Generative AI offers exciting potential for SOX compliance
Why it matters: Automation and technology enablement, resourcing models that include outsourcing options and centers of excellence, and greater use of standardized controls across multiple locations and complex organizations are foundational elements of a “next generation” SOX compliance program.
- Similar to leading internal audit functions that deliver value and demonstrate relevance, next-generation SOX compliance programs need to embrace such tools and approaches in the face of unrelenting business changes.
- While there are no shortcuts on the journey to more efficient and effective SOX compliance, there are a host of innovative ways to structure, equip and manage SOX compliance teams.
- The introduction of automation and continuous monitoring is having a positive impact in streamlining and strengthening business process and IT controls.
The first step: Reconsider outdated notions of what SOX compliance is and can be.
63% of organizations use an audit management and GRC platform to enable their SOX compliance program.
But it’s not just about technology: External factors impacting SOX compliance activities, such as the SEC’s recently adopted rules around cybersecurity disclosures, the PCAOB’s annual inspection process of external auditors, and the SEC’s proposed climate change disclosure rules, highlight the broader and changing landscape of non-financial data reporting and how organizations are preparing for it.
Internal audit’s leading role: Internal audit continues to have a significant role in SOX compliance, particularly in emerging growth companies and Section 404(a) filers.
- Internal audit functions devote nearly half of their time (47%) to SOX compliance.
Adding ESG into the mix: More than one in three organizations (37%) disclose ESG metrics and apply ICFR-type processes to that information, and we expect this number to increase significantly in the coming years, regardless of the timing of regulatory activity.
Highlights from our study
Compliance costs are influenced by organizational size and complexity — While the increasing cost of SOX compliance is a recurrent concern, our data confirms that factors such as organizational size, complexity, process maturity and the stage of SOX compliance predominantly determine these costs. Strategies to optimize costs must consider these parameters.
SOX compliance hours continue to climb — This likely is a result of efforts to create and implement more sustainable change in SOX compliance programs, as well as the increasing complexity of regulatory environments and the integration of new technologies and processes throughout the organization, all of which introduce additional risks to be managed and additional controls to be maintained.
The use of automation and technology tools continues to rise, delivering value-added benefits — More than 60% of SOX compliance programs use an audit management and GRC platform to enable their SOX compliance programs, and three out of four organizations are seeking opportunities to further enable automation in their program.
ESG reporting and data are gaining more attention — A majority of organizations have initiated efforts to address the SEC’s proposed climate change disclosure rules.
Source code reviews are on the rise — Once a rather arcane component of SOX compliance, these reviews are moving to the forefront as external auditors increasingly require review of the source code underlying automated controls. This shift, driven in part by heightened scrutiny from the PCAOB, is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity.
A note to our readers
Protiviti can provide further detailed results and insights from this study, including where other organizations in similar industries and of comparable size, filer status and more stand in relation to a company’s own SOX compliance program. Please contact your local Protiviti office or representative for more information.