• Dave Coderre

Sarbanes-Oxley (SOX) Cost Reductions through Data Analytics


According to the Protiviti report, ‘SOX Compliance and the Promise of Technology and

Automation1’ SOX compliance costs have shown year-over-year increases but are starting to level off. It also states that organizations are beginning to make greater use of technology and automation to support the compliance process. However, implementing automation in the SOX compliance process is difficult for many organizations. Understanding and defining requirements, getting stakeholder buy-in, and the investment cost are the main roadblocks. However, the benefits can outweigh the costs.


Most SOX-software focuses on the management of your SOX documentation and the linking of SOX procedures to risk. CTRLmatters focuses on a continuous program improvement approach that test internal controls by executing hundreds of analytics across multiple business processes on a regular basis. These analytics can provide direct support to a corporation’s SOX compliance activities and immediate remediation. By centrally managing the automated testing of internal controls you can reduce your SOX effort and cost, and more fully engage all three lines of defense. Companies that use analytical testing techniques can realize tangible benefits in their SOX compliance process. Some of these benefits include, reduced external audit costs, increased operational efficiency, and reduced SOX compliance costs.


An effective data analytics solution should examine both automated and semi-automated (IT-dependent) controls, as well as business process specific controls. The analytics increase assurance by testing entire transaction populations for compliance with financial controls and by examining IT-related controls and transactions to assess risk and Identify outliers in financial and IT activities. The following highlights a sampling of how the CTRLmatters analytics supports the detailed testing of controls required by SOX:


  • Accounts payable – analysis of duplicate payments, payment methods and terms, Purchase Order controls, invoice number practices, and user authorizations

  • ERP Overview – input and data entry controls, IT configuration, user authorizations, access controls, separation of duties, master data maintenance, and unusual GL accounts

  • Financial Monitoring – trial balances, GL transaction analysis, sensitive transaction processing by users, unusual transaction types, journal voucher analysis, losses/write-off/suspense account analysis

  • Contracting – unit price and quantity variance analysis, vendor-employee relationship analysis, contract date analysis

  • Payroll – duplicate payment, unauthorized employees


Looking at from a different perspective, we also support the analysis of:


  • IT general controls including separation of duties, user authorization, invalid users,

  • General Ledger controls – identifying unusual GL accounts, outliers to GL Accounts a variety of Journal Voucher (Journal Entry) analysis.

  • ICFR controls – suspense, loss and write-off, incorrect fiscal year, and prior period postings


Our analytics are supported by detailed visualizations and a health check report that shows levels of risk around SOX controls and compliance, for all key business process areas. The visualization provides drilldown capabilities to examine specific controls and tests; while the health check provides a simple language explanation of the condition observed, the impact, and the specific recommendation that should be taken.


In addition to reducing your SOX compliance cost, the use of data analytics can support organizations that are under review by the US Department of Justice (DOJ). The DOJ evaluation of corporate compliance programs includes factors that prosecutors should consider in investigating a corporation, determining whether to bring charges, and negotiating plea or other agreements. JM 9-28.300. These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” JM 9-28.300 (citing JM 9-28.800 and JM 9-28.1000).


Having a strong compliance process in place can reduce the likelihood and cost of legal investigations and put the corporation in a better position to demonstrate their efforts to prevent and detect fraudulent activity.


A continuous data analysis monitoring program offers supporting evidence that the corporation:


  • provides compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions;

  • has systemic processes in place to detect the misconduct in question, such as reports identifying relevant control failures;

  • understands and addresses the root cause analysis of the misconduct at issue;

  • undertakes ongoing analysis to detect and prevent misconduct;

  • has policies or procedures in place, such as continuous monitoring, that should have prohibited the misconduct; and

  • has functions that own these policies and procedures, and can be held accountable


SOX compliance reporting has been a drain on the resources of organizations for too many years. It is time to let data analytics take some of the load and reduce the costs while improving the ongoing assessment of IT and financial controls; and possibly mitigating or lessening the impact of DOJ actions.


Dave Coderre

Senior Data Analyst / Co-Founder

WWW.CTRLmatters.Com


1. https://www.protiviti.com/US-en/insights/sox-compliance-survey