Where do our SOX programs stand today? Two reports

Two firms recently released reports on SOX Compliance trends: Protiviti and Deloitte.

I need to make one important point.

When I was responsible for SOX at my company, I wanted to find out what our internal SOX compliance costs were. To my surprise, more than 50% of the costs were incurred by management: supporting testing by both internal and external audit teams, maintaining the documentation, answering questions, and helping with the scoping.

The surveys on cost performed by firms like these two tend to ignore the management-related costs. Keep that in the back of your mind as we review the two reports.

Protiviti shared the results of their annual SOX surveys in Assessing SOX internal costs, hours, controls and other trends in the results of Protiviti’s 2022 Sarbanes-Oxley Compliance Survey. It has a great deal of information and is worth downloading and reading.

Protiviti’s Executive Summary includes this (with my highlights):

Escalating compliance costs, time and efforts have a silver lining: They are driving more investments in automation and technology tools that generate greater efficiencies — and potentially cost savings as well as effectiveness and coverage benefits — into the SOX compliance process. Our data indicates that technology tools currently support an average of one-fourth of SOX compliance work across all companies, and a majority of programs deploy audit management and/or GRC platforms. These results are promising: Greater use of enabling technologies can, over time, help moderate jumps in internal SOX compliance costs. That said, more progress is needed. Many programs have yet to begin using an audit management platform while most have yet to leverage more advanced technology tools in their SOX programs.

There also are opportunities to pursue procedural and structural changes in SOX compliance programs. Shared services or “centers of excellence” approaches — managed internally or by an external outsourcing partner — offer substantial opportunities for efficiency improvements, especially when it comes to the highly defined and repeatable tasks, such as gathering and organizing evidence, and control testing, that dominate SOX compliance efforts. Many of the forces driving internal SOX compliance costs and hours higher are, for the most part, beyond the control of companies. This is not the case with investments in compliance automation and broader technology enablement as well as alternative delivery models that generate greater efficiency over the long term. Internal audit and finance leaders, together with their C-suite colleagues, should avoid delaying their evaluation and pursuit of opportunities in these areas.

I have highlighted two sections:

  1. While technology can provide useful functionality in managing a SOX compliance program, the ROI for what can be expensive software is not always clear for companies without hundreds of key controls. In addition, my experience with some of the software is that it doesn’t always support the top-down and risk-based approach explained in PCAOB and SEC guidance; it doesn’t identify significant accounts and then the key controls relied upon to prevent or detect potential material errors or omissions in those accounts.

The consulting firms preach that you can use technology for testing. However, the potential is not nearly as great as they indicate. We need to perform testing that provides reasonable assurance of the existence, design, and operation of the key controls we rely on. Most of the software tests the data, not the controls – and just because the data is clear you cannot assume that the controls are in place, adequately designed, and consistently operating as they should.

Protiviti says this later on, which is highly questionable:

Automation platforms and applications bring greater efficiency to SOX compliance activities. The deployment of process mining, advanced analytics, robotic process automation (RPA) and continuous monitoring, along with other advanced technological tools, can significantly reduce the volume of manual compliance tasks as well as retention risks associated with subjecting internal full-time staff to heavy loads of repetitive, task-driven work.

  2. These “shared service centers” for SOX testing, if outsourced, are a return to the use of expensive consulting firms for testing – not something I recommend. If they are run in-house, staffed by people who do nothing else, then they may not be in tune with the business. I would think twice (or more) before doing this. There is huge value in a SOX team that suggests better controls and process improvements in addition to testing key controls.

Protiviti tells us in the report that, on average, 41% of internal SOX costs goes to outsourced resources.

On the other hand, this is correct:

A combination of internal and external factors creating volatility — technology-driven transformation and innovation, talent shortages, strategic pivots and more — is contributing to rising SOX compliance costs. More companies spend $2 million or more on compliance while fewer spend $500,000 or less. A surge in the number of smaller companies spending $2 million or more in SOX compliance costs likely reflects last year’s significant increase in initial public offerings (IPOs), driven by special purpose acquisition companies (SPACs).

The chart on page 12 of the report is very useful information. It shows the typical time taken for various activities, such as testing for operational effectiveness or adequate design of a key control. Unfortunately, Protiviti did not distinguish between manual and automated controls.

The results in one chart disappointed me: the percentage of controls where the external auditors relied on management testing. The average was just 26% and only 10% of respondents said external auditors’ reliance exceeded 50%.

Protiviti tells us:

In assessing year-over-year trends in external auditor reliance on management controls testing, percentages show a year-over-year decline — i.e., external auditors appear to be relying less on this testing.

Two points:

  1. At my company, EY told the audit committee they relied on my team for 80%. At the SOX Masters training I lead, a number of attendees have reported similar levels of reliance.
  2. It is important to recognize that the external auditors can rely entirely (with review) on management’s testing of key controls that are not high risk, but they can also reduce their work by placing partial reliance with limited reperformance.

I found it interesting that, according to the survey, in the average company 50% of the key controls are automated, up from 33%.

I also found it interesting that the average company has 52 significant applications, and more than half of them are cloud applications. That seems too high.

I wonder whether they have done a good job in using the top-down and risk-based approach to identify significant applications, or whether they have included applications that are involved in financial reporting but don’t contain any automated controls or other IT-dependent controls.

I am also surprised that many companies either test key reports (IPE) on a rotational basis (which should not be allowed) or only once and then not until the report is changed – 21% rotational and 36% just once. That conflicts with my empirical experience with the number of companies who have employed a baselining or benchmarking approach.

As a reminder, except when benchmarking is used for IT-dependent controls, every SOX year has to stand on its own.

Let me make one important statement:

The best path to reducing SOX compliance costs and improving effectiveness is through application (and re-application every year) of the top-down and risk-based approach. Right-size your controls!

The Deloitte report is SOX modernization: Optimizing compliance while extracting value.

They seem to agree with my important statement, above, when they say:

A SOX program that has not been challenged in years may be stale, which could be a drain on resources and impede performance, particularly if this compliance program is treated more like a “check-the-box” activity.

Deloitte also comments, with my highlights:

Management’s responsibilities related to internal control over financial reporting is to obtain reasonable assurance over the reliability of financial reporting, not absolute assurance, and the concept of “reasonableness” is objective with a range of judgments and methodologies that could be considered appropriate. Performing an effective risk assessment can help management identify areas with risks of material misstatement within the company and determine which of those areas it should focus its efforts.

Many factors could contribute to a lagging SOX program. Over time, risks evolve, or new risks are identified, and the response may have been to design new controls without always taking into consideration if any existing controls should be modified or removed. Additionally, once risks are identified, the level of risk may not be considered, such as if it’s a lower risk or a significant risk, which could result in not spending enough time in areas of significant risk or spending too much time in areas of lower risk. Controls could also have been added to manage an issue or deficiency identified without actually addressing the root cause.

Deloitte goes on to provide good advice on the risk assessment process.

But they fail miserably by recommending testing data instead of controls:

Automated testing consists of profiling certain populations and transactions with real-time results, allowing a company to be able to test up to 100 percent of the population and potentially achieve more assurance for less time and cost.

As a reminder: the data can be 100% clean even though nobody is performing the controls. Just think about how many times you left your windows open and/or doors unlocked when you left home, and even though those controls were not operating you were not burglarized.

Deloitte makes one good point, but they don’t go far enough.

They talk about automating a current manual process. That can certainly provide both efficiency and effectiveness.

But why not go further and consider whether the process should be changed – with or without modernization. There’s little point in automating an inefficient process!

If you are responsible for your company’s SOX program, I urge you to consider my SOX Masters class (one is planned for September). You can also purchase the IIA’s Management Guide to Sarbanes-Oxley Section 404.

I welcome your comments and experiences.
