Internal auditors might want to look at a new report on Sarbanes-Oxley compliance that paints a rather drab picture of things these days: SOX compliance duties crowding onto your plate, costs going up, and compliance teams adopting new technology at a pace less than people might like.
The report, from the SOX Professionals Group and sponsored by Workiva, surveyed more than 475 SOX compliance folks at companies large and small. This is the fourth year of the SOX State of the Market Report, so we also have longitudinal data to give us a sense of trends changing over time.
Hillary Eckert, vice president of product marketing, captured the state of things in the introduction to the report when she wrote: “This year’s survey confirms what we see in the marketplace and hear from SOX professionals every day: they spend an excessive amount of time managing information. The SOX function is complex and inefficient, costs continue to increase, and the tools that the majority of SOX professionals use are tethered to their desktops.”
That’s a downer of a summary, but Eckert’s not wrong.
Let’s start with internal audit’s role in SOX compliance. It’s growing, from roughly 33 percent handling SOX compliance in 2016 to 46 percent now. Figure 1, below, suggests that internal audit is picking up that responsibility while the financial reporting team is shedding it, with dedicated SOX compliance teams see-sawing up and down over the years.
My concern is whether internal audit is handling SOX compliance to such an extent that SOX compliance crowds out other needs.
For example, 66 percent of respondents said their internal audit function exists in-house, rather than outsourced or co-sourced; and 31 percent said they spend more than half their time on SOX compliance. Meanwhile, 39 percent said they perform fewer than 10 operational audits every year.
To me, all that suggests lots of internal audit functions spending lots of time on SOX compliance, rather than all the other risks an organization might face. That directly contradicts what the Institute of Internal Auditors, chief audit executives, and audit committees all say they want: an internal audit function that focuses on emerging or strategic risks, with lots of attention on building better data analytics to help business functions intercept risks before they get out of hand.
A Word on SOX Compliance Tech
OK, so there you are, an internal audit team mired in SOX control testing and documentation rather than doing the cool stuff on emerging risks. In theory, you could get that monkey off your back by embracing better technology to automate a lot of the scut work. So what does our SOX compliance survey say about that?
Again, nothing great. As you can see from Figure 2, the vast majority of respondents still rely on desktop software as their primary tool for SOX compliance. Yes, 34 percent also use a SOX-specific tool, and 21 percent use data analytics — and both of those numbers are double where they were in the 2018 report, which is good. But those are still low numbers, and we’re not truly going to alleviate SOX compliance burdens until the numbers are much higher.
Another interesting point on technology: 53 percent of respondents said they are considering how to adopt continuous controls monitoring, another SOX compliance technology that would automate — and therefore alleviate — a lot of the compliance burden internal audit teams have today. Only 11 percent have implemented CCM already.
That’s interesting because the vast majority of control failures were caused by controls not properly executed. Failures like that are what CCM should reduce, so in theory we should see more companies adopting CCM in years to come. I’ll be curious to see whether the statistics bear that out in future SOX compliance surveys. (We should also note here that Workiva, sponsor of this report, sells continuous controls monitoring software.)
The Other Stuff
At this point, SOX compliance has been around for so long that reporting on the costs is the least interesting issue. For the record, however, 49 percent of respondents said their compliance costs rose for 2019, compared to 46 percent who said the same last year. Only 13 percent saw their compliance costs fall.
That differs from Protiviti’s SOX compliance survey from earlier this year, which found compliance costs drifting downward this year, even as hours spent on SOX compliance drifted upward. But we see so much variation on cost depending on a firm’s size and its maturity (pre-IPO, newly IPO, veteran public company) that I question how useful a broad statement about SOX compliance costs really is.
Meanwhile, respondents also say they expect their most significant challenge in the coming year to be — you guessed it — cybersecurity! In second place were changes to accounting policy, such as revenue recognition, leases, and tax.
With all due respect to the survey and its respondents, I’m not sure I buy those priorities.
Everyone likes to talk about cybersecurity, but I remain unconvinced that it’s a significant SOX compliance issue simply because audit firms and regulators themselves aren’t sure how to frame it as such. Like, everyone wants to panic about cybersecurity, but nobody knows how to panic about it effectively.
Don’t take my word for it. Consider two speeches from Kathleen Hamm, former member of the Public Company Accounting Oversight Board, who twice said that audit firms play a limited role in checking the cybersecurity of their clients. And the Securities and Exchange Commission just ousted Hamm to replace her with a Trump loyalist, so the SEC could get on with rolling back attention to SOX compliance generally. This doesn’t convey a sense of thoughtful attention to cybersecurity as a compliance issue to me.
On the other hand, new accounting standards for revenue recognition and lease accounting, plus more auditor attention to other issues that might wind up as critical audit matters — those things are pressing, and audit firms do know how to fit them into SOX compliance, and SEC staff might indeed have questions about your controls or processes that end up in a comment letter.
So 2020 might end up with lots of compliance attention on those nitty-gritty things, while bigger issues like cybersecurity continue not to receive the attention they deserve.
Which is how it goes at a lot of firms a lot of the time, frankly.