SOX Compliance Survey: One Decade of Insights

Brian Christensen, Managing Director Global Leader, Internal Audit and Financial Advisory

“The more things change, the more they stay the same.” Future corporate archeologists may very well reach that conclusion after excavating and poring over early 21st-century evidence of Sarbanes-Oxley (SOX) compliance activities. Given the law’s extensive requirements, there will be no shortage of documentation to unearth.

As Protiviti developed its 10th annual Sarbanes-Oxley Compliance Survey report this year, we dug up our inaugural report, which appeared in June 2010, nearly eight years after the sweeping SOX rules were signed into law and just as businesses were striving to regain traction in the slippery wake of the global financial crisis. We conducted the research because we believed that the ongoing challenges of SOX compliance — still substantial then despite the years that had elapsed since the regulation’s initial submission deadlines passed — warranted a closer review of the strategies and tactics being deployed by organizations.

Ten years have elapsed since our first collection of analyses, and much of it remains relevant today. For example, we reported in our inaugural report that “organizations had come a long way in the past eight years” in refining their SOX compliance capabilities but pointed out that “Sarbanes-Oxley still has a high level of cost, effort and administrative burden for many organizations.” That was the case in 2010, and, as our findings in this year’s survey reveal, remains true now. Back then we promoted our research as a means of providing “valuable and important insights into how companies are complying with the internal control-related provision of this legislation.” We stand by that assertion today — confidently so, given that we’ve continued to conduct and refine our SOX compliance research in response to a sustained demand for this benchmarking information.

Refinements — to our survey instrument (and we’ve made many) and to SOX compliance strategies, structures and processes — are crucial in light of how much companies have transformed during the past decade. As business leaders continue to improve their SOX capabilities, it is important to keep in mind a handful of important takeaways we’ve gleaned from a decade of conducting surveys that yield benchmarking insights concerning compliance costs, control counts and other trends:

  • Despite efforts and expectations to the contrary, the hours and level of commitment dedicated to SOX compliance have not decreased notably over the past decade.
  • External auditors’ scrutiny of compliance capabilities continues to change and intensify, largely due to the PCAOB’s ongoing refinement of auditing standards and related oversight activities in service of its mission to protect investors and the public interest by promoting informative, accurate and independent audit reports.
  • While it remains difficult to keep the SOX compliance burden constant — let alone reduce the hours and costs involved in the endeavor — the best opportunity to do so is through automation and the introduction of new SOX compliance approaches.

Our survey this year includes questions about the effect of cybersecurity disclosures on the number of SOX hours, the benefits companies have achieved by performing SOX compliance work, plus a few other nuances. I invite you to read the report, which you can download free from our website, and see how your SOX costs, hours and benefits compare to those of other companies.

The next decade of SOX compliance trends may be dictated by how well organizations transform their compliance practices and embrace “SOX compliance 2.0.” Stay tuned for this upcoming discussion by subscribing to and following our blog.

Read additional posts on The Protiviti View related to SOX compliance.
