Ernst & Young Sees Room for SOX Improvement
A new report from Ernst & Young finds that many companies can improve their Sarbanes-Oxley compliance.
The survey of 225 executives from around the world uncovers some of their main concerns and challenges with SOX compliance. The report, entitled “Think outside the SOX box,” also suggests various ways for companies to reduce their costs, make quicker decisions and carry them out, and free up resources for strategic initiatives.
In addition, the report outlines the benefits of automated testing, outsourcing resources, leveraging information technology investment and innovation.
“Many organizations still treat the SOX function as a difficult compliance exercise,” said Ernst & Young global risk leader Gerry Dixon in a statement. “There is an opportunity to channel innovative approaches and practices, which can help a company build value into its operations. Strategic evaluation and realignment of SOX execution can directly impact decision making and efficiency.”
The survey found that only 3 percent of the executives surveyed have fully automated more than half of their key controls. More than a third (35 percent) indicated they had more than 1,000 controls, with 61 percent of the survey respondents spending at least five hours just testing each control. Nearly 40 percent of the executives surveyed consider one of their major SOX challenges to be cost. In addition, 37 percent of respondents said they spend up to $2 million on SOX testing, while 14 percent spend up to $5 million every year on SOX overall.
Half of the survey respondents said they use outside providers for some part of their SOX compliance. Nevertheless, 81 percent of executives surveyed said their internal audit department was involved with SOX in some capacity. Moreover, 40 percent of the respondents indicated their internal audit department devoted at least a quarter of its budget and capacity to SOX testing alone, even as 66 percent of the respondents used outside resources for testing.
Survey respondents recommended reducing costs by automating and outsourcing SOX-related activities, allowing in-house resources to be applied more strategically. Only a small proportion of respondents use offshore resources for SOX processes.
A small percentage of those surveyed use technology to manage SOX compliance: 21 percent say they regularly use data analytics. Twelve percent of the respondents use predictive modeling, but 65 percent said they do not use third-party applications to automate continuous controls monitoring. Ninety percent of the survey participants still use Microsoft Excel for scoping out SOX compliance.