Sarbanes Oxley Workflows Shift as Regtech Adoption Jumps
When Ernst & Young resigned as Super Micro Computer’s auditor in October 2024, the AI server maker’s stock dropped 30%. The auditor cited significant concerns over internal controls, board independence, and accounting practices. By February 2025, Super Micro disclosed material weaknesses in its Sarbanes Oxley internal controls over financial reporting, specifically citing IT issues, lack of documentation over manual journal entries, and insufficient controls to address segregation of staff duties. The company’s stock has dropped 23% since August 2025 amid the delayed disclosures.
The Super Micro case illustrates why companies are rushing to automate their Sarbanes Oxley compliance programs. When Enron filed for bankruptcy in December 2001, investors lost $68 billion and 9,000 employees lost their jobs. WorldCom followed seven months later, inflating its assets by approximately $11 billion. Congress responded with the Sarbanes Oxley Act of 2002, requiring CEOs and CFOs to personally certify financial statements and creating the Public Company Accounting Oversight Board to oversee auditors.
According to Protiviti’s 2023 Sarbanes Oxley Compliance Survey, 63% of respondents now leverage technology to enable their SOX compliance program, up from roughly 45% five years ago. Finance teams are abandoning manual spreadsheets and sample based testing for continuous monitoring platforms powered by artificial intelligence.
Material Weaknesses Persist Despite Rising Spending
Of the 3,502 annual reports filed in 2023 and 2024, 279 companies disclosed material weaknesses in their internal controls. Nearly 40% of organizations fail at least one Sarbanes Oxley control annually, despite more than half of companies spending over $1 million on compliance efforts every year.
Under Section 906, executives who willfully certify fraudulent reports face $5 million in fines or 20 years in prison. Companies may be fined up to $25 million and risk delisting from public stock exchanges. In December 2023, the SEC granted a $28 million award to seven whistleblowers.
Material weaknesses related to IT, software, security and access issues showed significant increases in 2023. Lack of accounting resources, segregation of duties issues, and inadequate control design consistently ranked as the top material weaknesses.
Traditional Testing Struggles With Technology Complexity
The traditional approach to Sarbanes Oxley compliance depends on sample testing and manual documentation. Finance teams pull transaction records from multiple systems into spreadsheets, validate data, and present evidence to auditors months later.
Today’s finance organizations operate across cloud platforms, multiple ERP systems, and dozens of integrated applications. A majority of respondents to Protiviti’s survey said the scope of SOX compliance has significantly or moderately expanded over the past two years.
The Public Company Accounting Oversight Board has increased scrutiny of automated controls, prompting auditors to examine the source code underlying automated controls.
Continuous Monitoring Replaces Quarterly Samples
Rather than testing 25 transactions per quarter after the fact, continuous monitoring systems analyze every transaction in real time. When a purchase order exceeds approval limits or an employee accesses financial records outside their role, the system flags it immediately rather than waiting for the next audit cycle.
Analytics tools process large volumes of data to identify patterns, visualize trends, and improve insights for better decision making. This continuous approach proves more effective than traditional sample based testing because it identifies relevant risks more efficiently and enables timely risk management.
Organizations with automated SOX compliance achieve a 70 to 85% reduction in manual control testing effort and a 90% improvement in control deficiency detection speed, according to industry research. Audit preparation time decreases dramatically because documentation and evidence are maintained continuously. Finance teams spend less time gathering evidence and more time analyzing financial performance.
GenAI Transforms the Compliance Life Cycle
Deloitte’s Lindsay Rosenfeld, a partner who leads the firm’s governance, risk and controls practice, describes how technology is reshaping the profession. In a December 2024 blog post, she explained that GenAI capabilities now extend across the entire compliance cycle.
GenAI has the power to automate, accelerate, and generally improve many aspects of the SOX compliance life cycle, from risk assessment and controls design to monitoring, remediation, reporting, and testing.
Natural language processing allows the technology to read contracts, analyze email threads related to revenue recognition, and generate audit documentation that previously required days of manual work. Deloitte leverages GenAI to develop process flows from walkthrough transcripts, conduct audit and accounting research, and provide insights and reporting.
The technology cannot yet operate unsupervised. Human judgment remains essential for interpreting results and making decisions about complex accounting treatments. KPMG, which ranked first in quality in internal audit by Source’s Perceptions of Risk Firms in 2024, emphasizes that automation should complement rather than replace professional judgment.
IT Controls Present the Biggest Challenge
A single misconfigured permission in an ERP system can allow unauthorized employees to manipulate journal entries. The segregation of duties problem intensifies as companies grow. A small finance team at a newly public company might have one person who can both create vendors and approve payments, a classic control failure.
Platforms now integrate with leading business applications including SAP, Oracle, NetSuite, Workday, and Salesforce. These systems monitor user access and transaction level activity in real time, blocking risky transactions before they complete rather than discovering violations months later during testing.
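The three checks described above (the segregation of duties conflict, approvals above a user's limit, and access outside a user's role) can be expressed as simple rules over an ERP activity log. The following is an added illustration, not code from the article or from any vendor platform; the event fields, role names, approval limits and the sample log are constructed assumptions.

```python
# Added example (not from the article): rule-based continuous-monitoring checks
# over a constructed ERP activity log. Event shapes, role names and limits are
# assumptions for illustration only.
from collections import defaultdict

# Constructed sample: which roles may perform which actions, and per-user
# payment approval limits.
ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_manager"}, "carol": {"sales"}}
PERMITTED = {"create_vendor": {"ap_clerk"}, "approve_payment": {"ap_manager"},
             "read_gl": {"ap_clerk", "ap_manager"}}
APPROVAL_LIMITS = {"alice": 5_000, "bob": 50_000}

# Constructed activity log; in practice this would stream from the ERP audit trail.
EVENTS = [
    {"user": "alice", "action": "create_vendor", "vendor": "V-100"},
    {"user": "alice", "action": "approve_payment", "vendor": "V-100", "amount": 4_200},
    {"user": "bob", "action": "approve_payment", "vendor": "V-200", "amount": 75_000},
    {"user": "carol", "action": "read_gl"},
    {"user": "bob", "action": "read_gl"},
]

def sod_conflicts(events):
    """Flag users who both created a vendor and approved a payment to it."""
    by_user = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] in ("create_vendor", "approve_payment"):
            by_user[e["user"]][e["action"]].add(e["vendor"])
    return sorted((u, v) for u, acts in by_user.items()
                  for v in acts["create_vendor"] & acts["approve_payment"])

def limit_breaches(events, limits):
    """Flag payment approvals above the approver's limit (no limit means 0)."""
    return sorted((e["user"], e["vendor"], e["amount"]) for e in events
                  if e["action"] == "approve_payment"
                  and e["amount"] > limits.get(e["user"], 0))

def out_of_role_access(events, roles, permitted):
    """Flag actions performed by users holding no role that permits them."""
    return sorted({(e["user"], e["action"]) for e in events
                   if not roles.get(e["user"], set()) & permitted.get(e["action"], set())})
```

Each function returns the flagged items so the same rules can run on every new event rather than on a quarterly sample; on the constructed log they surface alice's vendor-and-payment conflict, bob's over-limit approval, and carol's general ledger read.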
Baker Tilly emphasizes that effective SOX compliance relies on well controlled technology, requiring a deep understanding of how ERPs, third party solutions, data warehouses and reporting functionalities interact with business process controls. The firm offers IT solutions that integrate specialized skills for ERP configurations, access management, automated controls and cybersecurity risks affecting financial data integrity.
Newly Public Companies Face Steepest Learning Curve
In 2023, 44% of traditional IPOs disclosed material weaknesses. Between 40% and 58% of US based IPOs on NYSE and NASDAQ in the past three years disclosed material weaknesses in their regulatory filings. These companies often lack employees with recent Sarbanes Oxley experience and underestimate the effort required.
The root cause of most material weaknesses for traditional IPOs is lack of resources with sufficient knowledge to analyze complex transactions for proper accounting treatment. Private companies approaching IPO often discover their existing finance team cannot handle the demands of public company reporting while simultaneously building controls from scratch.
Large accelerated filers reported weak internal controls at a rate of 17%, more than five times higher than smaller reporting companies at 3.3%. The counterintuitive finding reflects the complexity challenge: larger companies operate more systems, subsidiaries, and locations, multiplying the number of controls requiring monitoring.
The Cost Calculation Shifts Toward Automation
CFOs face competing pressures. Compliance costs keep rising but boards resist spending millions on systems that generate no revenue. The average annual internal SOX program budget for a small public company under $25 million in revenue is about $181,300, while huge firms above $10 billion revenue often spend well over $2 million each year.
The math increasingly favors automation. Finance teams report they can complete quarterly close processes days faster when they eliminate manual control testing.
Auditors Demand More Than Sample Evidence
Auditors increasingly request evidence of continuous monitoring rather than sample testing. A company monitoring 100% of journal entries for unusual patterns achieves greater audit efficiency than one testing 30 journal entries per quarter.
When clients provide API access to financial systems, auditors can run automated tests on complete transaction populations rather than samples, benefiting both parties while avoiding disruptive information requests.
ESG Expands the Compliance Frontier
In 2024, the SEC adopted enhanced cybersecurity disclosure rules that require SOX teams to analyze larger volumes of structured and unstructured data, improve real time monitoring, and optimize the efficacy of testing programs. The expanded requirements push companies toward automated solutions capable of processing millions of transactions and log entries.
More public companies than ever are disclosing sustainability data, requiring companies to design and implement relevant financial reporting controls over ESG data, much of which is non financial data outside of the general ledger. As ESG reporting requirements expand, the same continuous monitoring approaches used for financial data will extend to environmental and social metrics.
According to Protiviti’s survey, 74% of organizations are seeking opportunities to enable automation further. The technology exists today to automate most routine Sarbanes Oxley testing. The barrier is no longer technical capability but organizational readiness. Finance teams must develop new skills in data analysis and system configuration while maintaining traditional accounting expertise.
Companies that successfully navigate this transition gain competitive advantage through reduced compliance costs and faster financial close cycles. The alternative, as Super Micro discovered, is to risk material weakness disclosures that destroy shareholder value and invite regulatory scrutiny.
