Protiviti’s 2022 SOX compliance survey reveals that SOX compliance hours and costs continue to climb across most company sizes, industries, and reporting types. The silver lining is that internal audit and SOX teams are ramping up efforts to automate and streamline their compliance efforts — paving the way for greater efficiencies and potential cost savings down the line. Leaders in this space are making greater investments in automation technologies as well as making structural changes to their SOX programs to drive efficiencies, highlighting a notable dedication to innovation and improvement.
The survey, conducted by Protiviti with support by AuditBoard in March and April of 2022, reflects the current state of SOX programs as organizations face inflation, rising interest rates, labor shortages, and other economic challenges affecting internal control environments. Read on below for the top five takeaways from the 2022 report, register for our June 23 webinar for a deeper dive, and download your free copy of SOX Compliance Amid Rising Costs, Labor Shortages and Other Post-Pandemic Challenges.
Five Key Findings From the 2022 Protiviti SOX Survey
1. Costs continue to climb.
Talent shortages, increased scrutiny from external auditors and the Public Company Accounting Oversight Board (PCAOB), strategic pivots, and technology-driven transformation are factors contributing to rising costs.
- More companies spend $2 million or more on compliance while fewer spend $500,000 or less.
- A surge in the number of smaller companies spending $2 million or more in SOX compliance also reflects the increase in initial public offerings (IPOs), driven by special purpose acquisition companies (SPACs).
- Higher internal SOX compliance costs are also being driven by increased testing. Organizations are performing more baseline testing of key system-generated reports used in key SOX controls. When it comes to such standardized reports and SOX 404(b) compliance, both audit firms and organizations have become more risk-averse, thus more time is required to test them.
2. Hours continue rising.
A majority of organizations increased the number of hours logged for SOX compliance during their most recent fiscal year. This growth is driven by the same factors contributing to rising compliance costs.
- A key contributing factor to rising hours is higher volumes of detailed information requests from external auditors, whose scrutiny is intensifying in response to actions and guidance from the PCAOB.
- A majority of organizations are auditing suppliers directly to gain sufficient comfort around the control environment — also linked to external auditor requests for deeper and more detailed information to substantiate audit findings.
- Consequently, external auditors are also spending more hours on testing (more on this below).
3. External auditors appear to be relying less on management controls testing.
Assessing year-over-year trends in external auditor reliance on management controls testing, percentages show a year-over-year decline. This decline is likely an indicator of external auditors seeking to independently substantiate their findings on a more frequent basis, per guidance from the PCAOB.
4. Investment in SOX automation technology is growing.
More and more companies are deploying automation to support SOX work, with the majority (54%) leveraging audit management and GRC platforms. According to Protiviti, these results are promising, as greater reliance on automation can help moderate jumps in internal SOX compliance costs.
- Two out of five organizations are using data analytics and visualization platforms, and one in three are using segregation of duties analysis tools and continuous monitoring.
- A majority of organizations (53%) devoted 500 hours or more toward automating and modernizing various aspects of their SOX compliance program or otherwise enabling it with technology to drive improved efficiencies and effectiveness.
- Despite rising key control counts, the percentage of automated key controls has risen significantly — a positive trend. Greater use of cloud applications with built-in automated controls is likely fueling this trend.
5. Organizations are restructuring their SOX compliance models for efficiency.
Alternative delivery models for SOX compliance services have become more appealing in the wake of rising SOX compliance costs and hours. A widespread desire for efficiency is kindling interest in using centers of excellence and outsourcing for SOX controls testing — the same approaches organizations have deployed to manage numerous finance, accounting, tax, and other back-office processes.
- 46% of organizations rely on third-party service providers for SOX testing efforts.
- Organizations typically consider a third-party model in response to one or more triggering events, e.g., a surge in annual SOX compliance costs and/or hours.
- This approach to SOX compliance yields the following benefits: efficiency improvements, access to advanced automation and tools, an opportunity to reduce compliance cost increases, and staffing and retention advantages.
SOX programs remain vulnerable to future external factors that could compromise internal control environments while contributing to rising SOX compliance costs and hours. This is why it is essential to invest in improvements now that create efficiencies and free up staff for more value-add projects. Download the 2022 SOX Compliance Report: SOX Compliance Amid Rising Costs, Labor Shortages and Other Post-Pandemic Challenges to benchmark your SOX program time, costs, and efforts against the survey results — and for a deeper dive, register for our June 23 webinar discussion of the report findings.