Skip to main content

Two Quick Takeaways from Five Years of SOX Surveys

Internal Audit
Internal Controls
Risk Assessment
Image of many different document types
4 min read
Ernest Anunciacion
Senior Director of Product Marketing
Published: November 17, 2020
Last Updated: April 25, 2023

Bring out the confetti cannon. Or, if you don't have one, rip up some paper on your desk, toss it into the air, and shout, "Hurray!"

That's because the State of the SOX/Internal Controls Market Report just turned five with the release of the 2020 edition

We decided to have a little fun to celebrate this special occasion—by digging up the most compelling trends and stats from 2016 to 2020, and sharing them with you. (I suppose our definitions of "fun" and "celebrated" are different from most.) 

Read on to see a selection of the top-level stats and insights, or check out the full report for all the shifts we’ve uncovered in SOX over the past half-decade.

One major takeaway we noticed throughout the course of the past five years: The internal audit function has emerged as the owner of the SOX program.

In 2016, survey responses indicated that SOX program management was handled by one of three teams: internal audit, a dedicated SOX team, or the financial reporting team. And a pretty even split, at that: 31%, 31%, and 29%, respectively.

But, by 2020, the survey results showed internal audit had taken majority ownership of SOX programs, accounting for 45% of the respondents.

Graph showing the responsibility for SOX/IC compliance management has shifted to internal audit

It often makes sense to have audit or financial reporting teams work on SOX compliance tasks such as testing and walkthroughs. But, you know what else is important for internal audit teams to work on? Proving real value, staying agile—and doing their job.

Spending too much time on SOX compliance can be detrimental to audit teams. Because of the high utilization of internal audit resources for SOX management, there has been a reduction of assurance reviews executed.

Five Years of the State of the SOX/Internal Controls Market Survey

The Sarbanes-Oxley Act has been in place for almost 20 years now, and the number of survey respondents that said their SOX compliance costs had risen has gone up year-over-year: from 36% in 2017 to 44% in 2020. In simpler terms, more people are saying their SOX compliance is going up, and that doesn't seem to be changing.

Graph showing SOX assessment costs have increased, as has the use of SOX-specific technology.

So, why is this cost increasing?

One reasoning is the complexity of SOX itself. As organizations grow and mature—and as SOX matures—the number of SOX controls inside organizations has increased. The survey showed that the number of respondents who reported 250+ controls increased 10% between 2016 and 2020.

Accordingly, as the number of controls increases, so does the amount of time spent on risk assessment, scoping, testing, and reporting processes. As mentioned above, these additional hours of tasks are becoming the responsibility of internal audit teams—costing them time and money.

A secondary reasoning: SOX compliance is still largely manual. Not pen-and-paper manual, naturally, but nowhere near the automation we expect in other areas of technology. It's largely handled by the same desktop word processing and spreadsheet tools you used in freshman English class.

Ill-fitting tools mean more time and energy dedicated to processes that devour resources from already strapped audit, risk, and compliance teams. The increasing number of hours and headcount needed to perform manual tasks is a big part of what is driving up SOX costs, the survey found. This price will continue to rise for organizations that fail to leverage SOX-specific technology to eliminate manual tasks and streamline the execution of their compliance programs.

But don't take our word for it. (And, really, it's not even our word. It's the word of hundreds of other SOX practitioners like yourself across the last five years.)

Download your copy of the full report to learn more about where SOX has been in the past few years—and where it's headed in the years to come.

About the Author
Ernest Anunciacion
Ernest Anunciacion

Senior Director of Product Marketing

Ernest Anunciacion, Senior Director of Product Marketing, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.

Online registration is currently unavailable.

Please email events@workiva to register for this event.

Our forms are currently down.

Please contact us at

Our forms are currently down.

Please contact us at