SOX internal control testing: automating for efficiency

Technology reduces the compliance costs and time burdens of UK SOX internal control testing. We look at the benefits of automation tools and highlight different solutions.

Internal control testing has traditionally been manual, repetitive and resource-intensive, relying heavily on finding exceptions using a sampling approach from disparate data sets.

The problem is that documentation is often captured primarily in spreadsheets and it's difficult to monitor the controls population and navigate to where control weaknesses exist.

For organisations preparing for UK SOX, the task of setting up internal controls and detailed testing schedules can be overwhelming.

The use of digital tools and automation can significantly change the way financial risks and controls are monitored.

Any SOX project needs to recognise that technology will reduce the cost and effort required to be UK SOX compliant.

What are the benefits of automation tools in UK SOX internal control testing?

You can look through the benefits of automation tools and the different solutions available in our guide.

| Manage risk and compliance | Efficient and effective approach | Generate insights |
| --- | --- | --- |
| Remediate control deficiencies more frequently | Reduce testing time from hours to minutes and perform on a more frequent basis | Determine root causes and focus on fixing underlying issues |
| Enable continuous monitoring of risks and controls so real time results are available to management | Free up your personnel to spend more time on tasks that require judgment | Identify trends and behaviours based on transactional data |
| | Test 100% of the population | Identify potential risks using advanced analytics methods such as machine learning to predict control failures |

Digital solutions

GRC and ERP specific tools - Most large ERP systems now have tools that will specifically help with Financial and IT controls testing, such as journal postings, user access, and segregation of duties.

Extract Transform Load (ETL) - ETL is the process of taking system data and preparing it for analysis. There are many tools on the market, such as Alteryx, Knime or IDEA, that perform data ingestion and transformation. These are versatile and ideal for aggregating data and cleansing it into a usable format.

Robotic Process Automation - Automation can make repetitive tasks simple and easy. Whether it’s through a scripted data query or a specific RPA tool, end-to-end automation of workflows will save a significant amount of time, around 70% compared to manual methods. Automation can cover a wide variety of SOX-related tasks, such as extracting data, performing tests of detail, populating dashboards and exception alerting.

Visualisation and dashboards - Tools such as Power BI or Tableau enable the creation of visuals that allow you to build monitoring solutions. They can facilitate continuous auditing for real-time exception flagging. Dashboards can be published and shared with senior stakeholders to provide timely, engaging and interactive reporting of the assurance process.

Process mining - Tools such as PAFNow, Minit and Celonis allow effective mapping of end-to-end processes in a visual way to identify control breakdowns and optimisation opportunities.

End-User Computing (EUC) - In-house and user-developed applications or critical spreadsheets can be a significant risk to businesses as they are not subject to the organisation's IT general controls. Tools such as those from CIMCON will allow you to discover EUCs across your organisation, log and manage them, and deep dive into specific files to highlight exceptions and integrity risks.

Platform as a Service/Software - Cloud services are available for all of the digital tools listed here, which means they can be deployed flexibly and licence subscriptions are based on usage. This avoids significant investment of internal IT resources needed for new hardware and software.

And, what are the challenges?

The biggest challenge is ensuring you have the correct strategy for using tools and technologies to modernise your SOX internal control testing. Any approach should focus on achieving quick wins by leveraging existing tools and skills to demonstrate value before progressing to long term transformation goals.

Asking a few big questions at the start can help you manage it.

What are the costs?

Tools and licences can be expensive to purchase and configure to your needs. Think about leveraging existing tools you already have in the business. The likelihood is that these may be enough to get started on short term needs or a pilot. Also, consider if you can utilise lower entry cost or open-source tools.

What's the return on investment (ROI)?

The time savings generated from automation are often underestimated, and it’s also worth considering how much less disruptive an automated approach will be to finance and IT personnel once established. There is less burden on the business as compliance activity is automated and employees can spend this saved time on higher value activities. Consider if other areas of the business may benefit from using these tools, as this will mean there is greater return on investment for the business.

Do you have the right skills and knowledge?

Most organisations will not necessarily have all the skills in the business to run all the tools they would ideally use. Training, piloting, recruitment, and external help are all effective ways to increase skills and knowledge.

What tools do you need?

There are numerous digital solutions on the market that can deliver automated compliance. There is no one-size-fits-all solution. However, end-to-end digital auditing solutions exist that package together the necessary digital components for automation. These solutions are a good option for organisations with limited digital capabilities, as they mean only one investment instead of bringing together multiple tools.

Investing in efficiency

Automated SOX solutions enable data gathering, control assessments, testing, signoffs, evidence, and workflow documentation all to be handled in one system. This makes management, and review by external auditors, simpler, and makes it easier to demonstrate compliance and deliver assurance.