Even after 15 years, executives from large public companies say they still struggle to stabilize costs and rein in hours spent on Sarbanes-Oxley compliance (SOX compliance), according to Protiviti’s 2017 Sarbanes-Oxley Compliance Survey.
The key findings of the study include:
Evolving regulations increase time spent on SOX compliance
Most companies—regardless of size—saw the time they devoted to SOX compliance increase last year, and for two-thirds of those companies it went up by over 10 percent. Changing regulations—like Audit Standard AS.18 (recodified AS.2410); non-GAAP disclosures and the associated controls; increased documentation around cyber security; and increased focus on outsourced SOC reports—were likely driving factors, according to the study. Associated regulatory requirements will probably continue to change, making it difficult to predict the number of hours organizations—particularly large, complex ones—will need to devote to compliance from year to year.
Complex organizations spend more time on SOX compliance
Not surprisingly, there is a correlation between the number of locations and annual SOX compliance costs, with a nearly $1 million average gap between the least and most complex organizations. More specifically, the survey notes that the greater the number of company locations, the higher the control counts will be. Nearly 43 percent of companies with more than 12 locations said between 78 and 100 percent of controls were classified as key controls—significantly higher than those with 4-12 locations.
Outsourcing offers relief from SOX compliance woes
More companies are outsourcing their SOX compliance work—likely spurred by the time constraints it imposes on an organization. As a result, they’re finding costs are leveling off. However, these third-party costs are generally not captured under the SOX compliance budget, but dispersed through business unit budgets. For larger organizations, this makes it even more difficult to accurately capture how much is being spent on SOX compliance.
SOX compliance work still viewed positively by executives
Despite the costs, executives reported that SOX compliance has helped them create more streamlined and lean processes, which have benefits beyond compliance. But getting long-term value out of their efforts might demand a closer look at how they’re weaving compliance work into other aspects of risk control.
The role of risk management technology in SOX compliance
Such survey results should prompt executives from large—and growing—companies to consider what they can do to keep a handle on SOX compliance time and costs. Most large companies have likely already invested in some type of technology solution to support SOX compliance efforts, but that technology might be showing its age.
Executives need to examine whether their technology solutions are agile enough to help control time and costs well into the future. Learn how SaaS risk management technology can help complex, global organizations keep up with changing regulations and integrate SOX compliance into their overall ERM program.