There is good guidance on how technology can help an organization address SOX compliance needs, but there is also poor guidance.
Protiviti has shared both over the years. Their latest, "Using Technology to Comply With Sarbanes-Oxley: Examining the Latest Trends", falls more in the latter category.
The most important error made by the author is to ignore the difference between (a) designing and operating a system of internal control over financial reporting (ICFR) and (b) evaluating and testing it.
Technology can be of great value when it comes to implementing controls that are both efficient and effective in addressing ICFR risks.
In my SOX training programs, I share a story about how I eliminated hundreds of detailed HR and payroll key controls, replacing them with three detective controls that used analytics to support a flux review of payroll expenses.
This is where technology can be best deployed for advantage, through analytics and related tools (like RPA and ML) used in detective controls.
When it comes to SOX, reliance can just as well be placed on detective as on preventive controls. (Other business risks may be better served with preventive controls or a combination of preventive and detective.)
But caution must be used in using that same technology (analytics, RPA,…