Marketing Communications Specialist at ERP Maestro.
SOX Compliance and the Lack of Digital Transformation
New survey from Protiviti shows technology adoption for SOX compliance is gradually growing yet overall remains low.
Almost 20 years have passed since SOX (also known as the Sarbanes-Oxley Act) became federal law in the US to help protect investors from fraudulent financial reporting by corporations, and it has not been immune to technological developments. Section 404 of the SOX Act requires the establishment of internal controls and reporting methods to validate the accuracy of those controls, and different types of technologies, from data analytics to machine learning, have made waves in SOX compliance to ease the burden of manual work and increase the accuracy of results for both companies and external auditors. However, the digital transformation in SOX compliance has yet to make a lasting impression on most companies.
A newly published survey from Protiviti reveals that for the 12 technology solutions it included, more than half of respondents are not utilizing any of them for their SOX compliance process in 2019. The technology with the highest adoption rate is data analytics tools at 41 percent, while the lowest adoption rate is for machine/deep learning tools at 13 percent. While these and other tools on the list had increased adoption rates from 2018 to 2019, the fact remains that many respondents are not using technology that can make SOX compliance processes less complex and costly.
The True Cost of SOX Compliance
While SOX compliance costs are generally trending downward year over year, there are some companies still experiencing a significant increase from 2018. Regarding internal SOX costs, companies that had less than six unique locations experienced an increase, as well as companies that generate $500 million or less in annual revenue. External SOX costs also increased by at least 10 percent this year for many companies, including those that generate between $100 million and $10 billion in annual revenue.
But what’s really driving those costs? The survey indicates that many companies reported spending more hours on SOX compliance than the previous year by at least 10 percent, thereby driving up costs. This could be due to changes in regulations governing accounting and audit practices, or the addition of cybersecurity risk disclosures within the past few years. Tack on the pressure external audit firms receive from the Public Company Accounting Oversight Board (PCAOB) to follow through on practice standards, and companies are looking at inflated SOX costs in their future. The SEC, who oversees the PCAOB, also has issued guidance for companies on disclosing cybersecurity risks, putting pressure on companies and even executives to disclose vulnerabilities. This, too, has affected SOX hours as over half of companies (53 percent) that were required to issue a cybersecurity disclosure experienced an increase in SOX hours by 11 percent or higher.
The Trouble with Embracing SOX Technology
Automating internal access controls is potentially one of the best defenses in SOX compliance and can be big time and cost saver, in addition to protecting against fraud and internal threats. Yet, many companies are still lagging behind in adopting and limping along with inaccurate and inefficient manual control processes. Only 36 percent of respondents indicated they were using access controls/user provisioning/segregation of duties reviews tools in 2019. Why?
There may be multiple rationalizations for not moving to automated controls or any other SOX tool, yet none of them make good business sense. Sometimes, if companies have not experienced a failed audit or serious case of internal fraud, they exist with the false notion that “It can’t happen here,” and, therefore, don’t take the steps to put prevention tools in place –until they face a crisis and then have to pay the price.
Other times, there is a disconnect between upper-level decision makers and IT/security professionals who see and understand the risk, which prevents a company from approving spend on the necessary control tools. Likewise, companies tend to not put as much emphasis on their internal controls and security as they do on external cybersecurity when they should ideally be focused on a holistic strategy.
Companies that want to be digital-first companies, remain competitive and have optimal growth will invest not only in SOX technology but also cloud-based technology for the best future-proofed advantages. This is true for all companies, not just those accountable for meeting SOX compliance. Fraud is a massive risk today, with typical companies losing five percent of their annual revenue to fraud and internal threats and breaches becoming all too common. External audit firms know this risk all too well and are already putting the pressure on their clients to test exceptions and deficiencies, as well as putting more reliance on the work output of internal audit teams. SOX technology is getting better at reducing this pressure and helping companies gain a clearer understanding of their risk profile and what compliance processes can be improved.