SOX 2019: Keeping Compliance Costs in Check

Eric Groen, Managing Director Internal Audit and Financial Advisory, Protiviti
Tom O'Reilly, Director Internal Audit Practice Leader, AuditBoard

Sarbanes-Oxley Act compliance has been a challenging 15-year process for most companies. Over the past 15 years, SOX teams have had to navigate a constantly changing landscape of regulatory pronouncements, enforcement and accounting practices. Adapting to these changes has proven to be costly and time-consuming, and although 2019 SOX survey data shows that companies have begun to make some headway toward reducing compliance costs, SOX hours and control counts continue to increase.

We discussed these findings with more than 2,000 participants in a recent webinar, which we will be addressing in a series of posts on The Protiviti View. This post examines trends in compliance costs and offers insight into some of the ways companies have found to keep those costs in check.

In 2019, more companies than ever before said that their SOX compliance costs were trending downward. This is very good news, and consistent with the increased effort companies put into cost containment. Most of these decreases could be attributed to one of two main drivers: reduction in the total number of controls, and the efficiency and effectiveness of SOX teams.

Reducing Control Count

With so many changes occurring in SOX compliance, control counts can escalate quickly. This is especially true when SOX teams are in the habit of carrying over rather than updating risk assessments from year to year and adding new controls along the way. This can lead to an accumulation of redundant and unnecessary controls.

SOX leaders have found that they can reap significant efficiencies with annual risk assessments, which can identify and eliminate redundancies as well as uncover opportunities to standardize controls and perform them across processes and in multiple locations. Once a control has been standardized, it can be tested at a higher level, rather than having to perform individual tests for every instance in which that control has been applied.

SOX Team Efficiency

Companies are coming up with all kinds of creative ways to improve the effectiveness and efficiency of their SOX teams but, generally speaking, all fall into one of four categories.

  • Increase emphasis on SOX competency — Following the time-tested management principle that “what gets measured gets done,” chief audit executives have been adding SOX-related competencies to performance evaluations including, for example: identifying control rationalization opportunities; developing testing regimens that don’t create process disruptions; raising business user awareness of their internal control responsibilities; and assessing and evaluating the SOX compliance impacts resulting from changes to the business or external auditor’s approach.
  • Evaluate co-sourcing options — Good resource managers know when to ask for help. We’ve seen an increase in the number of companies pulling in SOX subject-matter experts to test both new and existing business process controls. Benefits of co-sourcing include the added perspective on what other organizations are doing. Recent examples of this include the implementation of controls related to new lease accounting rules and the documentation of critical audit matters.
  • Automate aspects of the process — Given that a significant driver of change these days is technology, it only makes sense that SOX teams would look for ways to apply modern tools, such as advanced analytics, robotic process automation (RPA) and machine learning to SOX processes. Automation has already proven to be useful in such areas as testing reviews, document requests, control certifications and status recording.
  • Deploy an appropriate GRC Tool —SOX teams using Microsoft Excel and Word, or legacy GRC systems to manage their control environments, spend 30-40% of their work time dealing with version control issues, manually making individual control changes across a dozen or so documents, and preparing status reports. Using a GRC solution purposely built for SOX compliance enables auditors to eliminate time wasted on these administrative tasks. Best-in-class SOX solutions can also help eliminate control deficiencies, which adds to the time savings that can be achieved in a SOX program.

All of the above approaches, which can be summed up as SOX Compliance 2.0, are going to become more important over the next ten years as SOX teams are asked to do more with less. One final thought, in addition to the things we’ve already discussed, is that maybe there is an opportunity to be a little more agile. By engaging process owners earlier in the process and including them on our teams, we can proactively work with them to find ways to improve the SOX compliance process. They might even have suggestions on ways to make the testing process more enjoyable for all!

The approaches described above aren’t miracle cures, but they are ways that we’ve seen companies succeed at reducing their SOX compliance costs. SOX compliance 2.0 is really about encouraging innovation in the compliance process. In all aspects of internal audit, including but certainly not limited to SOX compliance work, SOX teams need to think about where they may be able to do things differently.

Add comment