Our approach to SOX compliance: PwC perspectives powered by Workiva technology

March 2022

Court Maton
Partner, US Workiva SOX Leader, PwC US
Mike Giles
Director, Risk & Regulatory, PwC US

You don’t have to ask business leaders if they’d prefer to redeploy staff from Sarbanes-Oxley compliance to achieving strategic business goals. (We know the answer would be a resounding, “Yes!”) 

Especially in a dynamic business environment fraught with disruption, inflation, and resource shortages, stronger controls and better visibility into specific risks, issues, and outliers can help companies more readily spot both problems and business opportunities. This is where freeing up your staff from manual processes can reallocate their brain cycles to improve your company’s competitiveness.

Yet until now, companies have been careful about streamlining SOX compliance, as it needs to be done correctly to manage risks effectively and efficiently.

For years, finance and SOX functions have been trudging the SOX compliance path knowing that the job simply had to be done, and done right. Some internal audit teams can find themselves consumed with SOX efforts, draining time and energy that could be spent on addressing emerging or strategic risks. Instead of gaining efficiency, many find their costs and hours for SOX compliance have expanded greatly over the years.

From where we sit at PwC, it appears a confluence of technologies has emerged that, if tied together with expertise and precision, can offer true relief. We see a tipping point, where decades of experience with SOX compliance and the emergence of cloud technology can help. 

At a time when remote and hybrid workplaces are settling in as the new way of doing business, the move to the cloud and automated capabilities can help save the day by providing enhanced insight and visibility into the overall SOX program, even productively bringing precise improvement to business models, despite the dispersion of staff. For instance, SOX requires both internal and external audits. Bringing all parties into a single collaborative environment, rather than manually sharing files, is an immediate win through time savings and enhanced consistency. Similarly, data that can flow through with automation rather than manual inputs saves considerable time, removes the potential for costly errors, and fuels discovery of SOX automation opportunities.

With that in mind, PwC has been constructing a full SOX compliance ecosystem, where PwC’s SOX methodology can be applied in part, or holistically, for SOX compliance transformation. The latest enhancement is the integration and development of a PwC-configured version of the Workiva platform’s controls solution.

Data-forward future, designed around you

PwC’s configured version of the Workiva platform creates a clear path to help smooth the SOX journey, while also putting in place the transparency, guardrails and reporting that allow company builders to know the job is being done right at every step.

The delivery ecosystem is flexible and can be customized to include a perspective on how to optimize Workiva for workflow management. It has also been designed to interface with PwC’s proprietary controls-testing solutions that offer automated controls testing or insights to further identify control automation opportunities. All of this is delivered with an emphasis on quality and efficiency.

The capabilities of the Workiva platform elevate and automate the job. Workiva is a connected reporting platform that enables ingestion of existing financial information and risk-assessment inputs from enterprise resource planning (ERP) systems, for instance. The connected platform enables integrated reporting across SOX compliance efforts, audit activities and enterprise risk management. 

This type of collaborative, cloud-based platform can then be enabled with linking capabilities, which helps reduce time spent manually updating risk and control changes in narratives, walkthroughs, flowcharts, testing templates, and dashboards.

Workflows can be developed to route requests, testing, and certifications to designated users. Control deficiencies can be evaluated and aggregated. Features can capture changes in controls, and reporting for executive teams and audit committees can be automated.

PwC’s technology and experience, including risk assessment and scoping, control documentation and design, and control testing of operating effectiveness, are all folded in, which further enhances the value derived from Wdesk. The future is now: PwC and Workiva are already building connections to enable digital testing of manual controls in PwC’s Test Factory, and we are planning further enhancements to allow integration with PwC’s Enterprise Control platform for testing and monitoring of automated controls.

These capabilities mean SOX compliance can be both simplified and trusted, and after 20 years, some relief and efficiency can finally be realized.

Say hello to tomorrow’s workflow

Please don’t just take our word for it. Read below to see how our engagement teams feel after recently helping clients implement Workiva.

The ability for the collective team, including the external auditors, to operate in the same ecosystem is a game changer. The SOX scoping process was a quick and seamless process to confirm scope for the year, and update as necessary.

Workiva intakes a client’s existing trial balance files and forecast information, then the team breaks it down by financial statement line item for a risk assessment that helps determine in-scope accounts and locations. 

With the PBC request and submission functionality, population and sample requests are assigned to individual control test sheets so we know what request goes where. When the request is accepted, it’s visible and available for us and the external audit team, as desired.

Another benefit is the linkage between the Risk & Control Matrix (RCM) and the individual test forms. That connectedness allows for updates to the RCM that automatically flow to individual test forms. This simple feature saves a lot of time for a preparer who historically would have made those updates manually, or a reviewer checking that those updates were manually incorporated accurately in offline spreadsheets.

Effort is reduced and time is spent on value-added tasks given teams can preassign testers and reviewers. Sample selections are tickmarked in the document viewer by the team member performing testing. As testing is completed, workflows automatically push files down the review queue. There are comments live on the test sheet and individuals receive email notifications for workflow movement and comments. 

Executive reporting happens at the click of a button. The reporting keeps key stakeholders informed of progress, communicates deficiencies and enables more timely remediation efforts.
