The rationale for shifting additional SOX activities to the first and second lines
SOX compliance time loops plague many internal audit teams because internal audit has historically owned SOX work, which has created a sense of comfort and stability for management. The clear guidelines and measurable outcomes of SOX work often overshadow the more ambiguous and evolving nature of strategic and operational projects. To break out of this cycle, organizations should rebalance internal audit’s focus toward strategic and operational audits, risk management, stakeholder engagement to align priorities, and the use of technology to streamline audit, risk, and compliance efforts.
As organizations evolve and regulations become more complex, some SOX activities can be shifted to a department or process owner (first line) or a risk or compliance function (part of the second line) if a dedicated SOX program management function doesn’t already exist. This can increase efficiency, improve performance, enhance risk management, and lead to more robust and proactive management of SOX controls, much like a head chef delegating some of their tasks to their sous-chef and kitchen staff. This transition allows internal audit to focus on its fundamental role of providing independent assurance, as discussed in the updated Global Internal Audit Standards.
Enhancing efficiency through role realignment and technology
Shifting some SOX activities to the first or second line allows internal audit to focus on high-risk and strategic audits. The first and second lines can use technology, such as automated tools and data analytics, to streamline SOX control monitoring and maintenance. This technology enables more efficient and accurate tracking of controls and compliance activities. As a result, internal audit can concentrate on evaluating control effectiveness and providing independent assessments, rather than updating SOX narratives. This approach optimizes the SOX process, improves the control environment, and better utilizes resources across all three lines.
Leveraging specialized expertise for improved performance
Drawing on the expertise of the first and second lines, and having them take more ownership of some SOX activities, can enhance overall SOX control management. It allows organizations to be more careful and smarter about managing risks and putting controls in place, keeping a closer eye on things and fixing problems before they get out of hand. This can increase SOX compliance reliability, reduce control failures, and improve overall operational efficiency. According to Deloitte's A Practical Approach to SOX Readiness, "the responsibility for effective internal controls reaches beyond just finance and accounting and into other areas of an organization, and training is an important component of communicating roles and responsibilities over SOX throughout the organization."
Strategic resource allocation for greater impact
Transitioning some SOX compliance activities to other lines also frees up internal audit to focus on other high-risk areas like ESG or the impacts of AI on cybersecurity. As the first and second lines take on some of the more routine SOX activities, internal audit can concentrate on risk assessments, fraud detection, and serving as an independent strategic advisor. Many organizations’ SOX programs may be outdated and need to be refreshed, rethought, and modernized, according to Deloitte’s SOX Modernization: Optimizing Compliance While Extracting Value. This includes defining stakeholder responsibilities in order to ensure accountability. A monitoring program should track the effective operation of controls, risk identification, and mitigation. Control owners should be accountable for both the controls and the risks they minimize. All of these could minimize compliance costs and ensure regulatory compliance.
Transitioning SOX responsibilities to the first and second lines
While the benefits of transitioning SOX activities to the first and second lines are clear, the process itself can be complex and fraught with challenges. Organizations must carefully navigate these challenges to ensure a smooth and successful transition. The following are just a few SOX activities, frequently carried out by internal audit, that may be easily transferable to the first and second lines:
- Compliance documentation:
  - Responsibility shift. Maintaining and updating compliance documentation, such as control descriptions, process narratives, and evidence of control operations.
  - Internal audit’s role. Examine the completeness and accuracy of documentation, ensuring it aligns with SOX requirements and provides a reliable audit trail.
- Control testing and monitoring:
  - Responsibility shift. Conduct ongoing monitoring and self-assessment testing of controls to ensure they are operating effectively and address any issues promptly.
  - Internal audit’s role. Focus on validating and verifying self-assessment test results to ensure independence and objectivity in the evaluation.
- Issue identification and remediation:
  - Responsibility shift. Identify and address control deficiencies and compliance issues as they arise.
  - Internal audit’s role. Assess remediation efforts and the effectiveness of corrective actions taken.
The benefits of first- and second-line involvement in SOX compliance
The involvement of the first and second lines in SOX compliance can yield significant benefits for organizations. These include:
- Improved performance and efficiency. Leveraging the first and second lines’ expertise improves control management, reduces deficiencies, and frees internal audit to focus on strategic, value-added audits.
- Enhanced risk management. Proactive risk management by the first and second lines can identify and mitigate risks before they become serious issues, making the organization more robust and risk-aware.
- Strengthened internal controls. With the first and second lines’ continual monitoring and oversight, organizations may strengthen internal controls, financial reporting accuracy, and stakeholder confidence.
Challenges and risks associated with transitioning SOX responsibilities to the first and second lines
- Cultural resistance. Overcoming resistance to change is a major challenge as traditional roles in internal audit and the first and second lines face uncertainty and pushback.
- Skill gaps and training. The first and second lines may lack the expertise for SOX compliance, requiring targeted training and development.
- Coordination and independence. Effective communication between all lines is crucial to avoid compliance gaps, while maintaining internal audit's independence to prevent role confusion.
Recommended strategies for a smooth transition of SOX responsibilities to the first and second lines
- Stakeholder engagement and communication. Involve all relevant stakeholders early, including internal audit, first and second line functions, senior management, and the board. Clearly communicate the rationale and benefits to build support and mitigate resistance.
- Training and technology integration. Invest in training programs and utilize advanced technology to enhance SOX compliance. Implement tech-driven solutions for skill development, compliance tracking, and reporting efficiency.
- Defined roles and collaborative oversight. Clearly document SOX roles and responsibilities with established reporting lines and accountability. Foster collaboration through regular meetings, joint risk assessments, and shared reporting, while leveraging technology for real-time oversight and updates.