Fifteen years ago, the Sarbanes-Oxley Act (SOX) became law. Soon after there was a massive scramble by companies who needed a way to comply. This also gave rise to a wave of software implementations that were necessary and needed to be in place and functioning very quickly. Needless to say, this required use of technology that was available at that time. For many, the tie to this technology has not been broken.

Certainly there have been upgrades, and for some, migration to new versions and more recently to cloud based systems, but for many (about half if we use the typical generation length of around 30 years), the system they are using was put in place by a prior generation of auditors, and those who are subject to the record keeping and reporting requirements of SOX.

More recently there has been greater emphasis on risk-based approaches. It is often not possible to do absolutely everything required (and certainly it is not cost effective), so many organizations have developed risk-based approaches. In 2002, there wasn’t a great deal of emphasis on risk. The major risk standard at that time was probably AS:NZS4360:1999 and it wasn’t until 2009 that ISO 31000 appeared,which now forms the basis for risk in many other standards (note: ISO 31000 is under review and a new draft international standard was published Feb. 17, 2017). While reform of SOX may be under consideration, the general consensus seems to be that this will be more focussed on reforms for financial institutions, but whatever happens, the changes could be as sudden as the tsunami-like changes set off by SOX in 2002.

There are, however, changes brought about by technology that may make this next wave simpler to manage for those who are prepared. Firstly, the cloud. While many still debate the rights and wrongs of having SOX data on the cloud, there has been an increasing acceptance of the use of the cloud. Major advantages include:

• Speed to implement.

• Speed to update.

• Security.

Think of the major cloudproviders who have hundreds if not thousands of highly specialized people and systems protecting the system and data, compared with the IT resources of most companies.


The shared cost of the cloud infrastructure is typically much less than on-site implementations.

Secondly, the integration of the SOX process into all the niches of the organization has given rise to Integrated Risk Management – where risks in any part of the organization are managed consistently and rely in the interconnected data to ensure there is a single instance of the facts, so better decision making can occur and potential problems can surfaced before they become major incidents.

Thirdly, “Big Data” is here. While this can be a challenge in itself, the key is the layering of data visualization tools that sit above the data, providing insights into this massive pool of data and presenting these insights in ways that are readily understood and enable the decision makers to make informed decisions based on current data. But on-site implementations may not have the capability to take advantage of this wave as effectively as cloud based systems.

The cloud is here to stay, and now could be the best time to be considering a move.

Why is SOX Compliance so Time Intensive?

Even after 15 years, executives from large public companies say they still struggle to stabilize costs and reign in hours spent on Sarbanes-Oxley Compliance, (SOX compliance), according to Protiviti’s 2017 Sarbanes-Oxley Compliance Survey.

The key findings of the study include:

Evolving regulations increase time spent on SOX compliance

Most companies—regardless of size—saw the time they devoted to SOX compliance increase last year, and for two-thirds of those companies it went up by over 10 percent. Changing regulations—like Audit Standard AS.18 (recodified AS.2410); non-GAAP disclosures and the associated controls; increased documentation around cyber security; and increased focus on outsourced SOC reports—were likely driving factors, according to the study.  Associated regulatory requirements will probably continue to change, making it difficult to predict the number of hours organizations—particularly large, complex ones—will need to devote to compliance from year to year.

Complex organizations spend more time on SOX compliance

Not surprisingly, there is a correlation between the number of locations and annual SOX compliance costs, with a nearly $1 million average gap between the least and most complex organizations. More specifically, the survey notes that the greater the number of company locations, the greater the number of control counts will be. Nearly 43 percent of companies with more than 12 locations said between 78 and100 percent of controls were classified as key controls—significantly higher than those with 4-12 locations.

Outsourcing offers relief from SOX compliance woes

More companies are outsourcing their SOX compliance work—likely spurred by the time restraints it imposes on an organization. As a result they’re finding costs are leveling off. However, these third-party costs are generally not captured under the SOX compliance budget, but dispersed through business unit budgets. For larger organizations, this makes it even more difficult to accurately capture how much is being spent on SOX compliance.

Read “Do External Audits Cost, Save Businesses Money?”

SOX compliance work still viewed positively by executives

Despite the costs, executives reported that SOX compliance has helped them create more streamlined and lean process, which has benefits beyond compliance. But getting long-term value out of their efforts might demand a closer look at how they’re weaving compliance work into other aspects of risk control.

The role of risk management technology in SOX compliance

Such survey results should prompt executives from large—and growing—companies to consider what they can do to keep a handle on SOX compliance time and costs. Most large companies have likely already invested in some type of technology solution to support SOX compliance efforts, but that technology might be showing its age.

Executives need to examine whether their technology solutions are agile enough to help control time and costs well into the future. Learn how SaaS risk management technology can help complex, global organizations keep up with changing regulations and integrate SOX compliance into their overall ERM program.