A View from the Outside

For the auditor’s perspective on the role of technology in helping companies to comply with Sarbanes-Oxley regulations, CIO Insight talked with PricewaterhouseCoopers partner Jacqueline Olynyk and director Sonny Sonnenstein.

CIO Insight: Three to five years from now, when we look back, how big an impact will Sarbanes-Oxley have had on new technology and new technology purchases?

Olynyk: A significant one, although it’s not that apparent yet. Section 404, which calls for companies to produce an internal controls report, is currently driving sales of workflow software. But these programs are reasonably straightforward and have more to do with automating the controls in financial systems than with monitoring or interrogating the data itself in order to make sure it is accurate.

The big leaps in technology will come as companies begin to understand the challenges of complying with Section 302, which requires management and auditor certification that quarterly and annual financial data is correct. To achieve this, there will be greater interest in technology that supports what is called continuous auditing—constantly monitoring financial information to provide continuous assurance about its quality and integrity. This will involve technologies such as artificial intelligence, neural nets and Extensible Business Reporting Language, or XBRL (which allows uncomplicated data exchange among disparate systems), to constantly analyze and explore the data for patterns and behavior that are in line with past activities, or at odds with them.

Sonnenstein: In fact, we’re already seeing some of these technologies in data-analysis applications from business-information software vendors. Some are using Web services and business-rules engines to do more directed searches on financial data, and to apply logic and mathematical theories to look for specific situations and occurrences among the data. In the next three years, as companies comply with Sarbanes-Oxley and better understand their control environments, they’re going to begin to leverage technology and techniques that make compliance more dynamic than simply documenting the process.

What about data- and document-storage requirements mandated by Sarbanes-Oxley?

Sonnenstein: Storage issues are going to drive a lot of new technology. We’re seeing clients look closely at their information-retention processes and how they’re managing different types of communications within the organization. Everything is being examined, from voice communications to data to documents to e-mail. And companies are very interested in new applications that can monitor and store all of these types of communications and data output.

How do auditors keep up with all the new technology companies install, and then make sure these new technologies can certify compliance?

Olynyk: Section 404 can mostly be handled by the companies themselves, because it’s about specific process controls and how they’re tested. That’s just the framework, not the data. But as companies move beyond that to continuous auditing, the auditors need to have a deep understanding of how companies are monitoring their data. Auditors also need a way to link into corporate data independently, as well as a separate set of tools to certify the data. All of these are new technologies that will become commonplace before long.

Even now, because auditors see a lot of different clients, we’re able to advise our clients quite a bit about the technologies they should consider for Sarbanes-Oxley compliance. So in that way, auditors are leading the charge for new technologies as well. Most companies have not yet acknowledged that there might be an upside to Sarbanes-Oxley, but as they go down the path to compliance, even with resignation, they’re seeing benefits. As it turns out, the technology that can be used for compliance monitoring is a very cost-effective way to have good internal controls—better than what most companies had before.