Organizations spending more time on SOX compliance

Despite over two decades of experience, complying with the Sarbanes-Oxley Act of 2002 doesn't seem to be getting any easier for audit and finance leaders.

More than half (58%) of the more than 560 audit and finance leaders surveyed by the consulting firm Protiviti reported an increase in the amount of hours they've spent on SOX compliance in the last year, according to a report released Tuesday. 

Automation is supposed to help, but 74% of the respondents are still looking for opportunities to further enable automation. However, many of the audit and finance leaders polled said they lack the time to explore technologies due to other priorities (39%); lack the effort to implement, train, govern and maintain the new systems (34%); and lack the funding and/or executive buy-in (31%). According to 47% of the respondents, many areas of the SOX control environment are not conducive to automation.

Over time, the use of generative AI technology and machine learning is expected to help with automation and cost reduction, but they'll require an initial investment.

sarbanes-paul-oxley-michael.jpg
Former Rep. Mike Oxley, R-Ohio, left, talked with former Sen. Paul Sarbanes, D-Maryland, during a 2005 workshop at George Washington University Law School.
Jay Mallin/Bloomberg News

"The investment in technology and automation has the potential to deliver strong ROI — helping to streamline routine tasks, increase the quality and efficiency of communications, enhance the effectiveness of the overall program and allow for a more optimal allocation of resources," said Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm's internal audit and financial advisory practice, in a statement. "There is significant untapped potential through the implementation of automation, enabling technologies and increasingly GenAI and LLMs."

The survey also asked about cybersecurity and environmental, social and governance reporting. When asked whether their organization was required to issue a cybersecurity disclosure, 41% of the respondents said yes. In terms of ESG, 37% of the respondents' organizations are already disclosing ESG metrics, but only 16% have added extra controls to address the SEC's proposed climate change disclosures, but that number is expected to increase significantly in the years ahead once the SEC finalizes its climate-related disclosure rule, which is expected to happen this fall.

Protiviti partnered with the audit software company AuditBoard on the survey, and they will be presenting a one-hour webinar on Sept. 26 at 1:00 p.m. EDT to discuss the findings.

For reprint and licensing requests for this article, click here.
Audit Sarbanes-Oxley Audit software
MORE FROM ACCOUNTING TODAY