It has been 15 years since the Sarbanes-Oxley Act became law, and while many organizations have settled into complying with its requirements, the compliance process continues to not only be dynamic, but also a subject of ongoing interest.
Chief audit executives, chief financial officers, and other finance and internal audit leaders eagerly seek benchmarking data on costs, hours, control counts, and much more as they determine how and where to streamline compliance activities while addressing numerous regulatory and market changes.
These data points, and much more, can be found in the results of Protiviti’s latest Sarbanes-Oxley Survey. All results presented in this report are from publicly held organizations.
Overall Key Findings:
- Compliance costs appear to be trending down…or are they? – For some companies, SOX compliance costs show some decrease compared to last year’s survey results. This likely is attributable to organizations completing their work to implement the updated COSO Internal Control – Integrated Framework. However, costs are still on the rise for many companies – the percentage of those annually spending $2 million or more rose compared to last year. In addition, the data reflects the direct relationship between annual costs and the number of unique locations, as well as the complexity of the organization.
- Hours continue to go up – Time devoted to SOX compliance activities increased for a majority of organizations last year, and for two out of three of these companies, hours increased by more than 10 percent, underscoring that compliance remains a time-consuming exercise.
- Use of outside resources is on the rise – Significantly more organizations are relying on outside providers for SOX compliance activities, both on an outsourced and co-sourced basis. For some companies, this may be a factor in stabilizing compliance costs coupled with the fact that hours dedicated to compliance activities continue to rise.
- Control counts are up – Similar to costs, control counts have a direct relationship to the number of unique locations within the organization. We also see that, compared to our prior year results, the percentage of entity-level controls classified as key controls has increased – a trend likely resulting from implementation of the updated COSO Internal Control – Integrated Framework.
- Revenue recognition, cybersecurity and the PCAOB are influencing forces – SOX compliance efforts continue to be shaped by new and emerging influences, from the new revenue recognition standard and cybersecurity concerns to the PCAOB’s inspection reports on external auditors and the resulting effects on audits of internal control over financial reporting.
- SOX work continue to be viewed as having a positive effect – Overall, three out of four organizations report their internal control over financial reporting structure has improved since they begin complying with the Sarbanes-Oxley Section 404 requirement.