SOX Compliance: Costs Down, Hours Up

Protiviti has released its annual study of SOX compliance costs — a mixed picture where compliance costs are drifting downward overall, even while the hours spent doing SOX compliance work are on their way up.

The report polled nearly 700 finance or audit executives. Frankly, the statistics about SOX compliance costs don’t tell us much, because they’re all over the map depending on how you group the firms. 

Large filers, accelerated filers, and emerging growth companies all saw their SOX compliance costs edge down by a few percentage points, while non-accelerated filers saw their costs rise by a painful 31 percent. Huge companies paid more, slightly less huge companies paid less, and tiny companies paid a lot more. Tech firms and consumer-facing companies paid the most, insurance paid the least. 

See Figure 1, below, for a more detailed breakdown of costs. You can place your own business into its proper category for context relevant to you. Not sure what else to say about SOX compliance costs overall.

Compliance Hours Rising

Much more interesting is that hours spent on SOX compliance rose this year. Fifty-two percent said their manhours rose this year. Within that group, 59 percent said those hours rose by more than 10 percent. That’s a lot. 

The spike in man hours is partly due to factors such as major new accounting standards that went into effect recently, and audit firms paying more attention to SOX compliance because they’re under more pressure from their industry regulator to do so. 

The line that jumped out at me, however, was this:

Internal changes, often related to digital transformation and the adoption of emerging technologies, also require SOX compliance teams to spend more time examining potential new control issues and related risks. 

That’s interesting because as buzzwordy as “digital transformation” may be, it’s a genuine, powerful phenomenon in business. For example, say a company digitally transforms its procurement process. Your inherent FCPA risks might go up, because it’s easier for a sales executive to sign a questionable contract with a high-risk third party. So as an internal control, you might integrate due diligence checks into the company’s payment system, and block payments to that party until due diligence is complete. 

That arrangement can work, but as Protiviti says, it requires SOX compliance teams to explore the potential control issues of a digital process; and figure out what controls make the most sense; and test them.

Moreover, as more business functions in the enterprise embrace new digital technologies, that’s more business functions that might introduce internal control risks somehow. So more parts of the enterprise (IT security, HR, IT audit, or operations units in the First Line of Defense) could get pulled into SOX compliance discussions. Result: more man hours spent on SOX issues. 

You have to wonder whether that pressure will ever recede. After all, you transform a business process from analog to digital only once — but once it is digital, you can transform it over and over again. Cloud-based services make the modern business process more transformable, forever. So how will that fact of life affect risk assessment and internal control mediation for the SOX compliance crowd? 

Testing, Testing; and Tech

The Protiviti report also found that companies are testing more controls, and especially entity-level controls that apply to the whole organization.

First, companies are splitting single “super controls” into smaller individual controls, which helps to identify why that super control isn’t working; you can study and test individual parts rather than the whole. Meanwhile, as noted above, new recent accounting standards have been putting financial reporting processes through the wringer, so compliance teams are testing more controls related to whatever they had to do to implement those standards. 

And as the SEC and PCAOB both continue to panic about cybersecurity and its possible risks to financial reporting — even if they’re not quite clear on how to panic about cybersecurity effectively — that also means more testing of more controls. 

The good news: the more controls you test, the more precisely you can understand what isn’t working and might need remediation. The bad news: more testing means more work for your team and more cost. 

In theory, then, SOX compliance teams should be embracing automation and other new technologies. So is that embrace of new technology actually happening? As you can see from the adjacent chart, the best we can say is “kinda.” 

Yes, more SOX teams are using technology this year to streamline their testing. On the other hand, none of the listed technologies cracks 50 percent. What’s more, the top technologies are data analytics and automated approval tools — which are nifty and helpful, but I’d hardly call them cutting-edge. 

The truly whiz-bang stuff that will push your compliance effort toward automation is still at much lower levels of adoption. Those tools are more like data visualization (23 percent), robotic process automation (15 percent), and machine learning (13 percent). Some day they’ll transform testing of controls and SOX compliance overall, just not quite today.

One other point that sticks in my mind: 47 percent of survey respondents said they didn’t use technology tools to test their SOX controls this year. Of that group, 68 percent of them said they do plan to use technology tools next year. 

So again, in theory, our chart here should look quite different by 2021 or so, as all those firms not yet using new technology to accelerate SOX testing start implementing that tech. Let’s see what the Protiviti survey says in two years’ time.