A new study finds that companies are increasingly putting internal audit in charge of Sarbanes-Oxley Act (SOX) internal controls compliance, rather than departments such as financial reporting or legal.
The survey, conducted by the SOX & Internal Controls Professionals Group, finds that 46 percent of respondents report that internal audit is in charge of managing the SOX internal controls compliance function, a 5 percent increase from last year, and up from the 32 percent who said internal audit handled it in 2016. There is also an increase in the use of a dedicated SOX/IC compliance team. About a third of respondents say SOX is now headed by a dedicated team, up from 25 percent last year.
The SOX & Internal Controls Professionals Group released the findings of its “2019 State of the SOX and Internal Controls Market Survey.” The survey, which was conducted in partnership with Workiva, measures the costs, challenges, and priorities related to SOX compliance.
“Internal audit has increased its involvement in the SOX/IC function across the board compared with last year’s survey,” the study’s authors note. More than three-quarters of survey respondents report a steep increase in internal audit involvement in testing and roll forward to 77 percent from 52 percent, walkthroughs to 72 percent from 47 percent, and issue tracking and reporting to 66 percent from 46 percent.
The study also finds that more companies are turning to technology tools to help with compliance, as costs continue to rise. About a third of respondents report that they use a SOX-specific software tool in addition to desktop tools such as Excel. Meanwhile, more than half of survey respondents report slight increases in external audit fees related to SOX compliance.
SOX Survey Key Findings
The number of professionals who use a SOX-specific tool has more than doubled since last year.
- Even though legacy desktop software tools like Word and Excel are the primary technology tools for 75 percent of respondents, one-third of SOX professionals now report that they use an additional SOX-specific tool, which has more than doubled since last year’s survey.
Use of advanced technology for SOX compliance has increased.
- The use of data analytics for SOX compliance doubled from last year.
- More than half of survey respondents are considering using continuous controls monitoring, which automates monitoring and testing of internal controls.
Internal audit’s involvement in SOX and internal controls has expanded.
- Internal audit’s ownership of the SOX and internal controls compliance function has increased.
- One-third of survey respondents report that internal audit spends more than half of its time on SOX processes.
SOX and internal controls compliance costs continue to increase.
- SOX compliance costs rose slightly, and more than half of survey respondents report an increase in external audit fees.
- Additional Public Company Accounting Oversight Board (PCAOB) requirements, the adoption of new accounting standards and the demand for internal controls related to IT and cybersecurity are among the reasons why external audit fees are higher.
Cybersecurity and IT controls are top priorities.
- Cybersecurity and IT controls now lead the list of challenges and priorities identified by survey respondents.
Automating SOX
“SOX professionals often spend too much time just managing their information,” said Ruth E. Nouanesengsy, manager of internal audit at Lancaster Colony Corporation and an advisor to the SOX & Internal Controls Professionals Group, in statement announcing the results. “At Lancaster, when we switched from a manual process to an automated process … we reduced the time spent in testing SOX controls by 19 percent over the past 3 years, and we significantly reduced administrative time.”
See also, “Survey: Companies Still Struggle on SOX Compliance.”
“The SOX and internal controls market faces both challenges and opportunities from business process transformation and technology disruption,” added Nouanesengsy. “The SOX professionals who meet these challenges will create new opportunities for efficiency, speed and accuracy—and, most of all, improve their value across their organizations.”
“SOX compliance is a complex process because building, implementing and evaluating internal controls requires collaborating across multiple departments, often involving hundreds of coworkers,” said Hillary Eckert, vice president of product marketing at Workiva. “It’s not surprising to learn that companies want better tools for connected reporting and compliance.”
The SOX & Internal Controls Professionals Group surveyed 475 professionals from U.S. companies of various sizes and industries. Three-quarters of survey respondents occupy a role that includes the planning and execution of SOX and internal control functions. More than half of the survey respondents identified their title as manager or director, and an additional 14 percent hold a corporate officer title of vice president or above.
Joseph McCafferty is editor & publisher of Internal Audit 360°
It would be interesting to know The Institute of Internal Auditors position on the findings of this study. A growing number of respondents (46%). report that internal audit is in charge of managing the SOX internal controls compliance function. As stated in the arrticle ““SOX compliance is a complex process because building, implementing and evaluating internal controls requires collaborating across multiple departments.” It would seem the obvious question to be asked is one regarding non-audit functions (such as building and implementing controls) and their potential conflict of interest when asked to “evaluate the very controls they designed and implemented