CFO Perspective: Reducing the Cost of SOX Compliance
By Mark Kissman, CFO, Pathlock Technologies
More than a dozen years after the adoption of the Sarbanes-Oxley Act (SOX), we would expect the effort organizations expend on compliance to decrease over time. However, according to Protiviti’s 2015 Sarbanes-Oxley Compliance Survey, 67% of the 460 audit executives and professionals polled reported an increase in the hours that their organization dedicated last year to addressing SOX compliance.
Automation is the key to reducing the cost of SOX compliance while improving overall controls throughout the year. As Protiviti points out, automated controls are an important part of a strong internal control environment. This is because they increase the efficiency of operations, improve accuracy and help eliminate fraud. Automated controls are more reliable than manual controls because they are not susceptible to human error or failure.
Automation efforts are on the rise. The poll showed a year-over-year increase in large organizations with significant or moderate plans to automate more IT processes and controls. In 2014, 40 percent of large company respondents reported having significant or moderate automation plans; this past year, 58 percent of large organizations described their automation plans as significant or moderate.
Savings from automation could be significant. More than half of all large organizations (58 percent) that responded to the poll spent $1 million or more on SOX compliance costs (excluding external audit-related fees) in their previous fiscal year, and 25 percent of all large organizations spent more than $2 million.
One area to focus on automating is Segregation of Duties (SoD) because it is a key part of achieving SOX compliance. Automated SoD analysis identifies users who actually conducted transactions that constitute SoD violations. The ability to distinguish who has the potential to commit an SoD violation from who actually committed one helps to quickly prioritize the risks that must be addressed first. In addition, capturing SoD transactions in real time enables organizations to put compensating controls in place and greatly streamlines and simplifies SOX audit prep and reporting.
Another compelling benefit of automation is that it not only protects a business from SoD violations throughout the year, it also exposes SoD risk in dollar values that the business can clearly understand and prioritize. For many organizations, a review of SoD is a manual process performed once a year. Not only does this take a long time to complete, but these companies have no visibility into what happens the rest of the year.
SoD automation brings tremendous benefits to virtually every enterprise. Such an approach can reduce costs and improve risk management by ensuring timely, thorough, and consistent reviews, while helping to ensure SOX compliance.