The global health crisis has disrupted businesses in many ways — and the impacts are likely to be long-lasting. But one thing that’s remained constant for many organizations is the need to maintain compliance with Sarbanes-Oxley (SOX) requirements.
We’ve seen notable changes over the past year and a half in how organizations are approaching their SOX compliance activities, and in the time and costs they’re devoting to that work. The good news is that many changes, like providing more detailed documentation in certain areas, can help to meet increased regulator expectations.
These trends are highlighted in Protiviti’s latest Sarbanes-Oxley Compliance Survey. Following is a quick overview of some key findings from the survey, along with additional observations and analysis.
Internal SOX compliance costs continue to rise for most firms
This year’s survey results on changes in SOX compliance costs in fiscal year 2020 were mixed. While most organizations reported that their average annual costs increased year-over-year, some companies, particularly those with more mature programs and those in the financial and insurance industries, saw a decrease in their costs. Given the dynamics of the past year and changing operating models, slight decreases are not unexpected.
One factor contributing to the increased costs for many companies was the need to plan for alternative controls and documentation in response to the sudden shift to remote work last year. We saw organizations increase their documentation related to management review controls, for example. Many companies also saw additional controls brought into scope in areas such as covenant compliance and going concern as well as more frequent program administration tasks such as risk assessment and calculation of materiality, which also contributed to higher compliance costs.
The need to change operating models and shut down offices and facilities for most of 2020 may have eased compliance costs for some companies. However, the resulting need to conduct certain procedures virtually, like physical inventory observations or site visits, also made SOX compliance work more challenging — and costly — for other businesses.
Hours spent on compliance efforts also trending up
Most of the organizations responding to our 2021 Sarbanes-Oxley Compliance Survey reported a year-over-year increase in the number of hours they devote to SOX compliance activities. The use of technology tools and automation appears to be creating benefits for companies dubbed “digital leaders,” however. These are companies in our survey that we categorized as having made significant progress toward digital transformation.
While 58% of digital leaders saw SOX compliance hours increase in fiscal year 2020, only 56% of those companies said their hours increased by more than 10%. As a comparison, 52% of all other organizations reported an increase in hours, and 68% of those firms reported that their hours rose by more than 10%.
One likely contributor to the rise in hours for all organizations across industries, including the digital leaders, is heightened expectations for documentation and assurance in management review controls and information produced by the entity (IPE). The Public Company Accounting Oversight Board (PCAOB) has long been focused on these areas, but the level of scrutiny it applies in its reviews continues to impact external auditors’ reviews, which, in turn, increases the time that organizations must spend ensuring they’re compliant in these areas.
More controls — and more granularity
Over the past year, we’ve also observed an increase in the breadth of control areas included within the scope of SOX. For example, the Securities and Exchange Commission (SEC), and thus external auditors and company management, are becoming increasingly focused on cybersecurity.
Interestingly, our latest Sarbanes-Oxley Compliance Survey shows that digital leaders issued a significantly higher number of cybersecurity disclosures compared with other organizations — 56% versus 32%, respectively. This is likely a reflection of digital leaders being more reliant on technology and also perhaps having more visibility into cyber-risk exposures and incidents.
Also, we’ve observed organizations taking a more granular approach to outlining control responsibilities, especially in areas where businesses are relying on external service providers for certain SOX control activities. To help manage potential risk, many businesses are taking the time to thoroughly articulate which organization is responsible for which control-related task. Some organizations are also finding they need to do more work due to delayed or qualified opinions coming from their service providers.
Increased recognition that automation provides competitive advantage
Protiviti’s 2021 Sarbanes-Oxley Compliance Survey results show that, overall, digital leaders are significantly more advanced than other organizations in using technology tools in various SOX compliance processes. For example, we know that about two-thirds (66%) of digital leaders used technology tools in the testing of controls to comply with SOX Section 404 in the 2020 fiscal year.
Automation of other key processes like SOX 302 certifications appears to be providing digital leaders with an edge in staying on top of SOX compliance requirements during the pandemic. It’s also likely that testing remotely has had less of an impact on digital leaders than on other organizations that aren’t as digitally mature.
Pandemic disruption has helped many firms with lower digital maturity to recognize that widening their embrace of technology and automation to increase efficiency in SOX compliance activities can be a wise strategy moving forward. However, budget constraints and wariness about the uncertain business environment have made it challenging for many organizations to accelerate digital efforts.
On the positive side, these obstacles have not prevented many firms from forging ahead with creating a road map for digital change. In fact, many companies we’re working with are committed to progressing their initial automation goals for SOX compliance processes within the next 12 to 18 months. Many must overcome significant hurdles as they make this critical shift, including defining the overall level of effort, ensuring effective change management, obtaining stakeholder buy-in and securing investment budget.
Our survey findings indicate that SOX, which is now nearly two decades old, is still challenging for many organizations to comply with efficiently and cost-effectively. The pandemic hasn’t helped them to get ahead, of course. But requests from external auditors and other stakeholders and related regulatory obligations continue to be a large driver of the ongoing trend of rising hours and costs related to SOX.
It’s also evident that the use of technology tools and automation to support SOX compliance activities can provide an advantage. We therefore expect to see more firms devoting more attention and resources to these areas so they can improve the efficiency of their SOX compliance processes.
Be on the lookout for our next blog post, where we’ll take a closer look at how organizations can get started with automation for SOX compliance.