In the early days after the Sarbanes-Oxley Act (SOX) took effect in 2002, companies expected to struggle for a few years under the added costs and effort required to comply with the new law. Then, they believed, the annual compliance exercise would gradually evolve into a relatively stable one.
The first expectation was certainly realized. The second was too, but to a much lesser extent.
The compliance picture continues to shift year by year, according to a new report from management consulting firm Protiviti. Notably, costs continue to rise in response to external changes, such as new laws and regulations, as well as the transitions many companies are traversing.
“Organizations today are subject to more frequent, significant, and fast-moving changes,” Protiviti says in its report on a survey of 1,004 organizations, undertaken in this year’s first quarter. “These include changing organizational structures and processes undergoing digital transformation that, in turn, call for changes in SOX compliance practices.”
Another influence on costs is an increase in M&A and divestiture activity, which has been building steadily over the past year.
Many activities associated with such deals “come with the potential for material changes to a company’s SOX compliance work, with some requiring extensive changes to scope and underlying control activities that its auditors need to assess,” Protiviti notes.
With respect to internal SOX compliance costs, for large accelerated filers (public float of $700 million or more) the average increased by 17.2% this year compared with 2017, reaching $1.34 million.
But this year’s average cost for that group of filers was almost identical to what they experienced in 2016, underscoring the volatile nature of SOX compliance costs.
The pattern was similar for accelerated filers (public float of at least $75 million and less than $700 million). Their internal costs climbed by 24.3%, to an average of $997,000, after having declined by 12.3% last year compared with 2016.
In part the larger tabs reflected compliance work necessitated by the new revenue recognition standard, Protiviti says.
The proportion of companies that spent at least $2 million on compliance swelled to 28% for both large accelerated and accelerated filers, up from 18% and 10%, respectively.
On the other hand, internal costs for non-accelerated filers (public float of less than $75 million), most of which were not yet subject to the new revenue recognition rules in 2018, went in the other direction, falling off by 19.9% to $561,000.
It was the second consecutive steep decline for the smallest filers, which spent 42.6% less last year than they did in 2016. That year, costs for non-accelerated filers were actually greater than they were for accelerated filers.
“More than ever, SOX compliance costs appear to hinge on an organization’s unique circumstances and structure, including but not limited to its number of controls and locations, as well as the number of regions in which it operates,” Protiviti comments in the survey report.
External audit costs for SOX compliance were up as well, for 50% of the largest group, 23% of the middle group, and 39% of the smallest group. Such costs were lower for only 6%, 6%, and 11% of organizations in those groups, respectively.
“Numerous factors likely are contributing to this, from annual compensation increases for staff to greater demands on auditors by the [Public Company Accounting Oversight Board],” Protiviti writes.
Companies likely could mitigate their costs through greater use of automated tools, the survey data suggests. For example, just 11% of those surveyed use robotic process automation (RPA) for internal SOX compliance activities.
And only 28% of the survey participants use technology tools in the testing of controls to comply with SOX Section 404. In that area, companies generally appear to be stuck.
“Assessing our SOX compliance survey results over the past few years, there has been minimal movement in the percentages of key controls that are automated,” Protiviti says. “In addition, fewer companies are indicating significant plans to automate a broad range of IT processes and controls.”
The consulting firm counsels that for those not planning to pursue embedded automation within enterprise systems, “RPA offers an opportunity to deliver automation without significant system integration efforts.”