This year, we’ll be celebrating the 18th anniversary of the introduction of the Sarbanes–Oxley Act. Nicknamed SOX, SOA or Sarbox, the act is has reached majority, in terms of age that is.
No cheers or applause? Really? Maybe this is due to missed expectations…
Indeed one would have expected that, at 18, SOX would be ready to fly on its own wings and hence no longer be the same (resource-wise) burden that it was on control and compliance departments when it first passed. Unfortunately, nothing seems further from the truth.
I am a great follower of Protiviti’s benchmarks on SOX compliance costs and their 2019 release, Benchmarking SOX Costs, Hours and Controls, once again sheds interesting light on the costs associated with this regulation.
The finding that I found the most interesting is as follows: “Overall, SOX compliance hours continue to rise”. So clearly, SOX is still a teenager lying on the couch and requiring attention.
Taking the 2018 report and analysing the average time spent per key control leads us to a grand 29.3 hours. This includes all the steps of the control of course, from its design, to its assessment and review:
But now comes the bitter comparison. Applying Protiviti’s 2019 data to the same graph, it’s staggering to find out that every category has actually increased in terms of the time required to fulfill the task:
Why Such an Increase May You Ask?
According to the report, reasons behind this continued increase in time to perform controls but also in the sheer number of controls themselves are to be associated to new accounting standards, to new guidance concerning management review of control and last but most certainly not least, requirements to consider cyber threat when implementing and testing controls.
What Can Be Done? It’s Back To Basics!
When I first started working on GRC software solutions 15 years ago, it was clear that the market was driven by SOX requirements and by associated corporate governance regulations worldwide. The introduction of COSO II ERM somewhat changed the path and refocused the requirements on a more proactive approach based on risk management, but control was still at the heart of things of course.
Since then, many regulations have been published and new guidelines issued that put more focus on one area or the other of GRC, and control management was deemed sufficiently mature in many cases.
Nevertheless, it’s still surprising, for me at least, to see that key SOX basics like segregation of duties management is still mostly performed manually.
In today’s more and more hybrid IT landscapes with processes being performed in different platforms – some in the Cloud and some OnPremise, I personally believe that we need to refocus our efforts by implementing a revised control practice that will automatically monitor information in the source system where the process is being applied.
In 2002, we didn’t have the right technology to do so. After the fact control was therefore the best option. Today, we can place the control directly in the process execution itself, therefore making it much more proactive. And we can automate it, hence making it less resource intensive.
If you are interested in hearing more about this, or just having an open discussion, please come and see me at the SAP Conference on Internal Controls, Compliance and Risk Management in March 2020 in Copenhagen.
I look forward to meeting you there or reading your thoughts and comments either on this blog or on Twitter @TFrenehard