Protiviti’s surveys and reports are always worth reading. One I look forward to is their annual survey on SOX compliance.
Those of you who are responsible for the SOX program or SOX testing at their organization are likely to find the benchmarking info in the 2019 survey, Benchmarking SOX Costs, Hours and Controls of interest.
However, I want to share (again) a note of caution.
Protiviti and others are talking about the use of analytics and other tools, such as RPA, for SOX testing.
But, the purpose of the SOX testing is to:
- Confirm that the design of the controls relied upon to prevent or detect a material error or omission in the financial statements filed with the SEC are sufficient, if they are operated as designed, to address such a possibility. The likelihood of a material error or omission is less than reasonably possible.
- Confirm, with a reasonable level of assurance, that those controls are being performed consistently as designed.
The end product is an assessment as to whether the system of internal control over financial reporting is effective; that means that the controls are sufficient to provide reasonable assurance that a material error or omission would be prevented or detected.
What do these newer technology tools do for us?
For the most part, they provide some level of assurance that the…