July 28, 2022

Sarbanes-Oxley Compliance: Costs Still Haven’t Peaked

Protiviti recently released its annual “Sarbanes-Oxley Compliance Survey,” which benchmarks companies’ compliance efforts, associated costs & hours, and the impact of current business conditions. This year’s survey says that SOX compliance hasn’t been immune to the Pandora’s Box of market disruptions we’ve experienced over the past two years. Twenty years in, the costs for many companies are still on the upswing – and the hours commitment continues to grow.

Here’s an excerpt with some of the key takeaways:

Costs continue to climb due to a range of factors: A combination of internal and external factors creating volatility — technology-driven transformation and innovation, talent shortages, strategic pivots and more — is contributing to rising SOX compliance costs. More companies spend $2 million or more on compliance while fewer spend $500,000 or less. A surge in the number of smaller companies spending $2 million or more in SOX compliance costs likely reflects last year’s significant increase in initial public offerings (IPOs), driven by special purpose acquisition companies (SPACs).

Hours on the rise as well: A majority of organizations increased the number of hours logged for SOX compliance during their most recent fiscal year. This growth is driven by the same factors contributing to rising compliance costs. SOX compliance teams are also spending more time responding to higher volumes of more detailed information requests from external auditors, whose scrutiny is intensifying in response to actions of and guidance from the Public Company Accounting Oversight Board (PCAOB).

A growing number of companies are deploying automation to support SOX work; more should follow suit: Automation platforms and applications bring greater efficiency to SOX compliance activities. The deployment of process mining, advanced analytics, robotic process automation (RPA) and continuous monitoring, along with other advanced technological tools, can significantly reduce the volume of manual compliance tasks as well as retention risks associated with subjecting internal full-time staff to heavy loads of repetitive, task-driven work.

A widespread desire for efficiency is kindling interest in centers of excellence and alternate sourcing strategies: The ongoing goal to moderate SOX compliance cost increases makes alternative delivery models for SOX compliance services more appealing. In addition to investing in supporting automation, efficiency-minded compliance and internal audit leaders are evaluating and adopting internal shared services models as well as partnerships with third parties that operate external centers of excellence for controls testing.

Protiviti remains optimistic that automation and technology will eventually bring down (or at least slow the increase in) compliance costs. I don’t doubt that there’s been more adoption since I wrote about that same optimism three years ago, but at this juncture it seems like the improvements from automation have been outweighed by new complexities and challenges.

If you’ve been able to rein in your compliance costs and have words of wisdom for others who are looking to do the same, shoot me an email at I would love to collect & share real-world pointers as we head into the even more demanding compliance environment that will accompany anticipated SEC rulemaking on climate & human capital disclosure.

Liz Dunshee