Five Key Findings From the 2023 Protiviti SOX Compliance Survey Report
While boards and executive teams typically don’t see SOX compliance as an opportune area for innovation, a growing number of organizations are investing in automation and advanced technology tools to support their SOX activities — with great value-added benefits. Protiviti’s 2023 SOX Compliance Survey report, The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates, explores how technology is transforming SOX compliance in over 500 organizations in the face of more complex control environments.
With more ESG and cyber reporting requirements on their way, organizations have been proactively seeking ways to automate their SOX processes and controls using enabling technologies. In fact, while SOX hours are rising partially due to an increasingly complex regulatory environment, increased hours are also being attributed to the implementation of new technologies in SOX programs — and the additional controls and risks that come with them.
However, the benefits of these technologies, including time savings that can be directed toward more value-added internal audit activities, are well worth it, as SOX compliance costs and hours are unlikely to decrease significantly given the volatile risk and regulatory environment. Moreover, as internal audit functions embrace next-gen technologies to improve and automate their practices and achieve greater relevance in the organization, there will be more opportunities for SOX programs to emulate.
Download the full report, The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates, and continue reading for the top five takeaways from this year’s survey.
1. Costs
While SOX compliance costs are high, they have not risen dramatically over the past year. Moreover, where costs are increasing, factors such as organizational size, complexity, process maturity, and SOX program maturity predominantly drive these increases. It can be helpful to reference these parameters when considering cost-optimization strategies, especially areas that can feasibly be addressed and improved upon, such as control environment complexity, process maturity, and overall program maturity.
2. Hours
Time spent on SOX continues to climb, likely a result of efforts to create and implement more sustainable change in SOX compliance programs. In addition, the increasing complexity of regulatory environments and the integration of new technologies and processes throughout the organization create additional controls and risks to be managed. However, as efforts to implement automation and other enabling technologies begin to produce more results, we hope to see decreasing SOX hours as teams begin to realize greater process efficiencies.
3. Automation and Technology
The use of enabling technologies continues to rise, delivering value-added benefits. More than 60% of SOX compliance programs use an audit management solution or GRC platform to enable compliance, and three out of four organizations are seeking opportunities to further enable automation in their program. As internal audit functions take advantage of next-gen technologies, advanced analytics, and high-impact reporting to achieve greater relevance in their organizations, there will likely be more opportunities for SOX programs to emulate these successes.
4. ESG Reporting
A majority of organizations have initiated efforts to address the SEC’s proposed climate change disclosure rules and the EU’s Corporate Sustainability Reporting Directive (CSRD). More than one in three organizations (37%) disclose ESG metrics and apply ICFR-type processes to that information, and we expect this number to increase significantly in the coming years, regardless of regulatory activity. COSO’s recently-released guidance, which applies to its COSO 2013 framework to Internal Control over Sustainability Reporting, will greatly benefit organizations in their efforts to prepare and disclose ESG-related data in compliance with these new and anticipated requirements.
5. Source Code Reviews
External auditors increasingly require reviews of the source code underlying automated controls. Driven in part by increased scrutiny from the PCAOB of automated controls, especially those that exist in legacy or highly customized GRCs, this is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity. This trend aligns with the fact that a majority of survey respondents have significant or moderate plans to automate their IT processes and controls. As organizations seek out and adopt new enabling technologies to help streamline their SOX programs, they should take the necessary steps to 1) ensure that tech implementations align with defined business requirements, and 2) address any new risks that these technologies may bring and ensure they are aligned with the proper controls.
Driven by increasingly complex control environments and the impending arrival of more ESG and cyber reporting requirements, SOX programs have become an unexpected area of innovation and automation. Given the persistently volatile risk and regulatory landscape, it is clear that SOX compliance costs and hours are unlikely to see significant reductions — creating a prime opportunity for technology-enabled transformation. Moreover, as internal audit functions continue to embrace next-gen technologies in their quest for greater relevance, SOX programs will be able to emulate their models of success. For a comprehensive understanding of these trends and key takeaways, download the full report, The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates, to see how your organization compares.
