It’s been 16 years since the Sarbanes-Oxley Act took effect in 2002, and companies are still wrestling with SOX compliance. Now, a new study shows they are paying more to meet the regulation’s requirements and have generally not done a good job of using technology to automate controls and ease compliance efforts.
The study of more than 1,000 public company finance and internal audit executives, conducted earlier this year by consulting firm Protiviti, finds that the cost of compliance with SOX and the number of hours that go into the effort are rising once again, particularly for larger companies.
For large accelerated filers (public float of $700 million or more) the average internal cost for SOX compliance increased by 17 percent from $1.14 million in 2017 to $1.34 million this year. More than a quarter (28 percent) of large accelerated filers and accelerated files now pay more than $2 million for internal SOX compliance, up from 18 percent of large accelerated filers and 10 percent of accelerated filers who spent more than $2 million last year.
The hours employees spend working on SOX compliance also increased sharply this year for many organizations, according to the Protiviti study. About half (49 percent) of large companies said the hours their employees spent on SOX compliance increased last year, and half of those said it increased more than 10 percent.
The study’s authors attribute the increased cost and time spent on SOX compliance to the difficulties companies have had with some new accounting rules and the increased pressure external auditors are putting on companies, as a result of the pressure those auditors are getting from their regulator, the Public Company Accounting Oversight Board.
“Many organizations are seeing their SOX compliance costs continue to increase. It is possible at least some of this can be attributed to the new revenue recognition accounting standard which went into effect this year. Organizations should expect further significant accounting preparation and SOX compliance program changes in the coming fiscal year, when the new lease accounting standard becomes effective,” Protiviti noted in the report.
External Audit Costs Rising, Too
Many companies are getting bigger bills from their external auditor for SOX-related work as well. Half of large companies say their SOX-related external costs increased last year, while 44 percent said costs held steady; only 6 percent reported a decrease in costs. Similarly, 23 percent of smaller companies experienced increases in external SOX compliance costs, compared to 71 percent who said costs remained the same, and 6 percent who enjoyed a decrease in external SOX costs.
“The big focus by the PCAOB and their desire to make sure there is a lot more rigor behind the reviews of internal controls over financial reporting has really caused companies to rethink what they are looking at,” says Keith Kawashima, a managing director of the internal audit and financial advisory practice at Protivity. “They are working with their external auditors who are getting a lot of pressure to focus on the most relevant parts of the control structure within an organization. Areas that didn’t get touched much in the past are now being looked at.”
According to Kawashima, the increasingly complex and digitized business world has added to the difficulties with SOX compliance. “I think a lot of companies started to take SOX for granted; it’s been around for a long time,” he says. “The risks companies face are evolving. Those risks include the way their business is moving toward a digital world. So as more and more information is captured on systems, and some of those systems are somebody else’s, we really do start to have a more complex environment. And the same controls that worked for the company five years ago may not work for them any longer.”
Some Bright Spots
There were a few positive nuggets in the results from the Protiviti survey. Internal costs for non-accelerated filers (with a public float of less than $75 million), for example, decreased by 20 percent to $561,000 from $700,000 in 2017. Those costs are down from $1.2 million in 2016, as regulators have sought to provide smaller companies with some relief from the more onerous provisions of SOX.
For smaller companies that did see increases in internal SOX compliance costs, they were generally more palatable than the hikes big companies experienced. For about half of small companies with an increase, those costs only jumped 5 percent or less, and 82 percent were 10 percent or less.
Respondents also said that Sarbanes-Oxley has generally improved the internal control over financial reporting structure at their companies. Indeed, 59 percent said that structure had either moderately improved (39 percent) or significantly improved (20 percent) since the company was required to comply with SOX Section 404(b), which requires public companies to have their auditor attest to and report on management’s assessment of its internal controls. Only 1 percent said the ICFR reporting structure had minimally weakened and another 28 percent saw no change.
A Failure to Automate
Among the most surprising findings of the survey is that companies are still behind on adopting technologies that would partly automate or streamline the SOX compliance process. Just 28 percent, for example, say they are using technology tools, like robotics process automation, to test controls, while 63 percent said they are not and 9 percent didn’t know.
Among survey respondents who said their organizations do not use automated tools, 23 percent said they plan to adopt new tools this year, and 20 percent said they were no such plans. Another 26 percent said their organizations will adopt more automation tools in 2019.
The use of technology tools for SOX work was fairly low across the board. Just 27 percent of respondents reported using continuous controls monitoring, 11 percent use robotic process automation, 8 percent use advanced data analytics, and 8 percent use visualization tools.
“Assessing our SOX Compliance Survey results over the past few years, there has been minimal movement in the percentages of key controls that are automated key controls. In addition, fewer companies indicate significant plans to automate a broad range of IT processes and controls,” the report’s author write.
Still, Protivity believes the use of technology and automation represents a significant opportunity for companies to reduce cost and increase efficiency in SOX compliance. “We hope as we move toward better ways to do our testing, that those costs will start to reduce,” says Kawashima. “The greater use of bots—If businesses start to use those robotic process connectors—we do think the testing of those activities will be a little easier and a little more straightforward, and hopefully ultimately result in lower costs of the compliance work that goes along with it.”
Joseph McCafferty is editor & publisher of Internal Audit 360°