Ever since the Sarbanes-Oxley Act passed in 2002, compliance with the law, known as “SOX,” has been a bit of a thorn in the side of many companies.
In earlier years, companies spent millions of dollars and hundreds of employee-hours each to ensure the sophisticated controls over financial reporting that the law requires are in place and working properly, and that they are in compliance with SOX’s many other provisions. Even now, 15 years after the law took effect, many companies still find the process demanding, costly, and complex.
In fact, a new survey on SOX compliance finds that the number of hours companies spend on it continues to climb, even as many have worked to adopt new technologies to aid their compliance efforts. And on the technology adoption front there is still much work to be done. According to the survey, conducted by consulting firm Protiviti, nearly half of the companies surveyed (47 percent) did not use automation or advanced technology tools in the testing of controls to comply with SOX.
“Seventeen years after the Sarbanes-Oxley Act of 2002, the challenges associated with SOX compliance continue to be pervasive for many firms,” Protiviti said in a statement announcing the results of the survey.
Counting the Hours
Among the most surprising results of the study, which Protiviti has conducted for the last ten years, is that most companies spent more hours on SOX compliance, and while the cost to comply declined for some—as we would expect to see so many years out from adoption of the rules—some groups saw increases in the cost of compliance.
For more than half of the companies surveyed (51 percent) the hours of work needed to comply with SOX increased, for 34 percent it stayed the same, and it declined for 15 percent of respondents. And for those companies that did experience an increase in needed hours it was typically a fairly big one: among companies that said they required more hours of work to comply with SOX, 59 percent said it was a jump of 10 percent or more.
“This increase reflects the amount of time internal teams and external auditors invest in compliance activities determined by a range of ‘beyond-SOX’ factors, including follow-on effects of Public Company Accounting Oversight Board inspections, new accounting standards, process and technology changes, and more,” Protiviti noted in the survey.
Expensive SOX
Overall, costs to comply with SOX declined slightly, but for some groups they actually increased. The SOX compliance bill for the largest companies with more than $20 billion in revenues, for example, increased to $2.1 million in 2019, up from $1.8 million in 2018. For companies with revenues between $1 billion and $5 billion, compliance costs jumped from $800,000 in 2018 to $1 million this year.
“One of the more interesting trends we’ve seen in our SOX research over the past decade is that the level of cost and effort has not decreased in any meaningful way for organizations. This would certainly not be the expectation,” said Keith Kawashima, a managing director at Protiviti.
External audit costs also continue to increase for a substantial number of organizations, including a majority of large accelerated filers, non-accelerated filers, and companies with between $100 million and $10 billion in annual revenue. Furthermore, audit fees increased 10 percent or more for many organizations across different segments.
Slow on the Uptake
The survey results “further underscore the need for organizations to assess where and how they can leverage analytics, RPA, machine learning and more in their SOX compliance activities,” said Kawashima. And respondents say they are considering adopting such technologies, albeit slowly, which is consistent with other recent studies that indicate that internal audit has been slow to embrace transformative technologies.
Indeed, the audit, compliance and finance leaders and professionals responding to the Protiviti survey indicated that their organizations are waking up to the fact that they need to automate their programs. Nearly half (46 percent) reported they plan to discuss the topic with their external auditors during fiscal 2019. Though SOX compliance expenses have edged downward during the past year, the costs remain significant for many organizations, especially with respect to the value delivered beyond financial reporting processes.
“Looking back on the decade of information gathered since Protiviti first conducted the study, it’s evident the majority of companies still have a long way to go in their journey towards a more efficient SOX compliance program,” said Brian Christensen, executive vice president and global leader of Protiviti’s internal audit and financial advisory solution.
Among the survey respondents already leveraging technology in their organization’s SOX compliance process, data analytics is the most widely used tool (41%), followed by automated process approval workflow tools (38%) and access controls, user provisioning and segregation of duties review tools (36%).
It might be more telling, however, to consider the technologies they are not adopting. Just 13 percent of respondents are using machine learning, up from 2 percent in 2018; 19 percent are using robotic process automation (RPA), up from 11 percent in 2018; and 24 percent are using advanced data analytics, up from 8 percent last year.
“The good news is that the technology required to ease SOX compliance processes is here. We recommend that audit and finance leaders identify the solutions best-suited for their organizations and commit to transforming to a next-generation SOX compliance program sooner rather than later,” says Christensen.
Additional Findings
Some other significant findings of the survey include:
- More organizations are leveraging outside resources: There has been a substantial increase among companies using co-source providers for SOX compliance activities related to process and IT controls.
- Cyber security continues to influence SOX efforts: Nearly half of all organizations were required to issue a cyber security disclosure in their most recent fiscal year, and among these companies, close to one in five reported a substantial increase in cyber security-related SOX compliance hours as a result.
- Overall control counts are largely stable compared to control counts for the previous year, yet many companies increased the number of controls that they test, especially when it comes to entity-level controls.
The Protiviti report, titled Benchmarking SOX Costs, Hours and Controls, is based on a survey of 693 audit, compliance and finance leaders and professionals at U.S. public companies, representing a wide range of industries. The survey was conducted, with the help of software firm AuditBoard, during the first quarter of 2019.
Joseph McCafferty is Editor & Publisher of Internal Audit 360°
Well, the PCAOB is putting such a heavy amount of pressure on the external auditors related to evidence – and almost absolute assurance of financial statement accuracy. The external auditors, in turn, are pushing their clients for absolute assurance rather than reasonable assurance of the financial statement accuracy and internal controls over financial reporting (ICFR) design / operating effectiveness. It’s almost as though it is easier for the external auditors to go straight to material weakness than to attempt to come to a reasonable outcome. This is most painfully true within the IT General Control space (and source documentation such as reports and queries). In my experience over the past 5 years, this external auditor approach has a direct impact on effort/cost increase. That said, there are definitely companies that do not strive to make any improvements even when given a chance to improve but those are a smaller proportion of the overall mix.