Two Quick Takeaways from Five Years of SOX Surveys

Bring out the confetti cannon. Or, if you don't have one, rip up some paper on your desk, toss it into the air, and shout, "Hurray!"
That's because the State of the SOX/Internal Controls Market Report just turned five with the release of the 2020 edition!
We decided to have a little fun to celebrate this special occasion—by digging up the most compelling trends and stats from 2016 to 2020, and sharing them with you. (I suppose our definitions of "fun" and "celebrated" are different from most.)
Read on to see a selection of the top-level stats and insights, or check out the full report for all the shifts we’ve uncovered in SOX over the past half-decade.
Audit has been taking the reins of SOX
One major takeaway we noticed throughout the course of the past five years: The internal audit function has emerged as the owner of the SOX program.
In 2016, survey responses indicated that SOX program management was handled by one of three teams: internal audit, a dedicated SOX team, or the financial reporting team. And a pretty even split, at that: 31%, 31%, and 29%, respectively.
But, by 2020, the survey results showed internal audit had taken majority ownership of SOX programs, accounting for 45% of the respondents.
It often makes sense to have audit or financial reporting teams work on SOX compliance tasks such as testing and walkthroughs. But, you know what else is important for internal audit teams to work on? Proving real value, staying agile—and doing their job.
Spending too much time on SOX compliance can be detrimental to audit teams. Because so much internal audit capacity goes to SOX management, fewer assurance reviews are being executed.
SOX compliance consumes time, money, and patience
The Sarbanes-Oxley Act has been in place for almost 20 years now, and the share of survey respondents who said their SOX compliance costs had risen has gone up year over year: from 36% in 2017 to 44% in 2020. In simpler terms, more people are saying their SOX compliance costs are going up, and that doesn't seem to be changing.
So, why is this cost increasing?
One reason is the complexity of SOX itself. As organizations grow and mature—and as SOX matures—the number of SOX controls inside organizations has increased. The survey showed that the number of respondents who reported 250+ controls increased 10% between 2016 and 2020.
Accordingly, as the number of controls increases, so does the amount of time spent on risk assessment, scoping, testing, and reporting processes. As mentioned above, these additional hours of tasks are becoming the responsibility of internal audit teams—costing them time and money.
A secondary reason: SOX compliance is still largely manual. Not pen-and-paper manual, naturally, but nowhere near the automation we expect in other areas of technology. It's largely handled by the same desktop word processing and spreadsheet tools you used in freshman English class.
Ill-fitting tools mean more time and energy dedicated to processes that devour resources from already strapped audit, risk, and compliance teams. The increasing number of hours and headcount needed to perform manual tasks is a big part of what is driving up SOX costs, the survey found. This price will continue to rise for organizations that fail to leverage SOX-specific technology to eliminate manual tasks and streamline the execution of their compliance programs.
But don't take our word for it. (And, really, it's not even our word. It's the word of hundreds of other SOX practitioners like yourself across the last five years.)
Download your copy of the full report to learn more about where SOX has been in the past few years—and where it's headed in the years to come.