Sarbanes-Oxley turns 20 years old this summer. Jack Kristan of auditing firm Plante Moran wonders why many companies still haven’t modernized SOX compliance — and offers an object lesson in the power of technology-aided auditing.
When I first entered the workforce two decades ago, it wasn’t uncommon for financial analysts to be asked to cut large checks needing to be mailed immediately, without much explanation about what they were for and why they were so urgent.
That kind of money movement is pretty much unthinkable in a modern Sarbanes-Oxley (SOX) compliance regime. One of the most enduring changes of the law, which turns 20 this year, was to systematize business processes and authorizations, so you can’t have a 22-year-old write a check for $50,000 simply because a manager told him it was urgent.
Businesses now rely on software to track and manage internal spending. Some companies — particularly in healthcare and Silicon Valley — have been adopters of this technology, and their approach to internal controls has benefited as a result.
But others are still living in the compliance Stone Age. And that needs to change soon, because if they don’t catch up, they could miss accounting fraud and, in doing so, run afoul of external auditors — or even the SEC.
The most transformative changes in compliance have been in automation. Companies and auditors can now use robotic process automation (RPA) to preprogram instructions for their compliance software, looking for certain suspect expenses and patterns. These can be tailored to the business’s specific circumstances or industry.
Robotic scripts can scan money movement with an efficiency humans could only dream of matching, especially in large organizations. Instead of pawing through the hay and looking for the needle, RPA is the equivalent of bringing a metal detector to the barn. Not all companies are using RPA for compliance, but the ones that are have seen positive outcomes, including improved risk mitigation, enhanced financial reporting accuracy, and maybe most crucially, a reduced burden on overworked staff.
For example, we began working with a client a few years ago and received a tip that a certain sales manager was reporting suspicious expenses. A closer look into business receipts revealed that instead of taking clients out to dinner, he had used company funds to buy personal items.
We then suspected that such brazen theft of company money might be happening elsewhere. We set up an RPA script with strict spending rules, ran three years of expense data through it, and subsequently identified another employee who was making personal purchases that did not align with the receipts submitted.
This system worked well in catching unauthorized expenses after the fact. But now we’re building an even more powerful artificial intelligence tool for this client that can flag irregular spending in real time.
While RPA has worked wonders for those who have employed it, AI promises to spearhead a true revolution in compliance tech. AI will be able to look at current spending and other key processes and see if they’re in line with what was forecast. If not, the system will be able to quickly spot a potential issue. And with each piece of spending data these systems take in, they get smarter, making them more capable of noticing irregularities with each passing day.
Also important: AI will reduce human error and misjudgment. When something is amiss, the system will automatically identify the transaction for further investigation, making controls and audits more targeted. That’s important, because in a lot of cases, personal relationships can cloud our judgment of whether something needs to be reported. And in other cases, simple human error can lead to issues being overlooked.
Making SOX compliance more intelligent will have positive benefits beyond efficiency and lower costs; companies automating audits are giving their accounting teams welcome relief. This doesn’t need to be a story of technology eliminating jobs, but instead one of limiting human error in menial tasks while freeing up overworked personnel to focus on analyzing the outputs of AI compliance systems, as well as other high-value work.
Among many current executives, there’s undeniable hesitancy over trusting AI to take over the entire job of spotting compliance issues. But with increasing regulatory scrutiny over ESG and cybersecurity issues — and growing complexity of businesses’ financial operations — CEOs can’t reasonably expect manual reviews to find needles in haystacks.
To overcome their apprehension, leaders should do two things. First, they would be wise to conduct a thorough cleanse of their existing data, so that they can be confident that the information they’re feeding into their AI systems is relevant and useful.
Second, executives should commission pilot programs to determine where they’re hemorrhaging cash. Good areas to start would be inventory, procurement and purchasing, and travel and entertainment. This will help convince them of the considerable return on investment they’ll get from deploying AI.
Leaders need to keep an eye on emerging technology in the SOX compliance space. They don’t just risk looking like technological dinosaurs; they might miss issues that could have devastating consequences for their companies’ reputations and valuations.
And software developers, for their part, should pay close attention to what businesses and auditors need. Companies planning to make major investments in new IT systems are going to expect their tech to do more than simply monitor expense reports. The AI systems that succeed in the SOX compliance world will need to show they can catch the multimillion-dollar errors and frauds.