Staying in compliance with SOX can be costly, say experts.
For years, industry observers have complained that the passage of the Sarbanes-Oxley (SOX) accountability and responsibility act has caused serious financial hardship for many companies. However, a recent report from Big Four accountancy firm Ernst & Young is challenging those claims, suggesting that companies should work even harder to improve their SOX compliance.
The survey of 225 executives from around the world reveals some of the main concerns and challenges with SOX compliance. The report, entitled ‘Think outside the SOX box,’ also indicates that only three percent of the executives surveyed have fully automated more than half of their key controls.
According to the report, nearly 40 percent of the executives surveyed consider the high cost of compliance to be one of their major SOX challenges. In addition, 37 percent of respondents said they spend up to $2 million on SOX testing, while 14 percent spend up to $5 million each year on SOX overall. More than a third of respondents (35 percent) indicated that they had more than 1,000 controls at their company, with 61 percent saying they are spending at least five hours testing each individual control.
‘The assumption always was that costs would go down in time, as companies became more accustomed to SOX, and perhaps automated [but] the above data suggests that the costs are still significant and automation has not fully occurred,’ says James Fanto, a professor of law at Brooklyn Law School.
‘This [report] is a cause for concern, especially if one is not convinced that SOX has actually done what it is supposed to do: reduce financial fraud or other financial problems in companies,’ says Fanto. ‘The jury is still out on this point.’
Moreover, half of the survey respondents claim that they use outside providers for some part of their SOX compliance. Roughly 81 percent of executives polled said their internal audit department was involved with SOX in some capacity; 40 percent indicated internal audit devoted at least a quarter of its budget and capacity to SOX testing alone. In fact, testing was a sore spot for respondents; 66 percent claimed to use outside resources for testing.
The report does, however, outline the benefits of automated testing, outsourcing resources, leveraging information technology investment and innovation. Additionally, survey respondents suggested that reducing costs by automating and outsourcing SOX-related activities would allow in-house resources to be applied more strategically, says E&Y.
Fanto, who specializes in comparative and international corporate law and governance, agrees that automation is the key to achieving better SOX compliance. ‘In a firm, there is too much focus on lower level control, which could result in the total risk to a firm collectively growing too large – and this is something we saw in the financial crisis.’
A small percentage of those surveyed currently use innovative IT techniques to manage compliance; 21 percent use data analytics regularly and 12 percent use predictive modeling. The survey also revealed that 65 percent of those polled do not use third-party applications to automate continuous controls monitoring, and 90 percent of survey participants still use Excel for their scoping exercise.