris Champion, CAO, Occidental Petroleum
- Elizabeth Epler Jones, Partner, AXIA Partners
- Jennifer Pierce, Director of Internal Audit, Penn Virginia
- Mike Schlanger, Vice-President of Solution Sales, Toppan Merrill
“It has been almost 20 years since the SEC required companies to create an internal control process,” Mike Schlanger noted in his introductory remarks. “It’s still a challenge to manage your SOX process. Add in the COVID-19 pandemic and its impact on every business process, and we’ve got some real issues that all of you are dealing with.”
One 2018 survey by Protiviti, a global consulting firm with expertise in internal auditing, found that 63% of the responding companies are still not using technology tools in the testing of their controls to comply with SOX Section 404. The survey also revealed:
- An average of 33.3 internal hours spent per control just for documentation and testing
- 156+ process-level controls at 57% of companies with three or fewer locations
- Over 59% of companies increased hours spent on SOX compliance by more than 10%
- Companies with annual revenue of more than $500 million typically spent at least $1.06 million on internal SOX compliance
- Over half of all SEC filers report increases in external audit fees
“What COVID did,” Mr. Schlanger noted, “is exacerbate the already existing challenges and then expose that maybe there are some processes you operate today—that have been in place for 10 years, 20 years, 30 years—that are not meeting your needs in this new reality. And it might be time to review the need to have a more robust automated platform.”
What are the top SOX-compliance management challenges that the pandemic has exacerbated? The webinar participants noted a few:
- More time needed to conduct external audits
- Time management (work/life balance for employees)
- Communication and collaboration
- Corporate fatigue at all levels of the organization
- Re-engineering the organization with the new work-at-home reality for most employees
- Cybersecurity: access to records, data, audit support, original evidence
- Rethinking the cost/benefit test of physical site visits
- Visibility to internal management, to the audit committee, and ultimately to shareholders
At the same time, the importance of audit activity is more critical now than ever. The SEC is not offering a temporary free pass on SOX compliance, noting how important it is for companies to be transparent and disclose the impact of COVID on their business in all areas. As Sagar Teotia, the SEC’s Chief Accountant, observed in a June 2020 statement: “In these times of rapid change and increased uncertainty, the need for the oversight role that audit committees play is as critical as ever.”
How are companies and auditors trying to maintain SOX compliance in this environment? They may, for example, be reassessing business travel and rethinking long-held beliefs around the necessity and benefits of site visits, leaning instead toward enhanced technology to fill these gaps. As companies adjust to the demands of remote SOX-compliance management, processes seem to take longer. Companies must plan for more time in the adequate documentation and testing of their SOX controls.
SOX compliance in pandemic times: Views on the new normal
The webinar’s panel of audit and compliance professionals provided insights from their experiences out in the wild of the new pandemic normal.
“What I am starting to see is what I would call corporate fatigue,” began Jennifer Pierce of Penn Virginia. “You begin to forget what people look like.
You don’t have that ability to drop in. You are very tied to your [Microsoft] Outlook schedules. People are working long hours because they are incorporating their work/life balance [at the same time] they are trying to add in homeschooling ... Things like that have impacted the SOX organization.”
Chris Champion of Occidental Petroleum concurred. “[The challenges are] really around maintaining an engaged employee base ... All of a sudden we had people that were doing their professional job and also homeschooling at the same time. And so it quickly became about being able to be flexible as an employer ... in order to maintain the continuity of what we need to do.... So you try and try to get a process in place where employees know when to turn it off because work and [personal] life were happening at the
He also pointed out the awkwardness of employee management in the pandemic work environment. “How do you onboard people, how do you maintain culture and tone at the top? How do you maintain training and talent development? The critical element of SOX is having people properly trained.”
“Go back to the basics,” suggested Elizabeth Epler Jones of AXIA Partners. “Get your controls executed and make sure you’ve got the right amount of documentation. Step back, and let’s look at your risk. Let’s reevaluate.” She warned that, as when your company is going through a retraction, “all of a sudden, everything becomes more material” and things you did not have to worry about in the past “all of a sudden become relevant.”
The sudden onslaught of new online communication tools has raised other obstacles, Ms. Pierce indicated. “For my organization, our employee base is a little bit older, and so the technology was very hard to accept.” In the beginning of the pandemic, few knew how to work with Zoom, whether downloading or logging in correctly.
How can some of the in-person experience be instilled into the current digital workflow? Leadership can model that in action and attitude. “We went through an enterprise risk-management process, and it was very important to [Ms. Pirerce] that executive management did it via video. ... And it was amazing, because once the executives bought into it and once they began doing video, they began demanding video.”
Given that tone at the top, the employee base took to video conferencing as well. “I think it’s important that executives take the lead on this technology, and ... once you do that, it does permeate throughout the organization and it makes a lot of processes a lot easier.”
Ms. Pierce extolled the benefits of switching from a spreadsheet-based process to an automated SOX compliance process. “Now, when a file is put out and my corporate controller says ‘Who gave that information to you?,’ I go to a website, I can print a screen, and I can show you exactly who gave it to her. Then she can make a judgment call on whether that was the correct document and she can work within our own department. In addition, it’s allowed for some great visibility with my audit committee.”
For external auditors, the new normal presents novel problems to be solved by auditors and their clients’ audit committees. Just as companies’ internal SOX processes take longer, the external audit also takes more time. Nonroutine transactions made by a company due to pandemic demands can increase its risk of a control failure. All the while, remote communications have changed the way the external auditor and the company’s audit committee function and interact.
Jeanne Abundis of KPMG discussed some of the unexpected challenges that have arisen for external auditors in the switch from in-person to video meetings. “The auditor/client relationship can be naturally an adversarial role,” she noted, “and we try our best to make people feel comfortable whenever we have meetings with them. [But] it is more challenging to generate that comfort level with our client.”
Moreover, she pointed out, video meetings can deprive external auditors of the body language that they naturally read during in-person meetings. “We gather information from [body language] whenever we are having in-person conversations. You don’t really realize the impact that has until it’s gone.” So the auditors ask clients to turn on their video at the start of the meeting.
Ms. Abundis then took up the theme of the tone at the top, but from the auditor’s perspective. “That’s a crucial item that we consider whenever we are looking at the company’s [control] environment and thinking about those principles.” She encourages filers to “think about materiality now” and whether it has altered the company’s risk profile. “Now that your company may have had economic impacts from COVID-19, do the controls need to be augmented? Do additional controls need to be put in place as a result?”
The PCAOB, explained Ms. Abundis, “is always interested in any nonroutine transactions and the testing of internal controls around those nonroutine transactions, so I would expect that there would be additional scrutiny and inspections this year on any nonroutine transactions that companies have.” The first recommendation is to make sure you have robust control structures around those.
“Engage your external auditor early and often,” she concluded. “If you are experiencing some sort of external or nonroutine transaction, get them involved as soon as possible, so you can work out the risk assessment.”
Ms. Jones provided similar advice about enhanced harmony between companies and auditors. Remedies that were easy to implement in the past may be more complicated now.
Rethinking SOX compliance management
For many companies, managing SOX on a spreadsheet is now impossible, Toppan Merrill’s Mike Schlanger concluded. Specific key concerns include:
- Ensuring documentation (narratives, flowcharts, and RCM) is accurate
- Ensuring changes are carried through to testing
- Staying on top of control execution and document requests
- Effectively managing any deficiencies discovered
When making the move from a spreadsheet process to an automated SOX solution, companies can realize both tangible and intangible benefits:
- Better overall communication and collaboration
- Time savings and measurable cost savings (overall hours)
- Increased agility
- Increased visibility and focus on true risks to the company
- Workflow management/visibility into the process: knowing what your people are doingReporting: internal management and audit committee
The benefits of SOX automation technology are significant. All business locations, processes, risks, and controls are maintained in a single software-as-a-service (SaaS) platform. Through dashboards and reporting tools, the process is more transparent than ever.
Automation also offers ease of collaboration, wherever employees are working. Compliance professionals can seamlessly capture changes to their control environments. Workflows can be configured, leading to more streamlined processes. Through role-based permissions and access control, managers are provided with visibility and flexibility.
To assist with proper compliance, especially in this COVID-impacted time, Toppan Merrill offers a SOX automation solution, which can mitigate the risks of failure at each SOX program stage gate.
To read the full article in Dimensions Vol. 2020, No. 5, click here.
Reach out to jump start a partnership that will bring speed, security, accuracy and efficiency to all of your complex content and communication requirements.