Over two years, a global technology and commerce solutions provider reduced its SOX IT controls by nearly 50%, from 342 to 130, while fully insourcing SOX IT testing and saving approximately US$750,000 annually. The initiative offers practical lessons for organizations seeking to modernize their IT control environments without compromising compliance.
Why the Control Environment Became Unmanageable
As the organization grew through acquisitions, divestitures, and system upgrades, its SOX IT control environment expanded organically rather than through a unified, risk-based strategy. By 2023, more than 340 controls covered access management, change management, configuration, backup and recovery, job scheduling, and system interfaces. Individually valid controls had become collectively fragmented, redundant, and resource-intensive, with testing consuming significant resources without proportional risk mitigation.
A Risk-Based, Two-Phase Approach
The rationalization initiative began with a comprehensive review, mapping each control to specific financial reporting risk and assessing relevance, redundancy, and alignment with material risk.
Key actions included:
- Consolidation: Centralizing user access reviews and password settings at the directory service level
- Retirement: Removing controls tied to decommissioned systems or unused interfaces
- Tool-level governance: Unifying backup, batch processing, and restoration controls
- Simplified configuration: Merging configuration reviews into a smaller, risk-focused set
Phase 1 reduced controls from 342 to 253, a 26% decrease, and generated approximately US$400,000 in annual savings. Phase 2 deepened this work, reducing controls further to 130 (a 49% cumulative reduction) and completing the transition to fully insourced SOX IT testing.
What Made the Initiative Work
The case study highlights several factors behind the result:
- Focus on risk, not numbers: Every reduction decision was guided by risk alignment, not simplification for its own sake
- Cross-functional collaboration: Internal audit worked closely with IT, compliance, business process owners, and external auditors throughout
- Rigorous documentation: Risk analyses, impact assessments, and version-controlled records created a defensible audit trail
- Early external engagement: Involving external auditors early reduced resistance and strengthened outcomes
Turning ICOFR Compliance into Operational Efficiency
For banks in Indonesia, POJK 15/2024 introduces mandatory internal control requirements over financial reporting. As organizations build out their ICOFR frameworks, the same risks apply: control environments can quickly become fragmented, redundant, and resource-intensive if not designed around material financial reporting risk from the outset. Crowe supports organizations through ICOFR advisory, helping assess control environments against material risk, identify redundancies, and design a structure that meets regulatory requirements while remaining efficient to maintain and test.