Sarbanes-Oxley (SOX) compliance costs are a top concern for executives and compliance leaders who continue to look for ways to both reduce costs and derive strategic value from their investment in compliance activities. Emerging practices, such as automated controls testing and robotic process automation (RPA), show promise in the long run for reducing these costs. Current results vary widely, however, as companies in various stages of digital transformation adapt to new rules and increasing audit scrutiny, according to Protiviti’s 2018 SOX survey.
This year’s results show that costs for SOX compliance appear to have leveled off or even dropped from 2017 for some organizations. For a substantial number of others, however, costs are on the rise. More than size or industry, SOX costs appear to be driven by each organization’s unique circumstances and structure, including but not limited to the total numbers of controls and locations, as well as the regions in which the company operates.
One nonrecurring factor affecting this year’s results is the degree to which companies are affected by the new revenue recognition accounting standard, which went into effect this year. We anticipate that some companies may experience a similar spike in the coming fiscal year, attributable to new lease accounting standards.
One ongoing area of concern is compliance hours, which are rising for many organizations — by 10 percent or more in most cases. Numerous factors are contributing to this, from greater demands placed on auditors by the PCAOB to an increased rate of changes to the business, digital transformation, and mergers and acquisitions.
As mentioned at the outset, some organizations have achieved greater efficiency and cost savings in their SOX compliance efforts by increasing their use of technology in business processes, which in turn supports greater opportunities for employing automated controls. We expect more benefits from these emerging technologies in the future.
Surprisingly, this year’s survey reflects that among those organizations using technology tools when testing their SOX Section 404 controls, the financial-close process is by far the area for which these tools are used most frequently, followed by the financial reporting process.
Although some companies have begun to apply RPA to automate manual and repetitive tasks, nearly three out of four organizations have yet to avail themselves of this opportunity, leaving room for substantial improvements in the future.
While companies have always looked for ways to make their SOX programs more effective and efficient, we are seeing an uptick in the number of companies that have either started to deploy or are planning to increase the deployment of automation/analytics in support of their SOX programs. Take a look at how your company compares by downloading the free survey report.