Consulting firm Protiviti has released the 2021 edition of its annual survey of Sarbanes-Oxley Act (SOX) compliance costs, SOX Compliance and the Promise of Technology and Automation. A majority of companies represented in the survey reported that both internal costs associated with compliance with SOX internal control over financial reporting (ICFR) requirements and hours devoted to such compliance increased in 2020. However, as in past years, a significant majority of respondents also reported substantial improvements in their company’s ICFR as a result of SOX. (The prior annual survey is summarized in Protiviti’s Annual Survey Finds Rising SOX Compliance Costs, July-August 2020 Update.)
As described in the executive summary, key findings of the 2021 survey are:
Internal SOX compliance costs continue to rise, but the results are more of a mixed bag -- While SOX compliance costs have gone up for a number of groups of organizations, other companies have seen slight decreases. This is to be expected given the dynamics of the past year and changing operating models.
Hours continue their upward march – SOX compliance hours increased for most organizations, and among these companies, most experienced increases of 10% or more. However, Digital Leaders have experienced a lesser impact in terms of substantial increases in hours, suggesting they are gaining some advantages through their greater use of technology and automation in the SOX compliance process. [The concept of Digital Leaders is explained below.]
With technology and automation, Digital Leaders stand out -- In numerous aspects of the SOX compliance process, from the use of technology tools to automating controls in different processes, Digital Leaders are significantly more advanced than other organizations. Digital Leaders clearly are leveraging these tools to reap the benefits they deliver in terms of greater efficiencies for documentation and testing.
Automation presents challenges – Implementing automation in the SOX compliance process can present challenges for any organization. Specific hurdles include the overall level of effort, change management considerations , stakeholder buy-in and overall investment. However, there is a roadmap to achieve short-term and long-term successes.
Protiviti’s findings are based on the results of an online survey conducted in March 2021 in collaboration with AuditBoard, a cloud-based platform offering audit management and compliance solutions. The positions held by the 660 survey respondents included audit manager (18 percent), chief financial officer (13 percent), chief audit executive (12 percent), audit director (11 percent), and finance director (11 percent). The industries represented covered a wide range, with Financial services--banking (13 percent), Manufacturing and distribution (other than technology) (10 percent), and Technology (software/high-tech/electronics) (8 percent), the top three. Thirty-four percent of the non-financial services organizations represented in the survey had $5 billion or more in annual revenue, and 56 percent of the financial services companies had $10 billion or more in assets under management. Eighty-two percent of the companies represented were subject to both SOX Section 404(a) (management reporting on ICFR effectiveness) and Section 404(b) (auditor reporting on ICFR effectiveness).
For the first time this year, Protiviti classified responding companies according to their self-assessed level of digital maturity and presented results separately for those classified as “Digital Leaders.” Digital Leaders were those companies categorized as either “digital experts” (organizations that have a proven track record of adopting emerging technologies) or as “digital top performers” (organizations that have a proven track record of disrupting traditional business models). Twenty-seven percent of companies in the survey were deemed to be Digital Leaders.
Some highlights of the 2021 survey are discussed below.
Internal SOX Compliance Costs
As noted above, SOX compliance costs rose for most companies. Changes in compliance costs varied with filer status and company size:
The average annual internal cost of SOX compliance for the largest public companies (large accelerated filers) declined to $1.328 million, from $1.371 million in the prior survey. Internal compliance costs rose for all other filer categories (accelerated filers, smaller reporting companies, and emerging growth companies).
For Digital Leaders, internal compliance costs averaged $1.44 million. For all other companies, cost averaged $1.199 million. Since this is the first year that Protiviti has grouped companies according to their digital sophistication, Digital Leader comparisons to prior years are not available.
On an industry sector basis, companies in Energy and Utilities companies had the highest average internal compliance costs ($1.446 million), followed by Technology, Media and Telecommunications ($1.402 million). Healthcare Providers had the lowest costs ($922,220). In last year’s survey, Technology, Media and Telecommunications lead the list.
Hours Devoted to SOX Compliance
A majority of companies reported that hours devoted to SOX compliance increased in fiscal 2020. Fifty-eight percent of Digital Leaders and 52 percent of other organizations said that their internal hours increased. In contrast, 17 percent of Digital Leaders and 18 percent of other organizations reported a decrease in compliance hours.
Protiviti observes that Digital Leaders appear to have experienced smaller increases in hours than other companies. Of those Digital Leaders reporting increased hours, fewer reported increases exceeding 10 percent than did their less sophisticated peers. “This can be an indication of some advantages they are gaining through the use of technology and automation in the SOX compliance process. In addition, given their greater use of technology and automation, it is possible that amid the pandemic, Digital Leaders were less impacted by newly implemented remote testing requirements.”
The number of organizations reporting decreased SOX compliance hours rose in 2020 compared to the prior survey. Protiviti notes that this is “another likely effect of the pandemic and the ensuing changes on compliance activities, including but not limited to curbs on traveling and office visits.”
Technology and Automation
Protiviti’s annual surveys have historically pointed to the benefits of automating controls. In Protiviti’s view, “automated controls and testing deliver numerous benefits -- there are countless examples that can be found among Digital Leaders and other organizations.” The survey asked respondents to identify the five greatest challenges to automating SOX compliance processes in fiscal 2020. The challenges reported, along with the percent of respondents citing each, were:
Level of effort to implement, train, govern, and maintain – 56 percent.
Lack of time to spend exploring automation due to other priorities – 55 percent.
Many areas of the SOX control environment are not conducive to automation – 49 percent.
Lack of funding and/or executive support for automation – 41 percent.
Lack of knowledge on available tools and technology – 41 percent.
According to Protiviti, these challenges are compounded by the fact that, “when it comes to SOX compliance and testing, management often times does not trust automation” because of “concerns about looking at full populations of data which may reveal exceptions that need to be addressed.”
Protiviti suggests the following “path to success for chose who have yet to undertake any automation-related initiatives”:
“The first key step is to get started, ideally focusing on automating one area that may present a relatively easy opportunity for success. Once the SOX compliance team achieves a few such "wins," automating the testing process becomes easier to put into place. Also, if the internal audit group helps develop the automation, it subsequently has the opportunity to tum it over to the business to manage. This represents a win both for internal audit and the business.
“In addition, if there is an opportunity to work in partnership with the external auditor to automate testing, the trust factor between the two groups will grow, furthering the possibility that the external auditor can increase its reliance on internal audit's testing of controls * * *.”
Perceptions of the SOX Compliance Process and ICFR Reporting
As in past years, respondents were generally positive on the benefits of SOX. Sixty-eight percent of respondents believe that their organization’s ICFR structure has “significantly” or “moderately” improved since an ICFR external audit became required, up from 60 percent last year. However, the number of respondents with a negative view also increased: Four percent of respondents said that their company’s ICFR structure had been either “minimally weakened” or “moderately weakened” since external auditor ICFR reporting began, compared to one percent who held that view last year. Six percent reported that they did not know how the company’s ICFR had changed.
The primary benefits of SOX compliance cited by respondents were:
Improved ICFR structure – 59 percent (Digital Leaders), 64 percent (other organizations).
Continuous improvement of business processes -- 55 percent (Digital Leaders), 48 percent (other organizations).
Enhanced understanding of control design and control operating effectiveness -- 52 percent (Digital Leaders), 63 percent (other organizations).
Improved compliance with SEC rules -- 50 percent (Digital Leaders), 49 percent (other organizations).
Ability to better identify duplicate or superfluous controls -- 45 percent (Digital Leaders), 37 percent (other organizations).
Improvement in company culture related to risks and controls -- 44 percent (Digital Leaders), 54 percent (other organizations).
Comment: While SOX compliance costs continue to rise for most categories of companies, Protiviti’s annual surveys have also documented the possibility of cost reductions (or at least slower increases) based on greater use of automation and technology. The concept of analyzing SOX compliance costs based on the level of company digital sophistication seems to further illustrate this point. As noted in last year’s Update, audit committees may want to explore with management whether it is taking advantage of opportunities to automate compliance and, if not, why not. Discussion of the five challenges to automating SOX compliance that Protiviti identified in this year’s survey could be a starting point.