
Controllers Say AI and Blockchain on the Cusp of Transforming SOX Compliance


When asked whether artificial intelligence and blockchain will play a role in accounting and finance teams’ Sarbanes-Oxley compliance efforts in the near future, Brian Christensen said, without hesitation, “Absolutely.”

“The question is, how far down the road is that?” said Christensen, executive vice president of global internal audit and financial advisory at consulting firm Protiviti. “We’ve seen tremendous advancements as companies go through digital transformation, and accounting functions, audit functions, and review functions will also go through that transformation. We’re starting to embark upon an era that’s very exciting.”




That transformation will involve accounting and finance teams becoming more strategic and forward-looking instead of compliance-driven and backward-looking. An EY report puts it like this:

Today’s finance functions want technological tools that “connect” (e.g., software that allows them to scour swathes of data to identify trends and challenges), that “automate” (e.g., robotics that process expenses) and that are “smart” (e.g., advanced predictive analytics that model the future direction of the business). These tools allow finance functions to perform existing tasks in a more efficient and less time-consuming way than before and to undertake new tasks that they could never perform in the past.

AI and blockchain are two such tools, with AI as the “yin” and blockchain as the “yang,” according to a PwC report.

AI would be the creative one on the team, the abstract thinker and observer who studies the fuzzy complexities of the business environment, the unruly customer data, the tidal wave of social media, the complexity that needs to be abstracted, and the imagery and voice input that needs quick assessment. It provides the educated guesswork to make sense of a complicated business environment and suggest a path forward.

A blockchain by contrast would play the role of the truth teller, guarantor and mediator, the one bringing two parties together to forge and document an agreement immutably.

AI and blockchain’s potential in SOX compliance

Many corporate controllers say that as technologies like AI and blockchain continue to develop, organizations will look to consume their value, especially as it relates to SOX compliance.

“Research studies have already been conducted using AI models within SOX compliance processes,” said Debbie Smith, PMP, corporate controller of Phoenix-based BeyondTrust. “I believe big data helped pave the road for AI, resulting in large, meaningful data sets that can feed the AI algorithms. Additionally, blockchain has a complex and challenging implementation; however, it garners incredible value for SOX compliance: decentralization, inalterability of data, transparency, and in real time.”

Creating computer applications that are as smart and agile as humans is not a new concept, said Steve Rinaldi, CPA, U.S. corporate controller at InterSystems in Cambridge, Mass., but “the current increase in viability with pre-programmed knowledge and rule-based decision-making would make an immediate impact on assisting with SOX compliance.”

“Cost and resource reduction, error identification and resolution, and manageable routines can all be service-accelerated,” he added. “Blockchain technology’s ability to guarantee the accuracy of data makes it useful for a number of AI applications—both for feeding data into AI systems and for recording results from them. Aligning blockchain and AI technology is still emerging, but convergence is inevitable.”

Last week we reported on how SOX compliance has changed through the years, and Christensen singled out robotic process automation (RPA)—the automation of rule-based processes and routine tasks using software applications known as “bots”—as presenting tremendous opportunities for accounting and finance teams in the next generation of SOX compliance.

David Lloyd, CPA, vice president, corporate financial controller, and treasurer of Delaware, Ohio-based Greif Inc., believes that as RPA gets used more in shared-services environments, it’ll become the next big challenge in SOX compliance.

“If we can get everything right around those types of tools, they have the potential to save quite a bit of time on an overall basis, as testing any kind of automated control or process is generally going to be easier and less susceptible to error than a manual business process control,” he said. “However, it also increases the risk that if something goes wrong in the general IT environment, the effects could be much more far-reaching.”

What about security?

One such risk is a data security breach. In a recent report, PwC predicts that as AI advances, companies will face an increased risk of cyberattacks. Techniques like advanced machine learning, deep learning, and neural networks, which enable computers to find and interpret patterns, also can find and exploit vulnerabilities. For example, bad actors could inject biased data into algorithms’ training sets, according to the report.

Just as we expect AI to be a growing cyberthreat this year, we’re also confident it will be part of the solution. Already, scalable machine learning techniques combined with cloud technology are analyzing enormous amounts of data and powering real-time threat detection and analysis. AI capabilities can also quickly identify “hot spots” where cyberattacks are surging and provide cybersecurity intelligence reports.

Companies also are combining structured and unstructured data, such as social media and web monitoring, email messages, word processing documents, videos, photos, and audio files, to identify “rogue activities, patterns, and trends, and mitigate risks, such as fraud or cyber breaches,” wrote Craig Sullivan, group vice president of product management at NetSuite, in an article for CFO Magazine.

It’s much more difficult—nearly impossible, some experts say—to alter data or transactions secured in blockchain technology, as the digital ledger is distributed throughout a network of computers based in various locations within an organization. If there are any changes to the ledger, they immediately change in everyone else’s books and records in real time. The information in the ledger is cryptographically sealed, making it extremely hard to compromise without everyone else in the chain knowing.

Haskell Garfinkel, co-leader of PwC’s FinTech practice, explains in a little more detail how secure blockchain really is in this video on the firm’s YouTube page (starting around 2:12).

A slow migration to automation

But will companies that are continuing to use desktop tools, spreadsheets, and other manual processes for SOX compliance migrate to these emerging technologies? If recent data is any indicator, the answer is “no.”

According to the 2017 SOX and Internal Controls Market Survey from Moss Adams and Workiva, 69% of companies still rely on desktop tools that manage compliance requirements, such as templates, policy toolkits, checklists, and controls tracking.

And a 2016 article on AuditBoard.com stated that more than 98% of companies still manage their SOX compliance programs on Excel spreadsheets.

But more companies are starting to hop aboard the automation train. According to the Moss Adams/Workiva survey, 52% of companies indicated they use governance, risk, and compliance tools or cloud-specific software for SOX compliance.

And Protiviti’s 2017 SOX Compliance Survey revealed that 51% of large accelerated filers had either significant or moderate plans to automate IT processes and controls in fiscal year 2017. Only 11% said they had no plans to automate any processes and controls.

“There’s been increasing focus in recent years on key reports, IT general controls, and in verifying the accuracy of data used in the operation of regular business process controls,” Lloyd said.

Close management software’s role in SOX

With AI, blockchain, and RPA on the horizon, close management software can help corporate controllers address their SOX compliance needs today. But some controllers might be unaware of how close management software can positively impact SOX compliance.

“I think it’s because of a lack of education,” said Shivang Patel, director of sales engineering and operations at FloQast. “When I’m chatting with people, I tell them that FloQast alone isn’t going to get you SOX compliant. It’s only a tool that’s part of the process, and it’s really the culmination of your people, your processes, and your systems. But it’s another benefit or value-add to enhance your internal control environment and thus become SOX compliant. And once you do provide the education, people are pretty open to seeing what sort of key controls you offer and how that would work.”

Specifically, close management software can help controllers with their SOX compliance efforts by ensuring an accurate and timely review of all reconciliations, Patel said.

“All reconciliations would be prepared and reviewed and signed off, with evidence of that qualitative review, as well,” he said.

Because SOX regulations require companies to maintain activity logs related to the month-end close—not only to show who has authority to perform certain tasks, but also to identify any malicious behavior—FloQast provides auditors with an export log that tracks key user activities, such as user access role changes, user removals, new user creation, and changes to general ledger account attributes, such as the variance threshold.

“Auditors often cite overruns or additional charges to their clients due to a lack of receiving timely PBCs [prepared by clients],” Patel said. “With respect to our offering, we provide auditor licenses. So, for the corporate controller, it’s not just making sure your review is clean, orderly, there’s less paper, everything is soft-copied, and a little more streamlined—that’s just the operational benefit. If you fast-forward five or six months, now you can give your auditors access when they come on for fieldwork. With the combination of enhancing the internal control environment as it relates to reconciliations and SOX controls, coupled with providing auditors access to supporting schedules, our hope is to prevent discussions around increased audit fees.”

Don’t be left in the dust

Cheryl Kerr, CPA, controller at Denver-based Pursuit Collection, graduated college during the time of basic programming and paper-based audit support, and she’s amazed at how far technology has come since she started her accounting career 30 years ago.

“I literally started auditing using enormous green notebooks with green bar paper. As a staff accountant, you had to splice your work papers to add additional columns, and if you could line it up perfectly, it was impressive,” she said. “The progress in automation of manual accounting processes is pretty phenomenal. Today, the accounting profession is much more about process improvement, automation, controls, and risk mitigation. I think if we’re not looking to technology to improve our processes and to make our lives easier, then we’ll be left in the dust.”

Learn how close management software can help controllers and chief accounting officers achieve SOX compliance in this webinar from FloQast. You can read more about Going Concern’s partnership with FloQast here.
