For years, industry observers have complained that the passage of the Sarbanes-Oxley (SOX) accountability and responsibility act has caused serious financial hardship for many companies. However, a recent report from Big Four accountancy firm Ernst & Young is challenging those claims, suggesting that companies should work even harder to improve their SOX compliance.
The survey of 225 executives from around the world reveals some of the main concerns and challenges with SOX compliance. The report, entitled ‘Think outside the SOX box,’ also indicates that only three per cent of the executives surveyed have fully automated more than half of their key controls.
According to the report, nearly 40 per cent of the executives surveyed consider the high cost of compliance to be one of their major SOX challenges. In addition, 37 per cent of respondents said they spend up to $2 million on SOX testing, while 14 per cent spend up to $5 million each year on SOX overall. More than a third of respondents (35 per cent) indicated that they had more than 1,000 controls at their company, with 61 per cent saying they are spending at least five hours testing each individual control.
‘The assumption always was that costs would go down in time, as companies became more accustomed to SOX, and perhaps automated [but] the above data suggests that the costs are still significant and automation has not fully occurred,’ says James Fanto, a Professor of law at Brooklyn Law School.
‘This [report] is a cause for concern, especially if one is not convinced that SOX has actually done what it is supposed to do: reduce financial fraud or other financial problems in companies,’ says Fanto. ‘The jury is still out on this point.’
Moreover, half of the survey respondents claim that they use outside providers for some part of their SOX compliance. Roughly 81 per cent of executives polled said their internal audit department was involved with SOX in some capacity; 40 per cent indicated internal audit devoted at least a quarter of its budget and capacity to SOX testing alone. In fact, testing was a sore spot for respondents; 66 per cent claimed to use outside resources for testing.
The report does, however, outline the benefits of automated testing, outsourcing resources, leveraging information technology investment and innovation. Additionally, survey respondents suggested that reducing costs by automating and outsourcing SOX-related activities would allow in-house resources to be applied more strategically, says E&Y.
Fanto, who specialises in comparative and international corporate law and governance, agrees that automation is the key to achieving better SOX compliance. ‘In a firm, there is too much focus on lower level control, which could result in the total risk to a firm collectively growing too large – and this is something we saw in the financial crisis.’
A small percentage of those surveyed currently use innovative IT techniques to manage compliance; 21 per cent use data analytics regularly and 12 per cent use predictive modelling. The survey also revealed that 65 per cent of those polled do not use third-party applications to automate continuous controls monitoring, and 90 per cent of survey participants still use Excel for their scoping exercise.
[Article by Aarti Maharaj, Corporate Secretary]