15 years after the act was initially created, the Sarbanes-Oxley Act is still costing companies huge amounts of money in both labor costs and overall dollars.
Protiviti consulting surveyed 468 chief audit executives and internal audit and finance leaders in an effort to gain insight on how much SOX compliance costs them. The results were interesting, companies spend anywhere from $657,383 to $1,292,000 per year which, believe it or not, is down from last year. Not surprisingly, financial services have the highest overall costs associated with SOX compliance while consumer products and retail has the lowest associated costs.
The survey also found that the overall amount of hours spent dealing with SOX compliance is rising, regardless of company size. This is forcing many companies to outsource their SOX compliance work in an effort to stabilize compliance costs coupled with the hours they dedicate toward compliance activities. In fact, two out of three companies surveyed had increased their hours by more than 10%, further affirming that compliance is a time-consuming process.
Although companies are forced to spend more hours managing the daily activities of SOX compliance, the work involved continues to be viewed as having a positive effect. Three out of four organizations reported that their internal control over financial reporting structure has improved since they originally began complying with Sarbanes-Oxley, specifically section 404.
From a control perspective, the percentage of entity-level controls classified as key controls increased and, not surprisingly, organizations with a higher number of locations have a higher number of key controls associated with them. According to an audit director for a large public financial services company, "The design of existing controls has prevented fraud in some parts of the business. Dedicated SOX team involvement in providing advice on process improvement and system implementation have contributed in enhancing existing processes."
While compliance policies become more strict with their regulations, organizations of any size are forced to spend more of their time complying. This is especially true with the now 15-year-old Sarbanes-Oxley Act.