Table of Contents

Can Audits Save Your Business?

What Is The SOX Act?

3 Challenges of Complying with Sarbanes Oxley

Sox Compliance and The Cost of Exemption

Technology Solutions and SOX Compliance

Auditing and Fraud Prevention

The Responsibility of Internal Auditors

What Happens If I Get Audited?

Can Audits Save Your Business?

Like them or not, external auditor requirements for corporate financial reporting have been proven “highly effective” in detecting corporate fraud, according to a recent study from the American Accounting Association.

Is your business exempt from Sarbanes-Oxley (SOX) external audit review? If so, that exemption may actually cost your business as much as it saves, according to a recent study published in late June by notable academic institutions.

The study, led by academics at the University of Washington and Georgetown University, found that while exemption from SOX auditing can benefit businesses financially — by way of avoiding steep audit fees — it can also cause businesses to incur even costlier expenses from misreporting, including:

  1. Lower operating performance due to non-remediation
  2. Market values that fail to reflect a firm’s underlying internal control status

What Is The SOX Act?

The Sarbanes-Oxley (SOX) Act was passed by U.S. Congress in 2002 to help curb fraudulent accounting activity by corporations. 

More specifically, provision 404(a) of the SOX Act requires organizations to establish internal accounting controls and reporting methods.  Section 404(b) requires external auditor oversight of firms’ internal control over financial reporting.

Companies with less than $75 million in market capitalizations have been permanently exempt from 404(b) since 2010, thanks to the Dodd Frank Act — a reprieve small businesses were granted for fear they wouldn’t be able to shoulder the burden of costs associated with compliance.

3 Challenges of Complying with Sarbanes-Oxley

Even if companies believe external audits can save them from the perils of fraud, they are still left with the frustrations associated with complying with Sarbanes-Oxley and other auditing requirements.

1. Requirements and Regulations Are Always Changing

Organizations have to keep pace with those changes and then change their own processes in order to meet those constantly evolving obligations. Read, “Your Auditors Care About These 8 Things”

2. Keeping Pace When the Rules Are Always Changing Costs Time and Money

It can in fact take a real toll on an organization’s resources. Without adequate staff, tools or technology, organizations might find themselves diverting resources away from business performance just to stay compliant.

3. Technology Gets Outdated Quickly

Not only do organizations have to keep their processes and reporting in line with the evolving rules and requirements, they have to keep the technology they use to support their compliance efforts up-to-date as well. And for companies that invested in technology early in the Sarbanes-Oxley era, and now have “legacy systems” in place, this can be a real struggle.

Fortunately, in the last several years integrated risk management technology has matured significantly to make compliance and audit management more agile.

Because such technology is now offered as software-as-a-service, it touts benefits like rapid deployment and modification; improved productivity for auditor and auditee; a reduction in reliance on IT staff; and an overall reduction in cost.

This enables companies to focus on problems — whether it’s fraud or any other issues an audit might highlight — instead of focusing on keeping technology working.   

SOX Compliance and the Cost of Exemption

However, the burden of compliance might be one worth shouldering, according to the study, which is entitled The benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures.

The study was based on a sample of more than 5,300 exempt organizations and annual observations from 2007 to 2014.

It certainly confirms that audit fees are no small expense — with audit fee savings amounting to an estimated aggregate of $388 million for those exempt firms evaluated during the seven-year analysis.

Still, the study found the cost of 404(b) exemption to be much greater than the savings. From 2007 to 2014, the study’s sample firms lost out on tremendous potential future earnings — estimated at $856 million in aggregate — because they didn’t properly remediate their internal controls.

Further, they experienced an additional $935 million in delayed aggregate market value because of untimely internal control disclosure.

Ultimately, the study determined, “Section 404(b) exemption is costly to the extent that it results in firms’ failure to discover or disclose ineffective internal controls (e.g., misreporting).”

The two main losses that stem from misreporting — as mentioned above — include lower operating performance due to non-remediation and market values that fail to reflect a firm’s underlying internal control status.

Technology Solutions and SOX Compliance

Consequential misreporting that occurs because of either non-compliance or a lack of oversight with accounting controls and reporting methods can be costly.

These costs of course don’t even account for the penalties and fines incurred by the larger organizations that do actually have to comply with SOX 404(b).

For this reason, larger companies turned to technology for help when the requirements were put in place. In fact, the SOX Act generated a huge increase in the provision of software to support the requirements of the act — costly and cumbersome software that is now antiquated and can’t support the evolving nature of the requirements or companies’ changing needs.

However, in the last several years, new SaaS technology has been developed to help address internal accounting controls and reporting methods–proving to be quicker, more secure and more effective, with reduced internal support required.

Even risk management technology can now integrate solutions for resolving such issues. This means the technology is accessible to large and small organizations, alike — regardless of whether SOX 404(b) compliance is required or not — and at a fraction of the costs that stem from misreporting.

More recently there has been greater emphasis on risk-based approaches. It is often not possible to do absolutely everything required (and certainly it is not cost effective), so many organizations have developed risk-based approaches. In 2002, there wasn’t a great deal of emphasis on risk. The major risk standard at that time was probably AS:NZS4360:1999 and it wasn’t until 2009 that ISO 31000 appeared,which now forms the basis for risk in many other standards (note: ISO 31000 is under review and a new draft international standard was published Feb. 17, 2017). While reform of SOX may be under consideration, the general consensus seems to be that this will be more focused on reforms for financial institutions, but whatever happens, the changes could be as sudden as the tsunami-like changes set off by SOX in 2002.

Benefits to Having SOX Data on the Cloud

There are, however, changes brought about by technology that may make this next wave simpler to manage for those who are prepared. Firstly, the cloud. While many still debate the rights and wrongs of having SOX data on the cloud, there has been an increasing acceptance of the use of the cloud. Major advantages include:

Speed to implement.

Speed to update.


Think of the major cloudproviders who have hundreds if not thousands of highly specialized people and systems protecting the system and data, compared with the IT resources of most companies.


The shared cost of the cloud infrastructure is typically much less than on-site implementations.

Secondly, the integration of the SOX process into all the niches of the organization has given rise to Integrated Risk Management – where risks in any part of the organization are managed consistently and rely in the interconnected data to ensure there is a single instance of the facts, so better decision making can occur and potential problems can surfaced before they become major incidents.

Thirdly, “Big Data” is here. While this can be a challenge in itself, the key is the layering of data visualization tools that sit above the data, providing insights into this massive pool of data and presenting these insights in ways that are readily understood and enable the decision makers to make informed decisions based on current data. But on-site implementations may not have the capability to take advantage of this wave as effectively as cloud based systems.

The cloud is here to stay, and now could be the best time to be considering a move.

Auditing and Fraud Prevention

While Sarbanes-Oxley Act auditing requirements — or any other auditing requirements for that matter — are typically considered to be cumbersome and costly by corporate executives, the risks associated with not auditing (even if your company isn’t required to do so) can be even costlier, especially if and when fraud is detected.

For instance, the typical organization loses 5% of its revenues to fraud each year, according to the most recent Report to the Nations on Occupational Fraud & Abuse, which was published in 2014 by the Association of Certified Fraud Examiners.

The report also highlighted that more than 22% of the cases in the survey resulted in losses of at least $1 million, and the median loss amounted to $145,000. The costly nature of fraud is why fraud detection is so important — and in effect, why external audits are potentially equally important.

The American Accounting Association study, published in Auditing: A Journal of Practice and Theory, suggests a link exists between weak internal controls on financial reporting and a higher risk of undisclosed accounting fraud at public companies.

That link “is an important consideration when weighing the costs and benefits of Sarbanes-Oxley,” according to a recent New York Times article, “Sarbanes-Oxley, Bemoaned as a Burden, Is an Investor’s Ally.”

Such a consideration has become of great interest lately, as Congress considers rolling back some of the act’s regulations.

The Responsibility of Internal Auditors

Internal audit departments have traditionally been viewed as a governance and compliance-driven function meant to ensure that the organization’s risk management, governance and internal control process are operating effectively in order to comply with regulations and standards affecting their businesses.

Board members expectations are being raised for internal auditors to innovate in ways that both protect and transform the business—ultimately meaning compliance is critical. Integrated risk management technology helps efficiently develop innovative ways to provide better strategy enabling internal auditors to effectively focus their efforts on predicting risk and protecting their organizations.

Data can be entered, normalized and reviewed in real-time—all in one place. Accurate information and insights are readily available and up-to-date, rather than locked away in emailed spreadsheets with old data that is no longer relevant.

Cloud-based and automated systems encourages information sharing across the organization and provides real time data and real-time analytics. Instant visual or graphical depictions of data, cuts down the time-consuming report-building and allows you to improve audit strategies, accelerate audit cycles, reduce audit cost and enhances auditor productivity.

Why internal audit needs to make the shift from checking boxes to innovating

The need to be relevant is often the main driver for internal audit departments trying to shift from compliance-based functions to transformative operations—a concept that is certainly familiar to external auditing firms also vying to be relevant and provide value to their clients.

For auditors, themselves, moving from a compliance-driven role to an innovative role is obviously going to be more professionally satisfying. But businesses, too, reap very real financial rewards from thinking of compliance in a way that is “out of the box” instead of as “checking boxes.”

But what does innovation by way of internal audit departments actually look like? According to the Institute of Internal Auditors, “pulse of the profession” study, it requires internal audit departments to transforms their operations and improve their responses to constantly evolving business disruption.

Simplified, it means they must identify and mitigate harmful risks in advance of disruption, as well as realize the upside of risk, so management can make informed decisions to protect and add value to the business.

If this sounds impossible, it’s not…at least for those organizations willing to invest in the right technology. According to PwC’s annual “State of the Internal Audit Profession” study, 56% of of internal audit leaders believe technology adoption impacts internal audit’s value to the organization.

What Happens If I Get Audited?

If your company is subject to SOX compliance or other external audit requirements — or just engages external auditors as a cost of doing business — then you might experience an increased level of scrutiny from your auditors.

That’s because a multitude of audit firms will be under increased scrutiny themselves as the Public Company Accounting Oversight Board (PCAOB) announced in late August it intends to review 195 registered auditors of public companies and other issuers in 2017 around a few key focus areas.

The nature and extent of the PCAOB inspection findings continue to significantly influence how the audit industry executes and how companies design and operate internal controls.

The key areas of focus for 2017 PCAOB reviews include:

  1. Audit areas where inspectors have identified deficiencies in the past, such as assessing and responding to risks of material misstatement
  2. Audit areas affected by recent economic developments, including the high rate of merger and acquisition activity and fluctuations in oil and natural gas prices
  3. Financial reporting areas that require significant judgment, including going concern considerations and income tax disclosures
  4. An audit firm’s compliance with new transparency rules (Form AP)
  5. Preparation for new accounting standards for revenue recognition and lease accounting
  6. Work by other auditors on multinational audits
  7. The auditor’s use of information technology, particularly software audit tools
  8. The audit firm’s system of quality control

Whether your company is subject to external audits by choice or necessity, you’re no stranger to the always evolving regulations, compliance standards and audit requirements that can send your compliance and audit process into a tailspin.

Knowing what your auditors are looking for, however, can help alleviate that stress. Are you interested in learning more about how risk management technology can solve your SOX compliance or audit woes? Read more about Riskonnect’s Sarbanes-Oxley SOX solution. 

Why is SOX Compliance so Time Intensive?

Even after 15 years, executives from large public companies say they still struggle to stabilize costs and reign in hours spent on Sarbanes-Oxley Compliance, (SOX compliance), according to Protiviti’s 2017 Sarbanes-Oxley Compliance Survey.

The key findings of the study include:

Evolving regulations increase time spent on SOX compliance

Most companies—regardless of size—saw the time they devoted to SOX compliance increase last year, and for two-thirds of those companies it went up by over 10 percent. Changing regulations—like Audit Standard AS.18 (recodified AS.2410); non-GAAP disclosures and the associated controls; increased documentation around cyber security; and increased focus on outsourced SOC reports—were likely driving factors, according to the study.  Associated regulatory requirements will probably continue to change, making it difficult to predict the number of hours organizations—particularly large, complex ones—will need to devote to compliance from year to year.

Complex organizations spend more time on SOX compliance

Not surprisingly, there is a correlation between the number of locations and annual SOX compliance costs, with a nearly $1 million average gap between the least and most complex organizations. More specifically, the survey notes that the greater the number of company locations, the greater the number of control counts will be. Nearly 43 percent of companies with more than 12 locations said between 78 and100 percent of controls were classified as key controls—significantly higher than those with 4-12 locations.

Outsourcing offers relief from SOX compliance woes

More companies are outsourcing their SOX compliance work—likely spurred by the time restraints it imposes on an organization. As a result they’re finding costs are leveling off. However, these third-party costs are generally not captured under the SOX compliance budget, but dispersed through business unit budgets. For larger organizations, this makes it even more difficult to accurately capture how much is being spent on SOX compliance.

Read “Do External Audits Cost, Save Businesses Money?”

SOX compliance work still viewed positively by executives

Despite the costs, executives reported that SOX compliance has helped them create more streamlined and lean process, which has benefits beyond compliance. But getting long-term value out of their efforts might demand a closer look at how they’re weaving compliance work into other aspects of risk control.

The role of risk management technology in SOX compliance

Such survey results should prompt executives from large—and growing—companies to consider what they can do to keep a handle on SOX compliance time and costs. Most large companies have likely already invested in some type of technology solution to support SOX compliance efforts, but that technology might be showing its age.

Executives need to examine whether their technology solutions are agile enough to help control time and costs well into the future. Learn how SaaS risk management technology can help complex, global organizations keep up with changing regulations and integrate SOX compliance into their overall ERM program.