For many organizations, most notably large accelerated and accelerated filers, compliance with the Sarbanes-Oxley Act has been a 15-year journey, and an unexpectedly challenging one at that.
Protiviti has been collecting data points and insights on all aspects of SOX compliance activities, costs and challenges for the past 10 years. The results of our decade of research make it clear that this groundbreaking law and the ongoing compliance activities it requires are anything but static and predictable. Numerous influences inside and outside of the enterprise – regulatory pronouncements and enforcement, external auditors’ recalibrations in response to the Public Company Accounting Oversight Board (PCAOB) mandates, a steady procession of new accounting and auditing rules, technological disruptions, cyber threats and their influence on the implementation of internal controls, digital transformation, and more – require internal SOX teams to adapt and improve continually.
Organizations have been adapting and evolving their SOX practices over the past decade in an effort to become more efficient, including but not limited to the growing use of third-party/outsourced providers. But incremental steps may not be sufficient for much longer. Overall compliance costs have edged downward this year but remain significant in most companies. SOX hours and control counts continue to increase. Such findings, combined with Protiviti’s complete body of SOX-compliance knowledge, suggest SOX compliance programs have reached a critical juncture: In our view, they must pursue and perform the same magnitude of transformation and innovation rippling across most other functions in their organizations.
In our report, we take a look at how some of these emerging SOX compliance practices are growing, while also focusing on the factors of SOX compliance efforts that generate the greatest attention: cost, hours and control counts. Upon request, Protiviti can provide more detailed results on where other organizations in similar industries and of comparable size, filer status and more stand in relation to the company’s own SOX compliance program.