Is the SOX Management Problem Worth Solving?

Is the SOX Management Problem Worth Solving?

When the Sarbanes-Oxley (SOX) Act was passed in 2002 to restore investor confidence, publicly traded companies had to quickly scramble to understand the requirements of SOX compliance. In addition to the new internal control (Section 404) and executive certification (Section 302) requirements, the Act also presented Chief Financial Officers with other challenges. A 2003 survey of CFOs by Protiviti claimed companies were undergoing significant changes to achieve compliance that went well beyond Sections 302 and 404, including addressing audit committee oversight, board composition and structure, and auditor independence. As a consequence of these massive requirements, for the first several years, companies spent significant amounts of money bringing in experts and consulting firms to help them put compliance programs together.

Companies also sought out SOX software. But given the newness of the Act, there was little guidance or experience to help software builders understand the features needed to address the biggest pain points of Sarbanes-Oxley.

This was echoed in a review on available SOX software in 2006 by Accounting Today:

The problem with SOX is that while it details the reports and statements that are necessary for compliance, it does not detail the methods or techniques that have to be employed to back up these statements. There is no one “right way” to comply with the requirements of Sarbanes-Oxley. In turn, that pretty much leaves the field of what constitutes “SOX compliance software” open for interpretation.

Regardless, software companies rushed to create “SOX tools” by adding modules or tweaking their existing auditing software to address SOX compliance. These tools were pushed out in a rush to capitalize, and thus a software market ill-suited to solving SOX reporting’s major problems was born. Fourteen years after the passing of Sarbanes-Oxley, these solutions largely failed to make SOX any easier. Most companies ultimately returned to using spreadsheets, which became the industry standard for SOX management. Today, 95% of companies still manage SOX manually on spreadsheets.

Most of the initial solutions marketed as “SOX software” were originally designed to address different end-goals altogether, such as SEC reporting or Governance, Risk and Compliance. Not to mention, this software was extremely costly. Companies shelled out $100,000-$200,000 a year for these so-called SOX tools, which in actuality were just audit tools designed to address a multitude of other problems, in addition to SOX. Oftentimes, companies had to hire a full-time employee just to manage their new SOX tool, since they were oftentimes difficult to navigate, over-engineered, and not specifically designed to eliminate SOX management’s major pain points. Ultimately, companies ended up overpaying for a tool that did not help them streamline their SOX management. Cue the mass exodus back to tried and familiar spreadsheets.

However, recently there has been a shift towards seeking out SOX software once again. This can be attributed to a number of changes that have impacted the industry’s perspective towards software solutions.

PCAOB and SEC Requirements Have Risen Significantly

Testing requirements and document requirements have all gone up significantly, and with them, audit fees have risen as well. Protiviti’s latest report on the costs of SOX compliance shows external audit fees have risen for over half of large accelerated and accelerated filers, with 32% of large accelerated filers and 52% of accelerated filers reporting increases of over 10%. While this may seem like a small number, for a company spending 1 million on SOX to see an increase of $100,000 in a year, this is a pretty huge leap. Unfortunately, this appears to be the new normal, as costs are projected to continue rising. As such, the time is ripe for companies to reevaluate how they can reduce SOX costs and hours. A large area where SOX hours and costs can be saved are in the administrative efforts of SOX, which can be reduced through the right software.

The Rise of Cloud-Based Technology

With the wide acceptance of cloud-hosting platforms such as AWS, Rackspace, and Azure, many businesses have become receptive to the once eyebrow-raising concept of cloud-based technology. In the past, onboarding a company onto SOX software would require the involvement of both IT and procurement teams to prepare the company’s information for implementation. Typically, this was a lengthy process that could take up to 6 months, when a company would already be in mid-year testing. Cloud tech has changed this dynamic. These days, a Director of Internal Audit can make a decision to buy SOX software and have it up and running in as little as 20 days. Depending on how fast that software can be implemented, the period of time from decision to buy to implementation can be a matter of weeks.

The Growing Internal Audit Talent Gap

The growing Internal Audit talent gap has become a widespread industry theme. In a recently-published study of more than 1,200 CAEs by Deloitte, 57% of CAEs were not satisfied that their Internal Audit teams had the necessary skills to deliver on stakeholder expectations for efficient audits and insightful reports. In PwC’s 2016 State of the Internal Audit profession study, CAEs responded talent shortages were the most significant barrier to increasing their contribution as leaders. As a result, companies are left to supplement Audit functions with highly-experienced consulting firms, constituting a huge driver of increased costs. This has acted as a motivator for companies to seek an alternative in the form of software.

Product Market Fit

In the first decade after Sarbanes-Oxley passed, no tool was successfully able to improve every facet of SOX management nor make it worthwhile for companies to replace their spreadsheets with software. There was no dominant SOX software on the market. This is partially due to the fact that it took time for the industry to wrap its head around SOX since it is such a large, technical, and cross-functional effort. In fact, the biggest issue with existing SOX solutions is they don’t account for the fact that Internal Audit teams are made up of different user roles with different user needs, along with the needs of the CFO, Controller, and the rest of the organization affected by SOX. An effective SOX solution must be easy to use for all functions that are audited and have ownership in their SOX environments – IT, accounting and finance groups, logistics, payroll, and HR, for example. These functions need a solution that is appropriately built to address each of their roles – from process owners and auditors in each entity.

The Future of SOX Automation

All of these factors compounded have become a catalyst for driving Internal Audit teams to look for ways to reduce their costs. SOX can be a costly effort and a huge resource and time drain on companies, as evidenced above. There has been a void of software that effectively addresses SOX, but thankfully companies are starting to think more strategically when building SOX software. Companies founded by former Internal Auditors, such as AuditBoard, are designing software that centralizes data, eliminates the use of spreadsheets, and makes it easy for all user roles to gain real-time status updates and generate reports quickly. AuditBoard is the first SOX solution in the industry to truly streamline SOX compliance by addressing all the pain points for testers, reviewers, process owners all in a very easy-to-use, yet powerful solution. Learn more about our product on our products page, or request a demo today.


Daniel Kim, CPA, is co-founder of AuditBoard. Formerly global head of audit for two multibillion-dollar public companies, Daniel leverages his 15+ years of audit, risk, compliance, and SOX program consulting with hundreds of pre-IPO and public companies to deliver modern solutions for today’s corporate audit needs.