Significant opportunities exist to transform Sarbanes-Oxley compliance functions

02.09.2011


London, 2 September 2011: Companies can reduce their Sarbanes-Oxley (SOX) compliance challenges and find opportunities for operational improvement, according to a new report ‘Thinking outside the SOX box’ by Ernst & Young.
The survey of 225 global executives uncovers key concerns and challenges of SOX compliance and proposes methods to potentially reduce costs, make and apply quicker decisions and free up resources for strategic initiatives. The report also outlines the benefits of automated testing, outsourcing resources, leveraging information technology investment and innovation.

Gerry Dixon, Ernst & Young Global Risk Leader, says: “Many organizations still treat the SOX function as a difficult compliance exercise. There is an opportunity to channel innovative approaches and practices, which can help a company build value into its operations. Strategic evaluation and realignment of SOX execution can directly impact decision making and efficiency, enhancing competitive advantage.”

According to the survey, only three percent of executives have fully automated more than half of their key controls. More than a third (35%) indicated they had more than 1000 controls, with 61% of respondents spending at least five hours just testing each control. Almost 40% of executives surveyed consider one of their major SOX challenges to be cost. In fact, 37% of respondents spend up to US$2 million on SOX testing, and 14% spend up to US$5 million every year on SOX overall.

Dixon adds: “Testing is the most time-consuming process related to SOX controls. Most respondents agree automation would free up both time and money.”

Half of the survey respondents said they use outside providers for some part of their SOX compliance. That said, 81% of executives surveyed said that internal audit was involved with SOX in some capacity. Moreover, 40% indicated their internal audit department devoted at least a quarter of its budget and capacity to SOX testing alone, even as 66% of respondents used outside resources for testing.

Survey respondents suggest reducing costs by automating and off-shoring SOX-related activities, thereby allowing in-house resources to be applied more strategically. Off-shoring is cited for its fit in follow-the-sun operations to create even more efficiency, though only a very small percent of respondents use offshore resources for SOX processes.

A small percentage of those surveyed use innovative IT techniques to manage SOX compliance: 21% use data analytics regularly and 12% use predictive modeling. Meanwhile, 65% do not use third-party applications to automate continuous controls monitoring, and 90% of survey participants still use Excel® for their scoping exercise.

Dixon comments: “According to our report, IT investment can be a tremendous asset in gaining a competitive advantage and be beneficial when applied to SOX functions. Certainly, increasing automation will help drive down the cost and effort to comply with SOX. But let’s be clear: leveraging your IT investment goes far beyond turning on various automated controls in the systems and automating testing. There is a real opportunity to use technology more strategically.”

More than half (52%) surveyed said they conducted an innovation exercise regarding SOX in the last year. Interestingly though, 58% do not use Control Self-Assessment, 63% do not use peer reviews and only 52% of respondents incorporate SOX into enterprise risk management.

Creating more entity-level controls is another way to apply innovation to SOX, yet 94% of survey respondents stated that less than a quarter of their key controls were entity-level controls.

Bob Cullen, Ernst & Young Global Internal Control Leader, concludes: “One effectively designed and robust entity-level control can significantly reduce the number of manual transactional level controls tested. Companies can significantly reduce the testing workload by focusing on top-down critical risks and designing effective entity-level controls.”

Thinking outside the SOX box reveals four actions companies can take to create fundamental advantages in their sectors:

  • Automate testing
  • Off-shore for lower-cost resources
  • Leverage IT investment
  • Innovate strategically

For a full copy of the report and survey results, please visit: www.ey.com

