The costs of SOX compliance are surprisingly still high. Here’s how technology can cut those costs and improve SOX compliance processes.
The Sarbanes-Oxley (SOX) Act was passed into law in 2002. But surprisingly, rather than compliance costs going down, they seem to be going up.
“According to Protiviti’s report, Fine-Tuning SOX Costs, Hours and Controls, in 2017 66% of companies actually saw a more than 10% increase in hours spent on SOX compliance.”
The report also found that the overall average annual expenditure on internal SOX compliance efforts was more than $1 million, and larger/global companies spent $2 million or more.
There are a few different factors that contribute to these high costs.
1. Inefficiencies of spreadsheets, shared documents, and older systems
Many organizations (mid-sized companies in particular) are still using internal systems based on spreadsheets and shared documents. It’s understandable to some extent why you would rely on these to manage the compliance process—it was once a simple and inexpensive approach. But the reality is that spreadsheets:
- Are difficult to manage
- Don’t promote efficient collaboration, and
- Can be frustratingly inefficient to use, especially for creating reports.
Using older audit, risk, and compliance applications is another alternative, but also not the best choice, since they’re expensive to upgrade and hard to reconfigure if you want them to support newer functions such as collaboration, control rationalization, and optimization.
2. Costs of manual control testing
The Protiviti report also revealed that simply testing each key control can involve somewhere between 30–40 hours of documenting, evaluating, testing, and re-evaluating controls, with most of these processes performed without technology or automation. One of the major drawbacks of manual control testing based on samples and periodic testing is that you don’t know on a timely basis whether a control problem exists or a new control risk has developed. Managing the entire testing, sign-off, and certification process can also be resource-intensive and unnecessarily time-consuming.
How specialized technology can improve compliance processes
A more optimized technology approach can help you improve SOX compliance processes and reduce costs in a few different ways:
1. Automating control questionnaires and certification
Software designed specifically for compliance supports a far higher degree of automation in handling control questionnaires and sign-offs.
2. Facilitating collaboration
Purpose-built software is made to support multiple user profiles and lets you set access levels to a central database. Features like these can significantly improve collaboration and integration within the Three Lines of Defense.
3. Greater insight into the relationships between risks and controls
One very cool benefit of specialized software is the ability to clearly see the links and relationships among different risks and controls. Being able to view these relationships helps you optimize controls and eliminate controls that are redundant.
4. Control monitoring
Data analytics can help you automatically test entire populations of financial transactions or controls. It can also be used to automate control implementation in areas that involve transaction monitoring.
5. Remediation management
Automated transaction and control monitoring can simplify the process of identifying and remediating issues. Purpose-built software can detect issues, and use workflows to notify the appropriate stakeholders, then escalate issues as needed. Having this process automated saves significant time on addressing red flags.
6. Integrating SOX compliance into ERM and overall compliance
One other area to think about is how SOX compliance processes fit into the overall compliance and risk management processes within your organization. Specialized technology places SOX compliance within that wider context, which promotes increased collaboration around enterprise risk and control issues.
How specialized technology can reduce SOX costs
So how does better technology selection translate into actual cost reductions?
- Costs can be saved by reducing the time and effort involved in control testing and certification.
- Compliance processes become more efficient, requiring fewer resources.
- Greater collaboration among the Lines of Defense adds to efficiencies around control design and testing.
- Optimizing controls and reducing the number of overlapping or redundant controls means less money and time are spent on different control activities.
- Data analytics and transaction monitoring improve controls and reduce risks from error, fraud, and abuse in financial systems.
- Finding control weaknesses before they escalate means the scale of loss, if realized, is kept to a minimum.
Another point to consider is the relationship you have with external auditors. If they find it challenging to review your compliance activities, they may not trust the work you perform, and end up requesting more documentation, or increasing their own testing procedures—all of which results in additional time and costs.
Finally, the use of specialized technology allows a far more efficient, collaborative, and valuable way of reviewing the entire SOX compliance status. Starting from a high-level summary, all those involved in managing the compliance process can review and drill down into the specific issues and risks as deeply as necessary.