Using technology to enable UK SOX compliance

by Chris Wight Partner, PwC United Kingdom

Email +44 (0)7921 107090

In our last blog, we shared five priority areas and some key lessons to kick-start your preparations for the potential introduction of UK SOX. Technology was a key part of this, which is no surprise given its prominent role in business and compliance processes.

Most organisations we speak to are aware of the benefits of ‘tech-enabling’ their programme. Whether it’s reducing the effort in tracking control effectiveness and remediation activities, allowing real-time collaboration, or giving access to a shared control repository making control and remediation assignment clearer. You don’t necessarily need leading edge technology to implement or run a successful internal controls framework, but thinking about how you want to use technology early can set you up for success.

We see a wide range of approaches to technology with organisations using it in different ways. Some have tools and systems embedded, for example, enterprise-wide ERP (enterprise resource planning) deployments or GRC (Governance, Risk and Compliance) tools for Enterprise Risk Management and controls documentation. Other organisations find themselves with different point solutions, a wide use of spreadsheets and varying levels of technology adoption across the organisation.

Get the right technology for your SOX needs

There are five key things to think about in ensuring you have the right technology in place to support your UK SOX journey:

1. Consider the IT landscape supporting your finance processes

The scope of IT applications is often neglected when considering an internal controls framework. IT systems scoping should be done in two key phases: firstly, alongside financial scoping to bring in key applications that support relevant business processes, and secondly, to narrow down the scope of applications to those for which there is actual reliance as part of the finance process.

A central, coordinated approach towards IT governance will ensure consistency of control over what may be disparate systems. It should also result in better quality data and controls that will improve the organisation’s resilience and cyber security.

What can I do now? Gather an inventory of applications used in financial processes, and understand the IT controls you currently have in place (whether in business processes or over applications), and any gaps you may have.

2. Know your third parties - who has responsibility for controls?

IT controls often rely on third parties, whether Software as a Service (SaaS) or outsourced infrastructure such as cloud servers. There are direct and indirect risks to financial reporting from the use of third parties, from the potential of a third-party data feed failing overnight to privileged access to key financial data.

Consider who is responsible for operating the controls over the systems - you or the third party? If it is the third party, how do you get confidence in the controls they operate? For example, do they have a Service Organisation Controls (SOC) report that you can review?

What can I do now? As you gather your inventory of applications, include third-party supported applications and identify those where SOC reports exist already.

3. Use the opportunity to increase reliance on IT systems in business processes

When documenting business processes and key controls, look for an efficient blend of automated and manual controls. Increasing reliance on automation will free up employees’ time for more productive activity, and lead to a more efficient testing regime and potentially reduced compliance costs.

What can I do now? As you build your vision for your internal controls framework, set yourself a target for controls automation.

4. Consider the use of new technologies

New technologies can be used to enhance controls, but can lead to gaps in control or control evidence, if poorly implemented. Hot topics include Robotic Process Automation for finance process, the use of Agile and DevOps processes in IT, and more general migration of services to the cloud. Ensuring that these are robust enough to withstand testing under an internal controls framework such as UK SOX is not always straightforward. This shouldn’t stop adoption, but careful consideration of the risks to financial reporting and the appropriate controls is key.

What can I do now? Gather information about the use of these technologies in finance processes, and identify who is responsible for their operation, and consider if and how you might want to use these technologies in developing your controls framework.

5. Think early about GRC technology, but don’t let it control the programme

The benefits of using a central GRC tool as a repository for risks, controls and testing documentation are clear: a single source of truth; automated progress monitoring and dashboards with key metrics on controls and deficiencies. Sophisticated GRC tools can do even more.

If you have ambitions of using or setting up GRC technology to support UK SOX controls, now is a good time to start thinking about it.

What can I do now? As you map out your route to a UK controls attestation, consider your requirements for a GRC tool, and how it would support your organisation.

Technology can be a powerful enabler, with robust, automated, intelligent processes contributing to a strong and efficient internal control framework. However, every business needs to consider the right level of technology to fit their organisation’s needs.

Future posts will begin to unpack some of these areas in more detail, but for now, if you have questions about navigating any of these issues or developing a technology roadmap, please get in touch.

by Chris Wight Partner, PwC United Kingdom

Email +44 (0)7921 107090