Protiviti’s Annual Survey Finds Rising SOX Compliance Costs
Updated: Aug 15, 2020
Consulting firm Protiviti has released the 2020 edition of its annual survey of Sarbanes-Oxley Act (SOX) compliance costs, SOX Compliance Amid a New Business Equilibrium. (The 2019 survey is summarized in Protiviti Finds that SOX Compliance Costs are Down, Hours are Up, and Technology is Slowly Taking Over, July 2019 Update.) As described in the executive summary, key findings of the 2020 survey are:
Costs continue to rise. “This has been a long-term trend in our study, reflected in both internal SOX compliance costs and related external auditor fees. SOX compliance requirements are unlikely to change significantly – to drive down costs over the long term, greater use of data, automation and technology tools is key.”
Hours are increasing. “Commensurate with costs, SOX compliance-related hours are on the rise, as well. And similar to cost trends, organizations have an opportunity to reduce hours through increased use of data and technology, including automation as well as collaboration and workflow tools.”
It’s time to embrace automation. “Automated processes and controls, along with utilization of technology tools to test controls, can create long-term efficiency, increased accuracy, and measurable time and cost savings. Of note, this also is advantageous during times such as the COVID-19 pandemic, when offices are shuttered and staff are working remotely.”
With AuditBoard, a cloud-based platform offering audit management and compliance solutions, Protiviti conducted an online survey of 735 public company audit, compliance, and finance professionals during the first quarter of 2020 (before the scope of the COVID-19 pandemic was clear). Twenty-three percent of respondents were in the financial services industry, with the remainder from a range of industries. The most common positions held by respondents were audit manager, audit staff, audit director, and finance director. Thirty-eight percent of the surveyed non-financial services organizations had $5 billion or more in annual revenue, and about half of the financial services companies had $25 billion or more in assets under management.
Internal Compliance Costs
As noted above, SOX compliance costs rose in 2019 for most companies, reversing a small decline Protiviti reported in last year’s survey. Changes in compliance costs varied with company size:
The average annual internal cost of SOX compliance for the largest public companies (large accelerated filers) increased 5 percent, from $1.309 million in the prior survey to $1.371 million. For the next tier of public companies (accelerated filers), average annual internal costs were 15 percent higher, up from $989,300 last year to $1.133 million.
For smaller companies (non-accelerated filers), SOX compliance costs rose more sharply – by 21 percent to $889,300 from $734,200 last year. However, average compliance costs for emerging growth companies (EGCs – certain recently-public companies with revenues of less than $1 billion) fell one percent. Nevertheless, at an average of $1.3289 million per company, EGC SOX costs rivaled those of large accelerated filers.
On an industry sector basis, companies in Technology, Media and Telecommunications and those in Manufacturing and Distribution had the highest internal SOX compliance costs ($1.244 million and $1.208 million, respectively). In the 2019 survey, Technology and Consumer Products/Retail led the list.
External Audit Fees
Like internal compliance costs, external audit fees rose for most companies. Protiviti observes that “external auditors have been spending more time on internal controls reviews and attestations” and that this “is likely to continue in the wake of the COVID-19 pandemic as internal control environments undergo significant changes.” Forty-nine percent of large accelerated filers, and 50 percent of accelerated filers, reported that their external audit fee increased in fiscal 2019, while only about 10 percent of each of these filer groups reported a decrease. For non-accelerated filers, 36 percent reported an increase, and 24 percent reported a decrease. For emerging growth companies, 53 percent reported an audit fee increase, while 8 percent said their audit fee decreased.
Hours Devoted to SOX Compliance
Significant percentages of companies reported that hours devoted to SOX compliance increased. For all companies in the survey, 51 percent said that their total hours increased in FY 2019. Only 13 percent of respondents said their SOX compliance hours fell, and 36 percent said they were constant. Non-accelerated filers were the least likely to report an increase in compliance hours – 35 percent of these companies said that their compliance hours were higher in fiscal 2019 than in the prior year. Almost two-thirds (64 percent) of emerging growth companies reported higher SOX compliance hours in 2019.
External Auditor Reliance on Company Testing
Protiviti asked respondents what percentage of their control testing the external auditor relied on. For all accelerated filers, the overall percentage of controls on which the auditor relied was 44 percent. In contrast, for non-accelerated filers and EGCs the overall reliance percentages were 43 percent and 39 percent, respectively. For the smaller filing company categories, these percentages have been increasing, apparently indicating increasing auditor confidence in company control testing.
Surprisingly, Protiviti finds that “the overall use of technology tools for testing controls appears to be trending down” and that “RPA [robotic process automation] and other forms of automation do not appear to be advancing significantly in the SOX compliance environment.” Protiviti offers several explanations for this decline:
Uncertainty about whether external auditors are ready to deal with automated control testing.
Concern about how much an external auditor may inquire about the testing “bot”. “Some auditors still question whether bots might actually cause more, rather than less, work when it comes to meeting control requirements and answering external auditor questions.”
Access to data at companies that were not “born digital”. “For those firms that are digitalizing now, data is not always available electronically, or it is not in the right format (i.e., it is unstructured). Additional tools are needed to structure the data properly, and that obviously causes complexity, along with extra costs, raising the barrier to automation.”
Respondents were asked which technology tools their organization used in SOX Section 404 compliance. The five most frequently reported tools were:
Data analytics -- 47 percent, up from 41 percent last year.
Automated process approval workflow tools (e.g., expense report approval process) -- 35 percent, down from 38 percent last year.
Automated reconciliation tools -- 26 percent, down from 28 percent last year.
Continuous controls monitoring -- 25 percent, down from 28 percent last year.
Access controls/user provision/segregation of duties review tools -- 25 percent, down from 36 percent last year.
Across all categories of companies, respondents’ estimates of the percentage of their key controls that were automated declined in the 2020 survey, as compared to last year. For example, large accelerated filers estimated that 24 percent of their key controls were automated, compared to 26 percent in the prior year.
Perceptions of SOX Compliance and Internal Control Over Financial Reporting
Respondents continue to be generally positive on the benefits of SOX. Sixty percent of respondents believe that their organization’s internal control over financial reporting (ICFR) structure has “significantly” or “moderately” improved since an ICFR external audit became required. Only 1 percent thought their ICFR structure had been “minimally weakened” while 8 percent reported that they did not know how it had changed.
The primary benefits of SOX compliance cited by respondents were:
Improved ICFR structure -- 61 percent, up from 57 percent last year.
Continuous improvement of business processes -- 55 percent, up from 47 percent last year.
Enhanced understanding of control design and control operating effectiveness -- 54 percent, up from 51 percent last year.
Compliance with SEC rules -- 44 percent, down from 46 percent last year.
Ability to better identify duplicate or superfluous controls -- 41 percent, down from 43 percent last year.
Improvement in company culture related to risks and controls -- 39 percent, up from 36 percent last year.
Comment: SOX compliance has imposed significant costs on companies of all sizes, and the impact on non-accelerated filers and EGCs has been substantial, given their more limited resources. Protiviti survey respondents have, however, consistently also reported that SOX compliance has created value in the form of stronger and more reliable controls. While costs rose somewhat last year, they seem generally to have plateaued for most companies. Protiviti foresees the possibility of SOX compliance cost reductions based on companies’ adoption of advanced technology as part of their SOX compliance, although, as noted, this year’s survey seems to suggest that trend has stalled. Audit committees may want to explore with management whether it is taking advantage of these opportunities.
Protiviti suggests a series of questions that management should ask the external auditor as part of managing costs, particularly in light of COVID-19. Given the audit committee’s oversight responsibilities, it may also want to consider a dialogue with the auditors around these topics, which are listed below:
Obtain external auditor agreement with the risk assessment conclusion and practical guidance for updates in fiscal year 2020.
Query their external auditor regarding the relationship between their increasing internal control attestation costs versus a potential reduction of substantive audit costs, with the expected driver being greater control reliance in aggregate audit approaches.
Understand if/how the external auditors will be applying technology/tools to the audit process to increase efficiency, while also ensuring a clear understanding of how external audit will evaluate management’s use of similar tools (e.g., RPA).
Discuss how the timing and extent of audit procedures will be impacted and coordinate on the effects of any filing extension. Organizations also should keep their auditors apprised of critical changes to business operations and how those might affect the control environment.