SOX Is Turning 18, But Still Requires Much Attention

Thomas Frénéhard

Part 4 in the Controls and Risk Management series

This year, we’ll be celebrating the 18th anniversary of the introduction of the Sarbanes-Oxley Act. Nicknamed SOX, SOA, or Sarbox, the act is has reached majority, in terms of age, that is.

No cheers or applause? Really? Maybe this is due to missed expectations…

Indeed, one would have expected that, at 18, SOX would be ready to fly on its own wings and no longer be the same (resource-wise) burden that it was on control and compliance departments when it first passed. Unfortunately, nothing seems further from the truth.

I am a great follower of Protiviti’s benchmarks on SOX compliance costs. The 2019 release, Benchmarking SOX Costs, Hours, and Controls, once again sheds light on the costs associated with this regulation.

The finding I found the most interesting is: “Overall, SOX compliance hours continue to rise.” Clearly, SOX is still a teenager lying on the couch and requiring attention.

Taking the 2018 report and analyzing the average time spent per key control leads us to a grand 29.3 hours. This includes all the steps of the control, of course, from its design to its assessment and review.

average time spent per key control in hours

But now comes the bitter comparison. Applying Protiviti’s 2019 data to the same graph, it’s staggering to find out that every category has actually increased in terms of the time required to fulfill the task.

average time spent per key control in hours

Why such an increase, you may ask?

According to the report, the reasons behind this continued increase in the time to perform controls – and in the sheer number of controls themselves – are associated with new accounting standards, new guidance concerning management review of controls, and finally, requirements for considering cyberthreats when implementing and testing controls.

What can be done? Back to basics!

When I first started working on GRC software solutions 15 years ago, it was clear that the market was driven by SOX requirements and by associated corporate governance regulations worldwide. The introduction of COSO II ERM somewhat changed the path and refocused the requirements on a more proactive approach based on risk management. But control was still at the heart of things, of course.

Since then, many regulations have been published and new guidelines issued that put more focus on one GRC area or another, and control management was deemed sufficiently mature, in many cases.

Nevertheless, it’s still surprising, for me at least, to see that key SOX basics like segregation of duties management are still mostly performed manually.

In today’s more and more hybrid IT landscapes, with processes being performed in different platforms – some in the cloud and some on premises – I believe that we need to refocus our efforts by implementing a revised control practice that will automatically monitor information in the source system where the process is being applied.

In 2002, we didn’t have the right technology to do so. After-the-fact control was the best option. Today, we can place the control directly in the process execution, therefore making it much more proactive. And we can automate it, hence making it less resource-intensive.

If you are interested in hearing more about this or just having an open discussion, please come and see me at the SAP Conference on Internal Controls, Compliance, and Risk Management in Copenhagen March 3–4, 2020, which will explore the theme “Connected Controls and Risks.”

I look forward to meeting you there or reading your thoughts and comments on Twitter @TFrenehard.

This article originally appeared on SAP Community and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | FacebookYouTube


Thomas Frénéhard

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.