Few board members and C-suite leaders view Sarbanes-Oxley (SOX) compliance as a hotbed of opportunity for process innovation or leading-edge technology. They may want to reassess their perspective. More companies are embracing a new, “next-generation” SOX compliance mindset, one that prioritizes introducing tools and technology to support the company’s internal controls systematically and efficiently.  

Companies are attacking climbing compliance costs by taming the complexity of their control environment and exploring and pursuing options to further tech-enable controls and testing activities. Protiviti’s annual Sarbanes-Oxley Compliance Survey provides detailed benchmarks for compliance costs and hours, while quantifying the impact of technology, automation and changing business conditions on these measures and activities.  

Key findings include: 

• Compliance costs are influenced by organizational size and complexity – while the increasing cost of SOX compliance is a recurrent concern, our data confirms that factors such as organizational size, complexity, process maturity and the stage of SOX compliance predominantly determine these costs. Strategies to optimize costs must consider these parameters.  
• SOX compliance hours continue to climb – This likely is a result of efforts to create and implement more sustainable change in SOX compliance programs, as well as the increasing complexity of regulatory environments and the integration of new technologies and processes throughout the organization, all of which require additional controls and risks to be managed.  
• The use of automation and technology tools continues to rise, delivering value-added benefits – More than 60% of SOX compliance programs use an audit management and GRC platform to enable their SOX compliance programs, and three out of four organizations are seeking opportunities to further enable automation in their program. 
• ESG reporting and data are gaining more attention – A majority of organizations have initiated efforts to address the SEC’s proposed climate change disclosure rules.  
• Source code reviews are on the rise – Once a rather arcane component of SOX compliance, these reviews are moving to the forefront as external auditors increasingly require review of the source code underlying automated controls. The shift, driven in part by heightened scrutiny from the PCAOB, is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity.