How to unlock value from your SOX program beyond compliance

Driving value in your SOX program begins with understanding the challenges happening today and transforming for what happens tomorrow.

There’s no question that the business landscape has changed significantly since the initial passage of the Sarbanes-Oxley Act (SOX) in the United States in 2002, and the pace of change and disruption in today’s environment is even more accelerated. Rapid convergence of industries, new business models, increasing regulation and an evolving workforce are all underpinned by advances in technology. Groundbreaking discoveries such as artificial intelligence and robotics bring about increased efficiency while introducing new risks and heightening current ones.

The global SOX survey conducted by EY examined how businesses manage SOX, what challenges they face and how they use technology; the results are discussed further in our report Unlocking value beyond compliance in your SOX program (pdf). The survey results included over 300 respondents from a wide range of publicly traded companies of various sizes from around the world, of whom 80% have had to comply with SOX or similar legislation for more than five years.

Where we are today

By its very nature of being a legislative requirement, SOX is viewed as a compliance effort at its core. However, SOX can add value to a company if the objectives are focused in the right places: 42% of respondents have experienced an improved internal control environment, 28% believe they have better risk control, and 25% have streamlined control activities.

The EY survey uncovered three common themes and opportunities:

  • Importance of strong, connected governance and oversight
  • Responsive and risk-based operating model enabled by technology
  • Continuous program improvement

Where we hope to be tomorrow

If we do not transform our SOX program to keep pace with the business, it will remain a compliance exercise and fail to unlock the value the business deserves. Picture this scenario — we select a sample of 25 invoices for testing and find that one was not approved according to policy. We take that exception to the business owner and, while they agree it is an issue, they are not concerned. How can that be?


As we continue to discuss the single sample, they bring up a live dashboard used to monitor exceptions on a real-time basis. Of the 100,000 invoices processed by their function to date, they can pinpoint the sample we happened to select — along with four other examples of late approval. They also can provide evidence of follow-up on these samples to obtain the appropriate approval and provide coaching to the control owner. In this case, we must ask ourselves a couple of questions: how can it be that we are still testing a sample of 25 invoices when the business is monitoring 100% of its transactions? Are we even testing the right controls? If the business is that far ahead of us, how can we add value?


This is a simple example to highlight a complex issue. Transforming your SOX program is not a one-time, big-bang exercise, but an ongoing opportunity to do better and be better. The road map will not be the same for every program, but it is important to have a formal plan with targeted goals and action plans.


What can you do today to catch up to tomorrow?

  • Evolve your operating model: keep pace with the changes in your organization through a flexible and dynamic approach to managing and evaluating internal controls
  • Explore new ways to innovate through technology: consider enhancing automated capabilities across all aspects of SOX, such as digital risk assessments, automated scoping tools and analytic testing procedures
  • Upskill your workforce: look for new opportunities to cross-train on business processes and IT general controls; refresh control owner training and feedback processes
  • Build trust with the business: ask for feedback on the SOX program; consider using an impartial third party (internal or external) to gather feedback; develop a plan and take action
  • Challenge the nature, timing and extent of testing: ask whether you are doing too much in any area or not enough in another; determine whether control classifications are accurate and aligned to the appropriate risks (manual vs. automated)
  • Consider a facilitated visioning session: focus on governance structure, operating model, talent pool, use of technology and strategy


SOX programs will need to continue to innovate and transform to drive value, and keep pace with the business. While SOX may be, by definition, a compliance exercise, the benefits of an effective program can be wide-reaching.
