SOX compliance professionals trying to find your place in the world may want to read the latest survey from the SOX Professionals Group. It’s full of benchmarking statistics about the challenges of Sarbanes-Oxley compliance this year and the technologies compliance teams are eyeing to get the job done.
The report, “2020 State of SOX & Internal Controls Marketing Survey,” polled 428 in-house SOX compliance officers on everything from the number of key controls they have, to testing work done, to control failures and deficiencies respondents may have suffered during the past year. So if you’re looking for data to help you put your own SOX compliance experiences in context, this report is a great place to start.
No clear trends emerged from this year’s data (this is the fifth annual State of SOX report) that were a stark break from prior years. For example, 44 percent of respondents said their SOX compliance costs did rise this year — but another 44 percent said their costs had remained the same, and the remaining 12 percent said their costs fell. None of those numbers were wildly different from 2019’s compliance costs.
Along similar lines, 20 percent of respondents said they use a GRC software tool as their primary technology for SOX compliance, and 39 percent said they use a SOX-specific software tool. In 2019, those numbers were 25 percent and 34 percent, respectively.
Does that mean some compliance teams are dropping GRC software tools in favor of SOX-specific tools? Possibly. In numbers great enough to suggest a broader shift that other SOX compliance leaders should consider? I dunno. Might just be the luck of the draw in who responded to this year’s survey compared to last year’s.
With that grain of salt taken, let’s consider a few of the report’s other primary findings.
Internal Audit Still Heavily Involved
Forty-five percent of respondents said their internal audit teams led the charge on SOX compliance, down from 46 percent in 2019. Another 36 percent said they had a dedicated SOX compliance team, up from 34 percent in 2019.
The big trend here isn’t so much that internal audit is becoming less involved, or dedicated SOX teams are becoming more prevalent; both figures have fluctuated in a narrow range over the last five years. Financial reporting teams, however, are less likely to play a leading role in SOX compliance: only 12 percent this year, compared to 22 percent in 2018 and 27 percent in 2016.
Within the group where internal audit leads SOX compliance, 31 percent said SOX compliance burdens consume more than half their time. Meanwhile, 44 percent of those internal audit teams also said they perform fewer than 10 operational audits each year.
Put those two findings together. They tell you that a significant number of internal audit shops are spending so much time on SOX compliance that they can’t audit other risks — which seems like a precarious state of affairs when corporations are gripped with pandemic disruption, recession, cybersecurity threats, and vigorous enforcement of privacy, sanctions, and anti-corruption laws.
So perhaps we shouldn’t be surprised that respondents’ top priority for the coming year is — wait for it — improving efficiency of the SOX function (cited by 42 percent).
Enter the Coronavirus Imperative
That goal of greater efficiency makes sense, but what intrigued me most was a line the report included right after that statistic: “The amount of time SOX professionals spend managing disconnected pieces of data is a driver for prioritizing the efficiency of the SOX function.”
Now, we should be aware that the SOX Professionals Group is sponsored by Workiva, and Workiva sells software to help audit and compliance professionals tie disconnected pieces of data together. So that point does neatly align with a Workiva sales interest.
That doesn’t mean the point is wrong. On the contrary, I think it’s an excellent point no matter who raises it, because coronavirus has forced untold millions of us to work remotely, which means the risks of disconnected pieces of data are soaring. Building stronger systems of data governance and IT controls (especially access controls) will be crucial to combat the SOX compliance risks that coronavirus raises.
How will that translate into SOX compliance changes in the coming year? You tell me. (Seriously, tell me: I’m at [email protected] and would love to hear what you’re doing.)
Clearly that work will involve some revisiting of control design, since coronavirus has radically altered our daily operating processes. Control failures also tend to happen because the control was not properly performed, enforced, or monitored — and all of those errors become more likely when people are working physically apart from each other, communicating and supervising each other virtually.
One clue: survey respondents did say they’re looking long and hard at continuous controls monitoring as one strategy to boost SOX compliance efficiency. CCM would also help against exactly those heightened risks that coronavirus presents.
Only 12 percent of respondents said they’ve already implemented CCM; another 55 percent said they’re considering it. That’s up from 53 percent looking at CCM last year.
Looking is nice. But if SOX compliance people are serious about this, let’s hope that number starts to shift from “looking” to “implemented” in the next few years.