First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Why are SOX compliance costs increasing so much?

From a recent survey by Protiviti, the information on how many organizations had to issue a cyber-security disclosure is interesting. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear.

SOX complianceThis is a question answered, to a degree, by Protiviti in their latest annual Sarbanes-Oxley Compliance Survey: Benchmarking SOX Costs, Hours and Controls.

Let me first thank Brian Christensen and Protiviti for their continued annual reporting. They have upgraded it each year to provide additional information (partly, perhaps, in response to my and others’ feedback).

As expected, Protiviti reports a continued rise in SOX costs. This is consistent with what I am hearing from companies, especially those attending my SOX Masters courses[1]. I will expand on that later.

The report provides some interesting numbers on costs, including the average cost by number of unique locations (presumably, although this is not clear in the report, those are “in-scope” locations); by size (based on revenue); and by industry.

Protiviti tell us that if we want more detailed information related to our company size and industry, we can contact them directly.

The Protiviti report shares additional, useful information. I especially like the chart (page 11) that shows the average time per control to update documentation, evaluate control design, test for operating effectiveness, and so on[2]. However, the charts on number of entity or process-level controls and the percentage of them classified as key controls make little sense. They would have done better by telling us the percentage of key controls that were at each level. Note, however, that controls exist at multiple levels within an organization, not just at corporate or process level.

The information on how many organizations had to issue a cyber-security disclosure (as mandated by the SEC) is interesting. I had not seen this before. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear to me.

As in prior years, the report tells us that most organizations have their internal audit team supporting control testing (78%). A surprisingly large number (66%) help with updating documentation, and 36% are involved in SOX project management.

Protiviti also shares statistics on the level of reliance by the external auditors on management testing. This obviously can be higher when performed by internal audit. A fair number of companies report reliance in the 76% or higher level. I achieved 80% and I have heard from others at that level. Unfortunately, Protiviti did not break either this range (76%-100%) or the 51%-75% level down.

This is how Protiviti explains the reasons for cost increases:

As we have observed in results from the prior few years of our study, hours required for SOX compliance continue to increase for many organizations. And in a majority of companies, hours appear to have risen by 10 percent or more.

Similar to our findings on costs reported earlier, there are many factors at play that are contributing to these increases. These include changing organizational structures resulting from digital transformation and greater demands from external auditors as a result of increased scrutiny from the PCAOB.

Another contributing factor is revenue recognition. After implementing the new ASC 606 Revenue Recognition Standard, companies were required to document their transition controls.

In addition, a growing number of organizations are outsourcing software and business processes. While this offers numerous advantages, there are assurance activities that need to take place around the SOC reports these vendors provide, along with the related management review controls that are required.

Based on what I hear from attendees at my training and so on, there are more important reasons:

  1. The scoping is not really top-down and risk-based. For example:
    1. The scoping for ITGC and even automated controls may be performed by a separate group from that covering business processes.
    2. Controls are being added because they seem important.
    3. Applications are added to the scope because they are ‘involved’ in financial reporting (see the IIA’s GAIT methodology or the SEC’s Interpretive Guidance – they should only be included in scope if they contain functionality relied upon for key business process or entity-level controls).
  2. Because it is not top-down and risk-based, the scope includes far more controls in scope than are necessary. Only those relied upon to prevent or detect a material misstatement that is at least reasonably possible need to be included in scope.
  3. For the same reason, the external auditors are insisting that management include in scope controls where there is no reasonable likelihood of a material error or misstatement should they fail. Management is too timid to challenge!
  4. The external auditors continuously quote the PCAOB Examiners as requiring this or that to be done when that simply is not the case. Unfortunately, management does not ask where the PCAOB is requiring this.
  5. There is no annual reperformance of the top-down and risk-based scoping process to trim out excess fat.
  6. The external auditors are not relying sufficiently on internal audit testing. Management and the board need to exert more pressure.

Here are recommendations, based on a blog from last year (on the IIA site):

  1. Make sure you are focused on financial reporting risk! The scope should include controls required to provide reasonable assurance that material errors or omissions will be either prevented or detected. That means that the likelihood is more than a reasonable possibility. That means more than simply a theoretical possibility and the error or omission has to be material to the consolidated financial statements.
  2. Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.
  3. Apply the risk-based, top-down approach to the whole program, including ITGC and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are present and functioning (as defined by COSO, a defect would not be a major deficiency).
  4. Be experts not only in the PCAOB Standards (including AS10 and so on) but also in the SEC’s Interpretive Guidance and SEC/PCAOB Staff guidance – especially Staff Alert Number 11.
  5. Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.
  6. Read the IIA’s updated guidance (my book): Management’s Guide to Sarbanes-Oxley Section 404, 4th Edition. (FYI, I receive no income from sales of this book: it all goes to the IIA Research Foundation.)
  7. Have the CFO, CEO, and the audit committee press the external auditors to rely as much as possible on internal audit testing

I welcome your comments.

[1] For information on these classes, the next one of which is on September 20-21 in Chicago, please contact
[2] Protiviti can improve this in their next report by breaking down the statistics further, telling us the average time to document, test, etc. manual vs automated controls vs ITGC controls

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , ,

Comments are currently closed.