Compliance with the Sarbanes-Oxley Act has been an unexpectedly challenging 15-year journey for large accelerated and accelerated filer organizations.
Protiviti has been collecting data points and insights on all aspects of SOX compliance activities, costs and challenges for the past 10 years. The results of our decade of research make it clear that this groundbreaking law and the ongoing compliance activities it requires are anything but static and predictable. Numerous influences inside and outside of the enterprise (regulatory pronouncements and enforcement, external auditors’ recalibrations in response to the Public Company Accounting Oversight Board [PCAOB] mandates, a steady procession of new accounting and auditing rules, technological disruptions, cyber threats and their influence on the implementation of internal controls, digital transformation, and more) require internal SOX teams to adapt and improve continually.
Organizations have been adapting and evolving their SOX practices over the past decade to become more efficient, including the growing use of third-party/outsourced providers. But incremental steps may not be enough for much longer. Overall compliance costs have edged downward this year but remain significant in most companies. SOX hours and control counts continue to increase. Such findings, combined with Protiviti’s complete body of SOX-compliance knowledge, suggest SOX compliance programs have reached a critical juncture: In our view, they must pursue and perform the same magnitude of transformation and innovation rippling across most other functions in their organizations.
This report describes how some of these emerging SOX compliance practices are growing and how cost, hours and control counts generate the greatest attention. Key findings include:
SOX compliance costs are trending down, although they remain significant.
Overall, SOX compliance hours continue to rise, with some significant variations.
The use of automated controls testing is increasing, as is interest in deploying advanced technologies to enhance SOX compliance efficacy.
More organizations are leveraging outside resources.