The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates
Generative AI offers exciting potential for SOX compliance
Why it matters: Automation and technology enablement, resourcing models that include outsourcing options and centers of excellence, and greater use of standardised controls across multiple locations and complex organisations are foundational elements of a “next generation” SOX compliance programme.
- Similar to leading internal audit functions that deliver value and demonstrate relevance, next-generation SOX compliance programmes need to embrace such tools and approaches in the face of unrelenting business changes.
- While there are no shortcuts on the journey to more efficient and effective SOX compliance, there are a host of innovative ways to structure, equip and manage SOX compliance teams.
- The introduction of automation and continuous monitoring is having a positive impact in streamlining and strengthening business process and IT controls.
The first step: Reconsider outdated notions of what SOX compliance is and can be.
63% - Organisations that use an audit management and GRC platform to enable their SOX compliance programme.
But it’s not just about technology: External factors impacting SOX compliance activities, such as the SEC’s recently adopted rules around cybersecurity disclosures, the PCAOB’s annual inspection process of external auditors, and the SEC’s proposed climate change disclosure rules, highlight the broader and changing landscape of non-financial data reporting and how organisations are preparing for it.
Internal audit’s leading role: Internal audit continues to have a significant role in SOX compliance, particularly in emerging growth companies and Section 404(a) filers.
- Internal audit functions devote nearly half of their time (47%) to SOX compliance.
Adding ESG into the mix: More than one in three organisations (37%) disclose ESG metrics and apply ICFR-type processes to that information, and we expect this number to increase significantly in the coming years, regardless of the timing of regulatory activity.
63% - Organisations that use an audit management and GRC platform to enable their SOX compliance programme.
Highlights from our study
Compliance costs are influenced by organisational size and complexity — While the increasing cost of SOX compliance is a recurrent concern, our data confirms that factors such as organisational size, complexity, process maturity and the stage of SOX compliance predominantly determine these costs. Strategies to optimise costs must consider these parameters.
SOX compliance hours continue to climb — This likely is a result of efforts to create and implement more sustainable change in SOX compliance programmes, as well as the increasing complexity of regulatory environments and the integration of new technologies and processes throughout the organisation, all of which require additional controls and risks to be managed.
The use of automation and technology tools continues to rise, delivering value-added benefits — More than 60% of SOX compliance programmes use an audit management and GRC platform to enable their SOX compliance programmes, and three out of four organisations are seeking opportunities to further enable automation in their programme.
ESG reporting and data are gaining more attention — A majority of organisations have initiated efforts to address the SEC’s proposed climate change disclosure rules.
Source code reviews are on the rise — Once a rather arcane component of SOX compliance, these reviews are moving to the forefront as external auditors increasingly require review of the source code underlying automated controls. This shift, driven in part by heightened scrutiny from the PCAOB, is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity.
A note to our readers
Protiviti can provide further detailed results and insights from this study, including where other organisations in similar industries and of comparable size, filer status and more stand in relation to a company’s own SOX compliance programme. Please contact your local Protiviti office or representative for more information.
