Protiviti Reports that SOX Compliance Costs Continue to Rise
Consulting firm Protiviti has released the 2022 edition of its annual survey of Sarbanes-Oxley Act (SOX) compliance costs, SOX Compliance Amid Rising Costs, Labor Shortages and Other Post-Pandemic Challenges. Protiviti found that the number of hours devoted to SOX compliance increased in 2021 for 53 percent of respondent companies – similar to the percent that reported an increase in the prior survey. (The 2021 annual survey is summarized in Protiviti: Companies are Spending More Time and Money on SOX Compliance, July 2021 Update.) Protiviti attributes increasing compliance costs to, among other things, “[i]nflation, a rising interest rate environment, ongoing supply chain volatility, a bruising talent shortage, and other economic and external factors.”
However, in Protiviti’s view, escalating compliance costs have a silver lining. “They are driving more investments in automation and technology tools that generate greater efficiencies -- and potentially cost savings as well as effectiveness and coverage benefits -- into the SOX compliance process.” Protiviti reports that, in 2021, companies used technology tools for 25 percent of overall SOX compliance activities. In Protiviti’s view, that leaves “significant room for improvement.”
Protiviti’s findings are based on the results of an online survey conducted in March and April 2022 in collaboration with AuditBoard, a cloud-based compliance management platform. Protiviti and AuditBoard polled 562 audit, compliance, and finance leaders. The survey participants, half of whom were CFOs, represented a wide range of industries, with Financial Services--Banking (27 percent), Government/Education (12 percent), and Manufacturing and Distribution (9 percent) the top three.
As set forth in the executive summary, the “Key Findings” of the 2022 survey are:
Costs continue to climb due to a range of factors: A combination of internal and external factors creating volatility – technology-driven transformation and innovation, talent shortages, strategic pivots and more – is contributing to rising SOX compliance costs. More companies spend $2 million or more on compliance while fewer spend $500,000 or less. A surge in the number of smaller companies spending $2 million or more in SOX compliance costs likely reflects last year’s significant increase in initial public offerings, driven by SPACs.
Hours on the rise as well: A majority of organizations increased the number of hours logged for SOX compliance during their most recent fiscal year. This growth is driven by the same factors contributing to rising compliance costs. SOX compliance teams are also spending more time responding to higher volumes of more detailed information requests from external auditors, whose scrutiny is intensifying in response to actions of and guidance from the PCAOB.
A growing number of companies are deploying automation to support SOX work; more should follow suit: Automation platforms and applications bring greater efficiency to SOX compliance activities. The deployment of process mining, advanced analytics, robotic process automation, continuous monitoring, and other advanced technological tools, can significantly reduce the volume of manual compliance tasks.
A widespread desire for efficiency is kindling interest in centers of excellence and alternate sourcing strategies: In addition to investing in supporting automation, compliance and internal audit leaders are evaluating and adopting internal shared services models as well as partnerships with third parties that operate external centers of excellence for controls testing.
Some additional highlights of the 2022 survey are discussed below.
Internal SOX Compliance Costs
The average annual internal cost of SOX compliance for the largest public companies (large accelerated filers) rose 9 percent to $1.451 million, up from $1.328 million in the prior survey. Internal compliance costs also rose for accelerated filers (up one percent) and for smaller reporting companies (up 27 percent) but fell three percent for emerging growth companies. The survey also found that, for companies that are beyond their second year of SOX compliance, annual costs averaged $1.468 million, up 18 percent from 2021.
Outsourced and Offshored Costs
More organizations are investing in offshore and outsourced resources to assist with SOX compliance. On average across all respondents, 41 percent of SOX internal costs were for outsourced resources (both onshore and offshore), an increase from 37 percent last year. Thirty-five percent of internal SOX costs went to offshore resources, compared to 26 percent last year.
Hours Devoted to SOX Compliance
Fifty-three percent of companies reported that hours devoted to SOX compliance increased in fiscal 2021. In contrast, 21 percent reported a decrease in compliance hours, while 26 percent saw no change. These percentages are generally consistent with the findings of the 2021 survey. Protiviti states that a “key contributing factor to ongoing increases in SOX compliance hours includes the growing number of inquiries from external auditors for more detailed information from management teams to substantiate their audit conclusions.”
Auditor Reliance on Management Control Testing
Protiviti also identifies a trend of decreasing auditor reliance on management control testing, which it characterizes as an indicator of external auditors more frequently seeking to independently substantiate their findings based on guidance from the PCAOB. Survey respondents reported that, on average, auditors relied on 26 percent of management’s testing, down from 29 percent last year.
Auditor requests may also be driving an increase in time spent by management in auditing suppliers directly. In 2022, 53 percent of respondents said that, for outsourced processes, they had to audit the supplier directly to gain sufficient comfort around the control environment. In 2021, only 39 percent reported the need to perform such supplier audits.
Technology and Automation
Protiviti’s annual surveys have historically pointed to the benefits of automating controls. The 2022 survey finds progress among survey respondents in the use of technology for SOX compliance. Protiviti emphasizes four points:
“Our results indicate that, more than ever, organizations are embracing the use of technology to enable their SOX compliance programs. A majority [54 percent] are leveraging audit management and GRC platforms, two out of five organizations are using data analytics and visualization platforms, and one in three are using segregation of duties analysis tools and continuous monitoring.
“Another positive development: In fiscal year 2021, a majority of organizations [53 percent] devoted 500 hours or more toward automating and modernizing various aspects of their SOX compliance program or otherwise enabling it with technology to drive improved efficiencies and effectiveness. Greater use of technology and automation are among the top opportunities organizations have to incorporate greater efficiencies into their SOX compliance activities. A commitment of resources is required to achieve significant progress in this area.
“On average, 25% of an organization's SOX compliance program is enabled by technology. We expect this number to continue rising over time as audit management/GRC platforms further evolve, making it easier to automate control testing all while organizations continue to invest in modernizing their financial systems and enhancing data consistency and quality.
“The most common challenges to automating controls testing are that many areas of the SOX control environment are not conducive to automation, and there is a perceived lack of time to explore automation opportunities due to other priorities.”
Perceptions of the SOX Compliance Process and ICFR Reporting
In past years, Protiviti has asked respondents about their perceptions of the benefits of SOX. For example, last year 68 percent of respondents reported that, in their view, their organization’s internal control over financial reporting (ICFR) structure has “significantly” or “moderately” improved since an ICFR external audit became required.
This year, Protiviti appears to have taken a different approach by focusing on the extension of SOX compliance processes to non-financial data. Forty-one percent of respondents stated that, during 2021, their organization applied ICFR-type processes to human capital reporting; an additional 34 percent indicated that they planned to do so in the future. Similarly, 42 percent of respondents indicated that their organization had disclosed ESG metrics in 2021 and applied ICFR-type processes to that information, while an additional 38 percent said that they planned to do so in the future.
Protiviti also asked about the corporate functions involved in SOX compliance. Seventy-four percent of respondents said that internal audit engaged in SOX activities, down from 81 percent in 2021. Internal audit was also the organizational unit most frequently cited as supporting SOX testing. On average, internal audit was reported to have spent 58 percent of its time on SOX, up from 49 percent last year.
In terms of changes in SOX compliance programs during 2021, the three areas most frequently identified as having undergone either “extensive” or “substantial” changes were:
Additional testing to justify using the work of others (38 percent).
Challenging the credentials (objectivity and competency) of others performing testing (36 percent).
Increase in scope to baseline test more IT reports (35 percent).
Comment: SOX compliance costs continue to rise for most categories of companies, and the extension of SOX processes to additional reporting areas, such as human capital and ESG, is likely to exacerbate these cost increases. This is especially likely if the SEC adopts its climate change reporting proposals. The proposed financial statements disclosures relating to climate would have a significant impact on ICFR for most companies. See SEC Unveils its Climate Disclosure Proposals, March 2022 Update. In light of the SEC’s ambitious schedule for adoption and implementation of these rules (see SEC Rulemaking is in Hyperdrive: Spring 2022 Regulatory Agenda in this Update), managements and audit committees should already be considering how their controls would be affected.
Protiviti’s annual surveys have also documented the increasing use of technology in SOX compliance and the opportunities that automation affords for reductions (or at least slower increases) in compliance costs. As noted last year in Protiviti: Companies are Spending More Time and Money on SOX Compliance, above, audit committees may want to explore with management whether it is taking advantage of opportunities to automate compliance and, if not, why not.