Automating SOX Controls Testing

Every year, KPMG surveys teams in charge of the Internal Controls over Financial Reporting (ICFR) and/or Sarbanes-Oxley (SOX) at 100 organizations from different industries and sizes, specifically to the teams in charge of the Internal Controls over Financial Reporting (ICFR) and/or Sarbanes-Oxley (SOX). The results were recently published in the KPMG 2018 Internal Controls Survey

With ERP systems, such as SAP and the Oracle E-Business Suite (EBS) at the core of your business, these systems also must be a focus of your SOX audit. Business-critical applications including your financials are supported by your ERP systems and issues can easily become findings with potential disclosure requirements. As a result, it is necessary to stay up-to-date regarding what different industries are doing to protect the integrity of financial statements while reducing the costs of implementing and testing the internal controls.

Some of the most important conclusions of the KPMG report that I want to highlight here are automating controls and minimizing the cost to test controls. I will also discuss how this relates to ERP systems.

  • 71% of surveyed organizations are looking to control automation
  • 60% of those surveyed state that minimizing the cost to test controls is a main priority 

Testing Controls

Controls can be manual or automatic. Most of the time, automatic controls are implemented by ERP systems and the remaining manual controls are usually related to subjective tasks that need a human’s criteria.

In either case, controls must be tested by auditors or (in this case) SOX teams as well. Testing ICFR is the most demanding task of the overall ICFR assessment. This is performed annually by independent external auditors. However, internal teams usually take a more proactive approach and assess ICFR at least quarterly.

According to the 2019 North American Pulse of Internal Audit Report, publicly traded companies allocate 30% of their audit plan only to ICFR. Additionally, Protiviti states in its Benchmarking SOX Costs, Hours and Controls report that testing key controls for operating effectiveness is that most time-consuming. The KPMG survey results coupled with These sources help back the KPMG survey claim that “testing ICFR remains the most time-consuming activity across most organizations.

The Focus on ERP

Your ERP systems are probably the most important asset to be assessed as most of the key controls are in these systems. Therefore, most of the testing of ICFR is performed manually in, for example, your SAP system. Depending on the type of control, auditors may be able to test it on their own, or they may need help from other teams such as IT and information security, who have access to specific data and have the SAP understanding to retrieve and analyze it properly. 

This is not only a set of burdening manual tasks but also a set of very repetitive tasks. Most key controls are tested quarterly for ICFR. And this doesn’t include other compliance regulations or internal initiatives that are based on the same or very similar controls. This pain-point becomes even greater when you have a complex organization with dozens of ERP systems under the scope of SOX. You can do the math…the hours add up!

The Need to Automate

If we dig deeper into this problem, ICFR can be separated by business process. KPMG also surveyed these organizations on the average number of controls by process (e.g. Fixed Assets, Order-to-Cash, Procure-to-Pay, HR & Payroll, Treasury, etc). The result of this question highlights the importance and criticality of the technology we use across the entire organization.

ITGCs* (IT General Controls) have the highest number of key ICFR controls across all organizations.

*ITGCs usually include Security (encryption, patch management), Access Controls (password policies, access to sensitive applications and data, etc), Segregation of Duties, Change Management, and Data recovery controls.

ERP systems are the main foundation of all core business processes. Thus, ITGCs become much more important, not only from a quantitative perspective, but also from a qualitative perspective. 

Currently, the testing of ITGC in ERP systems is a very tedious task. Auditors (and often system administrators as well) have to repeat specific steps, taking screenshots and pasting them into word documents as proof of valid steps. 

It seems counterproductive that we are still doing these manual steps in 2019. There is enough evidence in practice to understand that a set of screenshots pasted in a word document is not a reliable process. It is even more worrisome to think that this type of “evidence” is even accepted when probing a public company financial statements. The ultimate goal of SOX is to ensure that the reliability of each public company adds-up to the reliability of the entire U.S. financial markets.

Management should focus on automating the testing of ICFR controls, and even more for ITGCs. It is a win-win situation as it does not only reduce the costs of manual work, but it also allows auditors to execute more value-added activities and it increases the reliability on financial reporting of public companies.

How Does Onapsis Help

Onapsis provides a leading ERP security and compliance solution that is able to help management and auditors automate the process of testing and validating controls. The Onapsis Security Platform automates the assessment and analysis of data from your ERP systems. We help you reduce the amount of resources and time involved in the manual testing of ICFR controls — eliminating human errors and giving you more accurate results. 

There are so many benefits of automating your audit process for ERP systems. Join us on our upcoming End SOX Audit Fatigue with Automation webinar to learn more.