Survey: SOX Compliance Costs Rise Again

Sarbanes-Oxley compliance executives looking to pull out even more of your hair, we’ve got you covered! A new report concludes that SOX compliance costs are rising for many types of companies, and technologies that hold the most promise to reduce costs aren’t being widely adopted.

That cheery news comes from Protiviti, which released its 2018 SOX Compliance Survey on Thursday. The report polled more than 1,000 compliance executives and is a rich source of benchmarking if you want to place your own costs and compliance experience into context with peers.

Internal compliance costs rose for all categories of public filers except non-accelerated filers — although that comes after a dip in compliance costs in 2017, so in some instances this year’s costs are still lower than what filers paid in 2016. Take a look, below.

And yes, companies with larger annual revenue generally pay more in SOX compliance costs, too. But that trend is somewhat misleading because the more accurate measure of compliance pain is SOX compliance cost per dollar of revenue.

For example, a company with $20 billion in revenue might pay $1.83 million in SOX compliance costs, which is less than 1/100th of a cent per dollar of revenue. One the other hand, company with $750 million in annual revenue might pay $1.44 million in compliance costs — 0.2 cents per dollar of revenue. And a company with $80 million in revenue and $283,000 in compliance costs is paying 0.35 cents per dollar.

So as worthwhile as SOX is for investor protection and assurance of financial statements, when CFOs of smaller public companies rant and scream about compliance costs — they do have their reasons.

Complexity Matters

The Protiviti report didn’t identify any single factor as the driving force for SOX compliance costs. Rather, numerous factors — from a company’s digital transformation of business processes, to new accounting standards, to pressure audit firms face to be more skeptical of client assertions, to corporate mergers or restructurings — are all hitting compliance programs at once.

That makes me wonder how much companies and regulators really can bend the cost curve downward, because that bending will take coordination among multiple parties on both sides of the corporation-regulator divide.

For example, clearly the Securities and Exchange Commission wants to make compliance with Section 404(b) optional for filers with less than $250 million in market cap. Well, so what? That exemption won’t do you much good if your company opts out of 404(b) compliance and your audit firm then labels your tone at the top as deficient, which is a scenario that more than one compliance officer has told me they fear.

So to offset that threat, the Public Company Accounting Oversight Board would need to revisit its audit standards and inspection of firms relating to 404(b) and internal control audits. Could that happen? Maybe, although the PCAOB is still an organizational mess right now with no senior staffers in place. Even then, we’ll still have shareholder activists ready to pounce with lawsuits any time a financial restatement happens, and they’ll use that decision to skip 404(b) as Exhibit A of management’s misplaced confidence.

You get the picture. Short of a dramatic reshaping of the business and regulatory landscape, too many of those forces driving SOX compliance costs are going to endure no matter what rollback efforts the SEC tries. We’re not seeing much evidence that SOX compliance costs will soar (as they did in the mid-2000s), but bending the cost curve in a truly downward direction seems tricky.

Short of a dramatic reshaping of the business and regulatory landscape, too many of those forces driving SOX compliance costs are going to endure no matter what rollback efforts the SEC tries.

SOX Compliance Technology

In theory, better compliance technology could alleviate some of the burden filers face. The Protiviti report does show that compliance teams are using a wide range of tech solutions to that end, but most troubling to me is that—

1. Sixty-three percent of respondents said they still don’t use technology to help in the testing of controls; and
2. The most powerful solutions (robotic process automation and data analytics) are also among the least widely used.

Now, buyer beware: Protiviti makes a living selling consulting services about how to use data analytics and robotic process automation, so it’s no surprise that the report frames Point No. 2 as a source of dismay. Still, just because the source may have an ulterior motive, that doesn’t mean the finding isn’t true.

The good news is that many filers say they plan to embrace more technology this year and beyond to automate IT processes controls. Most of them seem to have “moderate” plans, whatever that might mean, with the exception of non-accelerated filers: 61 percent have minimal or no plans at all to do more automation.

Also notable: more companies say they are “issuing a cybersecurity disclosure” — from 20 percent in 2017 to 46 percent this year. That’s not surprising given the constant barrage of cybersecurity attacks companies now suffer, and the increased scrutiny that the SEC and PCAOB both place on cybersecurity. And when a company did report a cybersecurity event, 70 percent of that group said it increased the amount of man-hours devoted to SOX compliance by 10 to 20 percent.

The frustrating part, as Protiviti diplomatically notes in its report: “the PCAOB has not found any [incidents] that have resulted in financial misstatements or material weaknesses” in internal control over financial reporting.

So yet again, we are all trying to panic about cybersecurity, but don’t yet know how to panic over it effectively.

Lots more data in the report, so SOX compliance executives should give it a read. We’ll try to do a follow-up post sometime next week.