Seventeen years after passage of the Sarbanes-Oxley Act, those not involved in SOX compliance might assume that by now it would be a rote activity requiring diminishing effort.
They would be wrong. Despite efforts and expectations to the contrary, the time and cost expended on SOX compliance have decreased little over the past decade, according to a new report by Protiviti.
In fact, in the consulting firm’s survey of finance professionals from 693 publicly held companies, half (51%) said SOX compliance hours increased in 2018. And among those, 59% said the increase was more than 10%.
Just 15% of respondents said compliance hours decreased last year.
The overall trend “reflects the fact that the cumulative time internal teams and external auditors invest in compliance activities is determined by a range of ‘beyond-SOX’ factors, including … [Public Company Accounting Oversight Board] inspections, the adoption of new accounting standards, internal technology implementations, process changes, and more,” Protiviti said.
As to cost, average internal SOX compliance costs were virtually identical last year as they were in 2017 for both large accelerated filers (companies with a public float of $700 million or more) and accelerated filers (public float between $75 million and $700 million).
Also, 56% of large accelerated filers, and 49% of accelerated filers, said their external audit fees increased in 2018.
“External auditors’ scrutiny of compliance capabilities continues to change and intensify, largely due to the PCAOB’s ongoing refinement of auditing standards and related oversight activities,” the report says.
Protiviti has been tracking SOX compliance trends for 10 years. That the level of cost and effort expended has not decreased in any meaningful way over that time “would certainly not be the expectation for those involved in this process, but it’s the reality today,” the firm wrote.
That reality suggests companies should assess where and how they can leverage analytics, robotic process automation (RPA), machine learning, and other advanced technologies in their SOX compliance activities, according to the report.
The degree to which companies are embracing such technologies varies. For example, 15% of those surveyed are using RPA for SOX compliance this year, up slightly from 11% in 2018. Machine learning is catching on much more quickly, with 13% of companies using it in 2019, compared with just 2% last year.
The most notable increases in technology usage are for data analytics (rising to 41% of companies, up from 30%) and advanced data analytics (24%, up from 8%).
“We expect the use of advanced technology by organizations in their SOX compliance activities to become even broader and more pervasive over the next 12 to 24 months,” Protiviti wrote.
Dubbing the greater efficiency enabled by today’s technologies as “SOX compliance 2.0,” the report noted that the toolkit at companies’ disposal is large. It also includes technologies related to process discovery and mining; enterprise governance, risk, and compliance; visual analytics; data visualization; segregation of duties; information security; and more.
The change wrought by SOX compliance 2.0 could be profound.
“As advanced tools test a higher number of complete data sets, rather than sampling data populations, far more exceptions will likely be identified,” the report suggested. “This will reset previous norms concerning acceptable levels of exceptions. Operating in a new realm of extreme transparency may also require new ways of thinking.”