There is strong evidence that Sarbanes-Oxley, since its passage in 2002, has had a positive impact on the quality of financial reporting. In Protiviti’s annual SOX survey, two out of three mature companies reported “significant to moderate improvements to their internal controls over financial reporting structures” resulting from SOX compliance processes. There are also fewer financial restatements post-SOX: the number continues to decline year-over-year, decreasing from 1,851 in 2006 to just 737 in 2015.1
While we no longer question the effectiveness of SOX, concerns over the rising costs and resource burdens of compliance continue to plague companies. As reported by Protiviti, SOX hours have risen by more than 10% for 68% of publicly held companies, and a staggering 82% of private companies preparing for IPO. External audit fees are also on the rise as companies struggle to meet increasingly stringent regulatory requirements.
This raises the following questions: How can a CFO get more out of their Internal Audit function? How can CAEs reduce SOX spend and hours, and perform more value-add audits? Below, we take a closer look at the industry statistics.
Current State of SOX
A company’s average SOX budget is between one million and two million dollars, and Internal Audit teams spend an average of 5,000 to 10,000 hours on SOX programs annually. But 70% of those hours are actually spent on administrative tasks - mainly, reconciling and managing spreadsheets.
The Spreadsheet Problem
Today, over 95% of companies still manage their SOX programs manually on spreadsheets. While spreadsheets are useful in some contexts for organizing data, they are not ideal for managing SOX data for several reasons:
- Spreadsheet volume. For each documented control, there are five to six spreadsheets, including individual test sheets, PBC listings, RCMs and status sheets. SOX involves anywhere from 1,000 to 3,000 spreadsheets and documents.
- High user volume. Anywhere from 10 to 300 total users can be handling the RCM and data spread across multiple spreadsheets and documents.
- SOX requirements are dynamic. This means frequent changes to reports, test sheets and the overall structure of the SOX environment.
- SOX is highly cross-functional. It requires real-time collaboration between multiple departments and teams.
Some common pain points found when managing a SOX environment on spreadsheets include:
- Version control issues
- Lack of visibility
- Not enough manpower resources
- Higher error rate
- Lower external auditor leverage
What About the Existing GRCs & SOX Software?
When SOX first passed, technology companies were not sufficiently savvy in SOX to design solutions that could effectively address its pain points. As a result, the tools that initially entered the market were over-engineered to the extent that they complicated the process instead of streamlining it. Many large GRC vendors introduced “all-in-one” solutions that were clunky and ill-suited for SOX. Other companies that initially built solutions for other purposes, such as financial reporting, attempted unsuccessfully to repackage their technology to meet SOX requirements. Many public companies that experienced a failed GRC implementation became disillusioned and jaded, and eventually returned to Excel to manage SOX manually.
How can the industry move forward?
The key to maximizing SOX resources lies in leveraging technology to automate manual enterprise-wide processes. Other enterprise accounting and finance teams have already tapped into automation to drive process efficiencies. While many SOX teams have yet to fully embrace this technology, forward-thinking SOX teams are quickly seeing a return on SOX automation software. Several benefits of automation include:
- Reduced administrative hours and efforts spent on SOX
- Internal Audit teams are freed to perform more value-add audits
- Improved visibility into SOX environments
- Increased quality of internal controls
- Reduced number of financial restatements
- Improved external auditor collaboration and reliance