Most companies are not taking advantage of technology that automates some of the processes for compliance with Sarbanes-Oxley (SOX), according to a Protiviti survey report released yesterday. The global consulting firm's study, Benchmarking SOX Costs, Hours and Controls, found that the benefits of using automated controls and robotic process automation (RPA) for compliance processes are being ignored by many companies. It found that:

• fewer than a third of organisations are using technology tools such as automated process approval workflow, access controls and user provisioning;
• nearly two-thirds (63 per cent) are still not using technology tools at all in the testing of their controls to comply with SOX Section 404;
• only 11 per cent of organisations are using RPA;
• however, 49 per cent confirmed they are planning to embed technology in their SOX activities by 2019; and
• 83 per cent of companies in their first year of SOX compliance are using process mining and analytics.

SOX compliance costs rising

Protiviti's Brian Christensen said: “In the age of digital transformation, it has never been more important for companies to take responsibility and automate their compliance processes, as well as explore the use of artificial intelligence and predictive analytics in their control structure.”

While Protiviti's Jordan Reed adds that the SOX compliance landscape is changing: “From new accounting standards and continuing PCAOB inspections of external auditors to ongoing digital transformation efforts, the landscape for SOX compliance continues to shift. In this environment, progressive companies that take advantage of new technologies, tools and data analytics will benefit from more consistent and accurate testing results, fewer control deficiencies and reduced compliance spend.”

The study also found that SOX compliance costs and hours continue to go up for some companies, which is due in part to increased external audit costs for more rigorous SOX compliance testing and reporting – attributed to greater demands on auditors by the Public Company Accounting Oversight Board (PCAOB) – and an increase in merger and acquisition activity. SOX compliance costs typically hinge on a company’s filer status, size, SOX year and its unique circumstances and structure, including the numbers of controls, as well as the number of locations and regions in which it operates.

The report is based on data from more than 1,000 executives and leaders in finance and internal audit functions at publicly held companies, gathered in the first quarter of 2018. The majority of companies surveyed are from North America, and 55 per cent have revenues of $1 billion or more.