Sarbanes-Oxley compliance costs fell for many companies last year, according to an analysis released this week — although time spent on SOX compliance work actually rose, suggesting that many companies are struggling to implement automation technologies even as demands from their audit firms keep rising.
In other words, as usual, SOX compliance is a bit of a mess.
The findings come from Protiviti’s annual survey on SOX compliance programs, published every year around this time. This year’s report, analyzing 2023 compliance costs and challenges, found that SOX compliance costs dropped for large accelerated filers, accelerated filers, and non-accelerated filers alike. Table 1, below, shows the recent trend for large accelerated filers and accelerated filers. (I dug up the 2021 and 2022 numbers from last year’s report; Protiviti didn’t have comparable data for non-accelerated filers.)
Spending trends also tracked with company size and complexity, as one would expect. For example, for companies with more than 10 locations, the average SOX compliance cost was $1.6 million; for companies with only one location, it was $704,000. For companies with $10 billion or more in annual revenue, average compliance cost was $1.8 million; for companies with $500 million or less, average cost was $651,000.
We can all cheer this year’s lower costs, but more interesting is that time spent on SOX compliance increased pretty much across the board. See Table 2, below.
If SOX compliance costs are falling but time spent on SOX work is rising, that most likely means that SOX compliance teams are trying to develop better, smoother internal compliance processes, but still struggle to get those processes right. Meanwhile, the rest of the business is still trying to expand as usual, with new IT systems, mergers, and all the other usual events.
So SOX compliance teams are somewhat trapped, trying to improve their compliance processes for an enterprise that is changing how it operates at the same time. That dynamic is nothing new for SOX compliance teams, but Protiviti’s findings underline just how challenging it can be on a daily basis.
Trying to Automate SOX Compliance
The Protiviti survey (of 564 SOX compliance professionals) also found that 74 percent of respondents do want to improve the automation of their SOX compliance program, but numerous practical obstacles make that ambition difficult to achieve. See Table 3, below, for examples of why companies struggle to automate control testing.
Hooo boy, we have a few points to unpack from Table 3. First is the 47 percent who say many areas of the SOX control environment aren’t conducive to automation. That raises the question of whether there’s some natural ceiling to how much automation a compliance program can embrace. I suppose in some theoretical world, where the enterprise operations remain largely unchanged from one year to the next, you could slowly shape the SOX control environment into something more suited to automation — but here in the real world, that’s not likely to happen. (By the way, I’d love to hear any specific examples of how your SOX program isn’t conducive to automation; if anyone wants to talk confidentially, drop me a line at [email protected].)
We also have all those other obstacles to more automation: lack of time to explore automation due to other priorities, lack of skilled talent, inability to train, manage, and govern automation efforts. That’s probably because most companies still saddle the internal audit team with lots of SOX compliance work (internal audit teams spend 47 percent of their time on SOX, according to the Protiviti survey) and internal audit teams are simply stretched too thin. They’re so busy with the here-and-now of risk assessments, control testing, and remediation, and their day job of conducting other audits, that they don’t have time to step back and build a smarter, more strategic, more automated approach.
A Word About External Auditors
For all our talk about greater automation of controls testing, it’s also fair to ask why we bother with this push. For example, if you invest time and money in an automation program, will your external audit team place more reliance on those testing results?
The Protiviti findings suggest that the answer might well be “no.” The average percentage of controls testing that external auditors relied upon was only 29 percent. On the optimistic side, one could argue that this means there is plenty of opportunity for more automation, and more use of those results by external audit. On the pessimistic side, however, we could also argue that external auditors will continue to insist on their own testing, because they’re under increasing pressure from the Public Company Accounting Oversight Board and the Securities and Exchange Commission to take a more skeptical view of their clients’ audit work.
Plenty of SOX compliance people whisper to me behind the scenes that what they encounter in the real world is the pessimistic scenario. That’s unfortunate, and it underlines the challenge of developing the right automation strategy, in close discussion with your external auditors and your senior executive overlords approving your project budget.
We have one other item to note, too: as companies embrace automated controls, an increasing number of external auditors want to review the actual source code for those controls.
Again, the portion of external auditors inspecting source code tends to increase with the size and complexity of the company. For example, 64 percent of large accelerated filers said their auditors inspected source code, while the figures were 49 percent of accelerated filers and only 32 percent for non-accelerated filers. That’s not surprising, since larger companies are more likely to have automated processes running on dedicated business ERP software.
Moreover, in our digitally transformed world where cybersecurity risk is everywhere — where cybersecurity risk and SOX compliance risk are converging into one blurry mess of access control risk — we should welcome this practice. My question is how companies might anticipate this source code scrutiny. You could, for example, perform more vulnerability scans on your Oracle or SAP software to identify security risks and seal those flaws up. By definition, your access control will improve and that will strengthen your SOX environment.
That’s enough for today. Clearly SOX compliance continues to be as challenging as ever.