Sarbanes-Oxley 20 Years Later and The Case For Modernization

by Lindsay Rosenfeld and Patty Salkin

©Ellenmck/iStock/Getty Images Plus

Enacted in 2002, Sarbanes-Oxley (SOX) has been called one of the most consequential governance developments in history. But 20 years later, something else just as consequential has unfolded—business itself changed. It’s a different world today full of new business entities that shoulder novel business risks. All things digital has become a ubiquitous business imperative, along with the rise of artificial intelligence (AI), cloud computing, and now—for some--fully remote modes of working. Indeed, the world has seen massive changes over the past 20 years, yet too many financial departments have neglected to adjust and modernize their SOX controls in response.

Based on our experience, we estimate that half of all businesses currently need some degree of SOX modernization today. With repercussions affecting everything from business risk to talent, the liabilities in this new world are very real. But so, too, are the opportunities to refresh and rethink SOX while optimizing operations through deeper insights and entirely new efficiencies. As always, the goal is compliance, but the opportunity is to create compliance while unlocking significant new value from powerful new capabilities achievable today.      

Is your monitoring framework stale?  

Public companies implemented changes 20 years ago when SOX became law. Over time, compliance became a “rinse-and-repeat” exercise with aging monitoring frameworks dependent on manual controls that can be a drain on resources, while impeding performance, accuracy, and increasing the cost of compliance.  

SOX programs can also be stuck in a cycle of layering on additional controls over time to address changing business risk. These new additions may have been implemented without proper consideration for existing controls that should have been modified or even removed altogether, creating an environment of too many controls or a lack of focus on the areas that matter most. This has the potential to create a cascade of unanticipated deficiencies.  

Additionally, many organizations still perform their SOX program management without taking advantage of powerful automation that’s possible today. Embedded governance, as well as risk and compliance tools, can enable companies to gain real time insights into SOX and business risks, create efficiencies in SOX governance, while driving ownership and accountability throughout the organization.

Let’s be reasonable about this. 

SOX Section 404(a) is clear: “Management is responsible for maintaining a system of internal control over financial reporting (ICFR) that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”  

In other words, the standard is reasonable—not absolute—assurance over financial reporting. Management is responsible for establishing and maintaining an adequate internal control structure to that end.  

Performing an effective risk assessment to determine “reasonableness” can help management pinpoint the areas with risk of material misstatement while helping to determine and prioritize which areas demand focus. 

The problem is that risk can be a moving and overly complex target. Risks evolve over time, entirely new risks have a habit of cropping up, and even controls can be caught off-guard. Like the underlying risks themselves, controls should be prioritized, as the ones with the greatest impact should be remediated first, root cause and all.    

Not just compliance. Accountability.  

A modern SOX program shouldn’t lose sight of the fundamentals. If the focus is on controls alone instead of risk, existing controls may fail to mitigate any associated risk. Consequently, it’s essential that a monitoring program should have active measures in place capable of knowing when controls are not being effective, but also capable of knowing when any associated underlying risks need attention.   

SOX affects far more than finance and accounting. Using workflow technology, developing strong change management and communication protocols, and pushing down ownership of the SOX program to the relevant business stakeholders helps drive accountability and ownership. This results in risk mitigation and efficiencies in the long run by avoiding surprises.

When the focus remains on the fundamental risk, stakeholders can drive deeper change more effectively while confronting any unanticipated deficiencies. This optimizes not only SOX compliance, but also the business itself.  

Sustainability. Consistently. 

Twenty years later, it’s time for businesses to consider SOX through the lens of today’s newest capabilities. Public companies and their accounting firms may achieve compliance through a new worldview made possible by one of the greatest economic transformations in history.  

The opportunity exists today to drive a more collaborative approach between compliance activities across an entire enterprise. A modern SOX program can break down silos, create more cross-functional dialog, and leverage data to identify trends sooner while gaining deeper insights. Now add automation to the mix and you have powerful new efficiencies that can drive both compliance and may help with the cost to achieve it.  

The current SOX landscape is full of manual controls, so capabilities like automation or AI open opportunities to create a more sustainable SOX program that can automate the testing of controls, the controls themselves or even entire processes.  

Not all controls can or should be automated, but highly manual processes that occur frequently can be strong candidates for automation. This frees people to take on more complex tasks, while reducing human error, time, and cost through measurable streamlining.  

Lindsay Rosenfeld is an Audit & Assurance Managing Director for Deloitte & Touche LLP and co-leader of the Governance, Risk and Controls Market. 

Patty Salkin is a  Deloitte Risk & Financial Advisory  Managing Director for Deloitte & Touche LLP and is the SOX Modernization Leader for the Internal Audit practice.  

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. 

Please see for a detailed description of our legal structure.