SOX Compliance: The Past and the Future

Sumi S
09:00 am
09 Jan 2023

The Sarbanes-Oxley Act turned 20 last year! It is significant to consider the Act's current state and recall the circumstances that led to its enactment. Even 20 years later, the fundamental effects SOX has on the business world are still relevant, even though adopting SOX standards may seem different now.

What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The US Congress passed the SOX Act in reaction to the significant accounting scandals of the early 2000s, such as Enron, WorldCom, and Tyco International, which caused severe financial losses among stakeholders. The act aims to create enhanced financial disclosures, safeguard consumers and investors from corporate fraud and accounting mistakes, and ensure that scandals like Enron or WorldCom never occur again. The statute also tackles internal control evaluation, company governance, and auditor independence.

Companies must pass a SOX compliance audit to achieve SOX compliance, during which external auditors evaluate the organisation, its financial statements, and most critically, its internal controls. Meeting the criteria of SOX compliance is both required by law and good business practice. Today, achieving SOX compliance is a highly scrutinised, intricate process involving cooperation between different departments and entities.

Numerous, more contemporary trends are influencing reporting standards and control environments as firms explore going public and work to establish their own SOX programmes.

The following are some of the most notable new factors:

Technology, Data Analytics and Automation

Today, businesses use software to monitor and control internal spending. Some companies, particularly those in Silicon Valley and the healthcare industry, have adopted this technology, and as a result, their approach to internal controls has improved. Others, though, still stick to the old ways of compliance. That needs to change immediately, because if they don't, they risk missing accounting fraud and getting in trouble with external auditors or the SEC.

Organisations concentrate on offering value-added activities in competitive labour markets. Businesses and auditors increasingly use automation and data to improve the effectiveness of current processes and controls and free up employees' time for judgement. Robotic process automation (RPA) and Governance, Risk, and Compliance (GRC) solutions can ultimately lower the overall cost of compliance.

Automation is where compliance has seen the most significant change. Robotic Process Automation (RPA) is now a tool that businesses and auditors may use to program instructions for their compliance software, searching for dubious spending and trends. These instructions might be customised to the specific conditions or sector of the firm.

RPA has been a godsend for those who have used it, but AI promises to bring about a true revolution in compliance technology. AI can examine current expenditures and other crucial activities to determine whether they are consistent with projections. If not, the system will be able to identify a potential problem right away. Additionally, as these systems learn more from each piece of expenditure data they consume, they become more adept at identifying anomalies.

Another crucial point is that AI will lessen human error and reliance on individual judgement. The system will instantly pinpoint a transaction for further inquiry when something is off, making controls and audits more focused. That's crucial because, frequently, interpersonal interactions can skew our assessment of whether something warrants reporting. And in other situations, a simple human mistake can cause problems to go unnoticed.

Beyond efficiency and cost savings, improving SOX compliance through intelligence will be beneficial: businesses that automate audits are providing relief to their accounting teams. Automation reduces human error in mundane chores and frees up overworked staff to concentrate on studying the outputs of AI compliance systems.

There is apparent reluctance among many present executives to entrust AI with identifying compliance issues. However, CEOs can't realistically expect manual checks to locate issues, considering the expanding regulatory scrutiny of ESG and cybersecurity risks and the complexity of an organisation’s financial operations.

Leaders must ensure that the data they feed into their AI systems is accurate and helpful, and they should thoroughly clean up their current data. CEOs should use trial projects to identify where they are losing money. Inventory, purchasing and procurement, as well as travel and leisure, might be good places to start. This will assist in persuading them of the significant return.

Leaders must monitor new technological developments in the area of SOX compliance. If they overlook the problems, that could severely harm the reputation and value of their companies. Additionally, IT professionals must closely consider the requirements of organisations and auditors. Businesses considering significant expenditures on new IT systems will need more from their technology than just monitoring expense reports. The successful AI systems in the SOX compliance arena must demonstrate their ability to detect errors and frauds that cost millions of dollars.

Environmental, Social, and Governance (ESG)

Recently, many comparisons between SOX and ESG compliance have been made. Environmental, Social, and Governance (ESG)-focused businesses are attracting the attention of corporate investors. The SEC put forward regulations this year requiring registrants to identify climate-related risks that are reasonably likely to materially affect their operations and financial standing. Professionals are looking to SOX compliance procedures for assistance, considering these new requirements and the increased ambiguity surrounding other ESG regulations. It is critical to establish internal controls that can communicate the data appropriately and comprehensively as more ESG reporting requirements develop in future. Many businesses are starting to test their ESG-related data as part of their overall SOX programme.

Technology development has significantly influenced the development of SOX during the past 20 years. Under SEC guidance on cybersecurity disclosure requirements, companies must report on matters such as critical cyberattacks and their effect on financial reporting, the board of directors' awareness of and competence in cyber risk management, and whether the business has put its cybersecurity rules and practices into action. To achieve compliance with these new criteria, cybersecurity controls are now evaluated alongside traditional IT General Controls (ITGC) during SOX testing.

Final Words

The enactment of SOX twenty years ago is a powerful reminder of the value of accuracy, completeness, and transparency in financial reports within the capital markets. The specifications will change continuously, but the fundamentals won't. The effects of SOX on the corporate business environment have been made clear during the past twenty years. Corporate accountability, fraud prevention, and financial transparency have undergone a long-lasting transformation. Many of these modifications have spread from the public to the private sphere, and in some cases, they have slowed the development of the newly public firm market. As new business community demands, such as ESG activism and data privacy, arise, the policies, processes, and procedures included in and developed to comply with SOX are now being reevaluated and applied.
