Engine Works

Under the hood of Alteryx: tips, tricks and how-tos.
pmaier1971
Alteryx

Alteryx is a powerful tool to automate SOX testing. With the right governance framework, leveraging Alteryx empowers business process owners to design and implement automated controls in their areas, reducing risk while saving costs and time. By providing a well-governed platform, Alteryx also enables an important process change: It allows shifting responsibilities for designing, implementing, and testing SOX controls from centralized compliance teams to where the business expertise lies. This makes the overall process better controlled, less risky, and more efficient.

 

This post outlines how. We first cover the basics of SOX controls, then outline a playbook on how Alteryx can help automate and transform the process.

 

Introduction: What is SOX Compliance?

 

The Sarbanes-Oxley (SOX) Act of 2002 requires all public companies to establish rules to prevent and detect errors in a company's financial reporting process. Specifically, Section 404 of the SOX Act stipulates all annual financial reports include an Internal Control Report. As per this report, management is responsible for building and maintaining an “adequate” internal control structure and assessing the effectiveness of internal controls over financial reporting (ICFR). In addition, registered external auditors need to attest to the accuracy of the assertion that internal accounting controls are in place, operational and effective.

 

Typically, SOX audits focus on firms’ capabilities along four key control dimensions:

  • Access Controls, including both physical (e.g. locks) and verifiable electronic access controls (e.g. login policies, provisioning/de-provisioning, testing that users’ access rights are limited to what they need to do their jobs, and routine audits of permissions).
  • Change Management, including defined processes for making any changes to databases or applications that manage financial data, defined processes for adding users or installing software etc.
  • Data backup, i.e. the mandate to maintain off-site, encrypted backups of all financial records to prevent tampering and data loss.
  • Security, e.g. implement systems to detect signs of a security breach, generate meaningful alerts, and automatically update an incident management system.

 

Taking The Pain Out Of SOX Testing With Alteryx

 

When looking at internal control frameworks, auditors need to be comfortable with both the design and effectiveness of SOX controls.

 

SOX1.png

 

Testing the effectiveness of controls can be time-consuming, with teams logging evidence in spreadsheets or Word documents, which are sent to compliance teams. Compliance teams then manually track responses and catalog evidence of control performance and appropriate approvals. Lastly, external auditors independently test controls, review evidence, and form an overall opinion on the efficacy of the controls.

 

Leveraging Alteryx for SOX processes presents several opportunities to streamline the documentation, evidence collection, and control testing processes. Automating the performance of SOX controls, as well as compliance teams' testing of these controls, saves SOX teams time and money. 

 

What’s in it for me? Transformation and Empowering Business Users

 

Through automation, Alteryx can reduce cost and risk, empower business users, and improve the overall effectiveness of the process. In the first phase, we recommend automating existing controls and processes. But, in a second phase, additional benefits can be reaped from transforming the process by re-assigning responsibilities to business users. Along the way, we recommend proactively connecting with independent Audit teams, walking them through the plans, and getting their buy-in to avoid any redundant work.

 

This is how to do it.

 

SOX2.png

 

The first step is to examine the process and identify rules and key controls to ensure SOX compliance. Processes need to be consistent and controlled, with users following established procedures. Upfront work includes defining system security roles, certifying and securing data sources, and ensuring proper segregation of duties. Once completed, the framework is summarized in a controls matrix, which lists each control and its description, nature (manual vs. automatic, preventative vs. detective or corrective, etc.), frequency, risk, performer, and owner.

 

The second step is to automate evidencing controls, ensuring that data cannot be manually manipulated. As users follow established processes, controls can be embedded into these processes and workflows to generate log entries and audit trails. As an example, if a process step involves an Alteryx workflow to manipulate data, embedded controls could evidence when the workflow was run, that it completed without errors, that data quality checks within the workflow were satisfied, etc. This evidence can automatically be collected and stored in a database, allowing real-time monitoring in compliance dashboards. These automated controls remove the need for manual Excel spreadsheets to track evidence, reducing cost and ensuring data integrity.

 

Example: ACME Corporation’s accounting system for client invoicing data is not fully integrated into the General Ledger. In this case, it is important that users cannot manipulate the financial information when merging data from different systems. Scheduled Alteryx workflows on the server can transmit and join data between two certified databases without user intervention, and the workflow can verify that the data matches (e.g. by checking that all accounts are mapped and that the number of records matches across input and output files). A failed test displays an error in the results window; a successfully completed test can store the output to a log file (along with metadata on the workflow, such as the time and date when it was run) as evidence.
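To make the embedded-control idea from the previous two paragraphs concrete, here is an added example (not code from the original post or from Alteryx) of the ACME reconciliation control written as a Python script that a scheduled job could run: it joins constructed invoicing rows to a constructed account map, checks that every account is mapped and that record counts (and, as an extra check beyond the post's example, amount totals) agree between input and output, and appends a JSON evidence line carrying run metadata and a hash of the output. The dataset, account map, workflow name and log path are all assumptions made for the example.

```python
"""
Added example: a SOX-style reconciliation control with automated evidencing.
Constructed sample data stands in for the invoicing system and the GL extract.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: invoicing-system rows keyed by source account code.
INVOICE_ROWS = [
    {"invoice_id": "INV-1001", "account": "4000", "amount": 1250.00},
    {"invoice_id": "INV-1002", "account": "4000", "amount": 310.50},
    {"invoice_id": "INV-1003", "account": "4010", "amount": 99.99},
]

# Constructed account mapping: source account -> General Ledger account.
ACCOUNT_MAP = {"4000": "GL-REV-PRODUCT", "4010": "GL-REV-SERVICE"}


def run_control(invoice_rows, account_map, workflow_name="ACME_invoice_to_GL"):
    """Apply the control checks and return (passed, evidence_record)."""
    started = datetime.now(timezone.utc)
    findings = []

    # Check 1: every source account must map to a GL account.
    unmapped = sorted({r["account"] for r in invoice_rows
                       if r["account"] not in account_map})
    if unmapped:
        findings.append(f"unmapped accounts: {unmapped}")

    # The join itself: this is the "transform" step of the workflow.
    output_rows = [
        {**r, "gl_account": account_map[r["account"]]}
        for r in invoice_rows if r["account"] in account_map
    ]

    # Check 2: record count must be preserved between input and output.
    if len(output_rows) != len(invoice_rows):
        findings.append(
            f"record count mismatch: in={len(invoice_rows)} out={len(output_rows)}")

    # Check 3: amount totals must reconcile (goes beyond the post's example).
    in_total = round(sum(r["amount"] for r in invoice_rows), 2)
    out_total = round(sum(r["amount"] for r in output_rows), 2)
    if in_total != out_total:
        findings.append(f"amount total mismatch: in={in_total} out={out_total}")

    passed = not findings
    # Hash of the output so a reviewer can detect later edits to the stored data.
    output_digest = hashlib.sha256(
        json.dumps(output_rows, sort_keys=True).encode("utf-8")).hexdigest()

    evidence = {
        "workflow": workflow_name,            # assumed workflow name
        "run_started_utc": started.isoformat(),
        "run_finished_utc": datetime.now(timezone.utc).isoformat(),
        "status": "PASS" if passed else "FAIL",
        "input_records": len(invoice_rows),
        "output_records": len(output_rows),
        "findings": findings,
        "output_sha256": output_digest,
    }
    return passed, evidence


def append_evidence(evidence, log_path):
    """Append one JSON line to the evidence log. Append-only is a convention
    here; in practice enforce it with permissions or a write-once store."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(evidence, sort_keys=True) + "\n")


if __name__ == "__main__":
    ok, ev = run_control(INVOICE_ROWS, ACCOUNT_MAP)
    append_evidence(ev, "sox_control_evidence.jsonl")  # assumed log path
    if not ok:
        # A failed check is surfaced as an error and leaves a FAIL record behind.
        raise SystemExit("control FAILED: " + "; ".join(ev["findings"]))
    print("control passed; evidence logged")
```

The evidence record holds exactly the items the post lists as evidence (when the workflow ran, that it completed, and that its data-quality checks passed), so a compliance dashboard can read the JSON-lines file directly instead of a hand-maintained spreadsheet; recording the FAIL case as well gives auditors a complete run history rather than only the successes.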

 

Once workflows are built, reviewed, and approved (usually in a development environment), deploying them to a production environment in a controlled and secure way is key. Alteryx’s secure platform makes this possible: Through API calls, Alteryx offers ways to automate and govern the deployment process. Separate login credentials for gallery admins and server admins, access controls, change management logs and pass/fail statistics prove that workflows are not tampered with and perform as expected. We recommend running these workflows in a secure “production environment” with a dedicated version and access controls. We also recommend a review, sign-off, and automated promotion process for workflows between environments (see our “best practices” guide for governance).

 

The third step is to document the workflow and the steps to secure it. The documentation should answer Audit’s questions of where the data comes from, how it was transformed, how the completeness and accuracy of the data can be ensured, and how the integrity of the workflow is preserved. Several possibilities exist for writing documentation efficiently, including leveraging the free Auto-Documenter Tool, the Workflow Summary tool, or the Workflow Admin Manager (WAM) from our partner Capitalize.

 

Once these steps are completed and the control has been deployed securely, the control only needs to be tested once (unless modifications to the workflow are made), reducing audit hours and unlocking cost savings. If modifications are made, the same steps can be leveraged to re-deploy the enhanced control, and the time needed to re-document it is reduced by simply re-running the documentation tools listed above.

 

From Automation to Transformation

 

The steps outlined above automate the existing process. Longer-term, an even more important benefit is that Alteryx allows transforming the process.

 

SOX3.png

 

Benefits from automation include reducing risk and cost, as well as enabling real-time monitoring of control effectiveness on dashboards. Reducing manual work and eliminating copy-pasting information between spreadsheets can dramatically increase employee satisfaction.

 

But the real benefit of leveraging Alteryx for SOX controls is that it empowers business users to take ownership of their controls. Business owners, who know their process, are typically best suited to design effective controls. Traditionally they lacked the tools to implement them, as manual processes usually do not follow a traditional Software Development Lifecycle (SDLC) process – plain and simple, it is not always straightforward to evidence that spreadsheets meet the standards of being well-controlled and governed. That is the underlying reason why implementation of SOX controls is often left to centralized compliance teams, who manage controls for the Enterprise.

 

If SOX controls are owned by centralized teams, the risk is that changes in business environments may render controls outdated or ineffective. Processes to update them can be time-consuming and costly. With the right governance framework, Alteryx workflows are well-controlled and well-governed.

 

Transforming SOX controls puts business users in charge of designing, implementing, automating, and monitoring controls. A change in the tax code necessitating an update to a control or workflow? Previously, sharing the need to update and communicating the required changes to a central SOX team may have taken weeks; now, business owners can update the control, review it, perform testing, and implement it. Where controls are ineffective or outdated (e.g. because of a system change), business owners can leverage Alteryx’s easy-to-use platform to remedy the deficiencies themselves, all in a well-controlled platform that tracks updates and enforces proper access and change management controls. Aligning responsibilities for SOX controls with the business expertise ultimately shapes the control mindset of business users: They now have ownership of and responsibility for the process – and every incentive to get this right.

 

Summing It All Up

 

Leveraging spreadsheets to ensure SOX compliance can be manual, costly, and frustrating. In this post, we outline steps to automate and transform the process. By giving business users a well-controlled, easy-to-use platform, Alteryx empowers business users not only to automate SOX controls but also to transform the process and “own” it. Aligning business expertise and responsibilities for control design, implementation, and testing is where the real power of using Alteryx lies.

 

 

Acknowledgements: Kelley Sinnock (@KelleyS) and Sam Johnson (@alteryx_SFJ) provided extensive feedback and constructive suggestions on earlier drafts.
