The Rising Cost of SOX Compliance and What Organizations Can Do About It
The cost of Sarbanes-Oxley Act (SOX) compliance has been on the rise year after year. Talent shortages, increased scrutiny from external auditors and the Public Company Accounting Oversight Board (PCAOB), strategic pivots, and technology-driven transformation are some of the contributors to the rising costs. More companies spend over $2 million on compliance while fewer spend $500,000 or less. A 2023 KPMG SOX report states that, on average, key control counts increased by 41% in 2022 when compared with 2016 due to ever-changing organizational risk profiles. The report also states that an average budget for the SOX program was reported to be $1.6M and 11,800 hours; the average cost of compliance per control was calculated as $3,200; and the average hours per control for test of effectiveness was 12 hours, which is an increase from 9 hours per control in 2016.
What can organizations do about the rising costs of SOX compliance? Reducing costs in SOX can be challenging, but there are strategies for organizations to make the process more efficient. Here are some ways to help reduce costs while maintaining effective SOX compliance.
1. Risk-Based Approach
By focusing on high-risk areas, organizations can allocate their resources more efficiently. Instead of applying the same level of effort to all processes, a risk-based approach allows teams to concentrate on critical control points and avoid spending unnecessary resources on low-risk processes. This approach also ensures that compliance efforts align with overall objectives and prioritize controls that directly impact financial reporting accuracy and integrity.
2. Collaboration and Efficiency
Effective SOX compliance requires collaboration across different functions within an organization. Breaking down departmental barriers and fostering a culture of collaboration will help to identify redundancies and enhance the efficiency and effectiveness of compliance efforts.
3. Foster a Culture of Compliance
Compliance is a mindset that should permeate throughout the organization. Foster a culture of compliance by emphasizing the importance of regulatory requirements and the role individuals play in meeting them. Encourage individuals to be proactive, report any potential issues they encounter, and provide feedback on improving compliance processes. When compliance is ingrained in the company’s DNA, streamlining the processes becomes second nature.
4. Understand IT Risks
IT departments are critical for SOX compliance because their efforts are necessary to ensure financial data security and financial record availability. IT personnel's understanding of risks related to IT systems and processes is crucial in keeping compliance costs under control.
5. Leverage Technology
Organizations can also invest in a comprehensive Governance, Risk, and Compliance (GRC) software solution to automate key SOX compliance processes. From data gathering and validation to report generation and workflow management, automation can revolutionize SOX compliance efforts and strengthen the control environment. A robust GRC tool may not be cost-justifiable for small organizations. A cost-benefit analysis should be performed to determine merit.
SOX compliance is important for maintaining investor confidence and financial transparency. While cost reduction is essential, it should not compromise the effectiveness of any organization’s compliance program.
McKonly and Asbury has a proven track record of implementing risk-based SOX solutions for organizations, and is adept at facilitating risk and control sessions to streamline controls and increase control owners’ awareness and buy-in. For more insights on SOX compliance-related topics, be sure to visit our Internal Audit Services page. Don’t hesitate to contact Elaine Nissley or Victor Kong for more information on SOX cost reduction strategies or if you have further questions.
About the Author
Victor joined McKonly & Asbury in 2023 and is currently a Senior Manager with the firm. He is a member of the firm’s Audit & Assurance Segment. Victor is a Certified Internal Auditor (CIA) and Certified Fraud Examiner (CFE), and hol…