The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates

Executive Summary

Consider the possibilities: Few board members and C-suite leaders view SOX compliance as a hotbed of opportunity for process innovation or leading-edge technology. They may want to reassess their perspective.

More companies are embracing a new, “next-generation” SOX compliance mindset, one that prioritises introducing tools and technology to support the company’s internal controls systematically and efficiently. Companies are attacking climbing compliance costs by taming the complexity of their control environment and exploring and pursuing options to further tech-enable controls and testing activities.

By the numbers: Protiviti’s annual Sarbanes-Oxley Compliance Survey provides detailed benchmarks for compliance costs and hours, while quantifying the impact of technology, automation and changing business conditions on these measures and activities.

  • A growing number of organisations are investing in automation and advanced technology tools to support their SOX compliance activities. They utilise intelligent audit management and GRC platforms, workflow automation, continuous monitoring, process mining, advanced analytics, and data visualisation tools to streamline controls testing, reporting, and other manual compliance activities. Our results indicate that more compliance programs would benefit from following suit, as there are efficiency, effectiveness and cost-saving benefits to be realised.
  • Generative AI offers exciting potential for SOX compliance.

Why it matters: Automation and technology enablement, resourcing models that include outsourcing options and centers of excellence, and greater use of standardised controls across multiple locations and complex organisations are foundational elements of a “next generation” SOX compliance program.

  • Similar to leading internal audit functions that deliver value and demonstrate relevance, next-generation SOX compliance programs need to embrace such tools and approaches in the face of unrelenting business changes.
  • While there are no shortcuts on the journey to more efficient and effective SOX compliance, there are a host of innovative ways to structure, equip and manage SOX compliance teams.
  • The introduction of automation and continuous monitoring is having a positive impact in streamlining and strengthening business process and IT controls.

The first step: Reconsider outdated notions of what SOX compliance is and can be.

63% - Organisations that use an audit management and GRC platform to enable their SOX compliance program.

But it’s not just about technology: External factors impacting SOX compliance activities, such as the SEC’s recently adopted rules around cybersecurity disclosures, the PCAOB’s annual inspection process of external auditors, and the SEC’s proposed climate change disclosure rules, highlight the broader and changing landscape of non-financial data reporting and how organisations are preparing for it.

Internal audit’s leading role: Internal audit continues to have a significant role in SOX compliance, particularly in emerging growth companies and Section 404(a) filers.

  • Internal audit functions devote nearly half of their time (47%) to SOX compliance.

Adding ESG into the mix: More than one in three organisations (37%) disclose ESG metrics and apply ICFR-type processes to that information, and we expect this number to increase significantly in the coming years, regardless of the timing of regulatory activity. 


Highlights from our study

Compliance costs are influenced by organisational size and complexity — While the increasing cost of SOX compliance is a recurrent concern, our data confirms that factors such as organisational size, complexity, process maturity and the stage of SOX compliance predominantly determine these costs. Strategies to optimise costs must consider these parameters.

SOX compliance hours continue to climb — This is likely the result of efforts to create and implement more sustainable change in SOX compliance programs, combined with increasingly complex regulatory environments and the integration of new technologies and processes throughout the organisation, all of which introduce additional risks to be managed and additional controls to be designed, operated and tested.

The use of automation and technology tools continues to rise, delivering measurable value — More than 60% of organisations use an audit management and GRC platform to enable their SOX compliance program, and three out of four are seeking opportunities to further automate their program.

ESG reporting and data are gaining more attention — A majority of organisations have initiated efforts to address the SEC’s proposed climate change disclosure rules.

Source code reviews are on the rise — Once a rather arcane component of SOX compliance, these reviews are moving to the forefront as external auditors increasingly require review of the source code underlying automated controls. This shift, driven in part by heightened scrutiny from the PCAOB, is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity.
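To make concrete what an auditor is now reading when they review "the source code underlying an automated control", here is an added illustration in Python. It is not code from the survey or from Protiviti; the control rules, the user names, the role names and the USD 10,000 dual-approval threshold are all constructed assumptions. The point is what a source code review of such a control looks for: that the segregation-of-duties rule is actually enforced in code, that the approval threshold is applied at the boundary (at, not just above, the threshold), that duplicate approvals by the same person do not count twice, and that there is no hidden bypass path. The sample journal entries at the bottom are constructed test data, the kind of evidence a test of the control would produce.

```python
"""Illustrative automated SOX control: journal-entry posting approval.

Constructed example (not from the survey). Enforces segregation of duties
and a dual-approval threshold, the kind of logic an external auditor reads
line by line when reviewing the source code behind an automated control.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple

# Hypothetical control parameters. A reviewer checks that these cannot be
# changed outside change management and that no code path overrides them.
DUAL_APPROVAL_THRESHOLD = Decimal("10000.00")
ROLES_ALLOWED_TO_APPROVE = {"controller", "accounting_manager"}


@dataclass
class JournalEntry:
    entry_id: str
    preparer: str
    amount: Decimal
    approvals: List[str] = field(default_factory=list)  # user ids who approved


@dataclass
class ControlResult:
    passed: bool
    reasons: List[str]  # empty when the control passes


def evaluate_posting_control(entry: JournalEntry, roles: Dict[str, str]) -> ControlResult:
    """Decide whether an entry may post and, if not, record every reason.

    Rules (constructed for illustration):
      1. Segregation of duties: the preparer may not approve their own entry.
      2. Each approver must hold a role in ROLES_ALLOWED_TO_APPROVE.
      3. Amounts at or above DUAL_APPROVAL_THRESHOLD need two distinct
         eligible approvers; amounts below need one.
    """
    reasons: List[str] = []
    # Deduplicate while preserving order so the same person cannot count twice.
    approvers = list(dict.fromkeys(entry.approvals))

    if entry.preparer in approvers:
        reasons.append("preparer approved own entry (SoD violation)")
    for user in approvers:
        if roles.get(user) not in ROLES_ALLOWED_TO_APPROVE:
            reasons.append(f"{user} lacks an approving role")

    # Boundary is inclusive: exactly the threshold requires dual approval.
    required = 2 if entry.amount >= DUAL_APPROVAL_THRESHOLD else 1
    eligible = [
        u for u in approvers
        if u != entry.preparer and roles.get(u) in ROLES_ALLOWED_TO_APPROVE
    ]
    if len(eligible) < required:
        reasons.append(
            f"{len(eligible)} eligible approval(s), {required} required for {entry.amount}"
        )
    return ControlResult(passed=not reasons, reasons=reasons)


# Constructed user directory and sample entries (test-of-control evidence).
SAMPLE_ROLES = {
    "alice": "ap_clerk",
    "bob": "controller",
    "carol": "accounting_manager",
    "dave": "ap_clerk",
}

SAMPLE_ENTRIES = [
    JournalEntry("JE-001", "alice", Decimal("9999.99"), ["bob"]),          # below threshold, one approver
    JournalEntry("JE-002", "alice", Decimal("10000.00"), ["bob"]),         # at threshold, needs two
    JournalEntry("JE-003", "alice", Decimal("10000.00"), ["bob", "carol"]),
    JournalEntry("JE-004", "alice", Decimal("500.00"), ["alice"]),         # self-approval
    JournalEntry("JE-005", "alice", Decimal("500.00"), ["dave"]),          # approver lacks role
    JournalEntry("JE-006", "alice", Decimal("25000.00"), ["bob", "bob"]),  # duplicate approval
]


def run_control_sample() -> List[Tuple[str, bool]]:
    """Evaluate the constructed sample and return (entry_id, passed) pairs."""
    return [(e.entry_id, evaluate_posting_control(e, SAMPLE_ROLES).passed) for e in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        result = evaluate_posting_control(e, SAMPLE_ROLES)
        print(e.entry_id, "PASS" if result.passed else "FAIL", "; ".join(result.reasons))
```

In a review, the three findings an auditor would chase are visible in this shape of code: the inclusive `>=` at the threshold (an off-by-one here lets a USD 10,000.00 entry post with one approval), the deduplication of approvers (without it, one controller approving twice satisfies dual approval), and the absence of any flag or environment variable that short-circuits the checks. The sample evidence shows one passing and one failing case for each rule, which is what a test of an automated control documents.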


A note to our readers

Protiviti can provide further detailed results and insights from this study, including where other organisations in similar industries and of comparable size, filer status and more stand in relation to a company’s own SOX compliance program. Please contact your local Protiviti office or representative for more information.

Leadership

Andrew Struthers-Kennedy
Andrew Struthers-Kennedy is a Managing Director leading Protiviti’s global IT Audit practice. Based in the metro Washington D.C. area, Andrew works with clients to help drive efficiency, effectiveness, and enhanced risk mitigation in their IT and business operations. ...
Angelo Poulikakos
Angelo is a Managing Director and global leader of Protiviti’s Technology Audit & Advisory practice. His specific areas of concentration include technology risk management, cybersecurity, IT compliance, internal audit, and automation. Angelo has over 18 years of ...