Businesses Focus on Automation to Achieve SOX Compliance

The fourteenth annual Sarbanes-Oxley (SOX) Compliance Survey, conducted by global consulting firm Protiviti, has found that 74% of organizations are seeking opportunities to further enable automation, while 58% reported an increase in hours spent on SOX compliance in the last year.

Companies are prioritizing investments in automation and broader enabling technologies, such as GRC solutions, as well as advanced technology tools, such as artificial intelligence (AI) and machine learning (ML) to support SOX compliance activities. These technologies help counteract pressure from the PCAOB and external auditors to increase scope and procedures. The SEC’s recently adopted rules related to cybersecurity disclosures and highly anticipated climate disclosure rules only increase the potential for expanded scope.

Companies prioritizing automation as a key tool to moderate rising cost pressures are experiencing increased efficiency, effectiveness and a decrease in business and operational costs. Yet, when faced with automation opportunities, many audit and finance leaders cite lack of time to explore automation and enabling technologies due to other priorities (39%), lack of effort to implement, train, govern and maintain the new systems (34%), and lack funding and/or executive buy-in (31%).

With Generative AI (GenAI) and large language models (LLMs) now a top technological consideration for business, organizations need to focus on areas including data governance, change management and upskilling when pursuing these new technologies. Otherwise, they will struggle to reap the benefits. The increase in hours spent on SOX compliance during the most recent fiscal year underscores the need to create and implement sustainable change through technology tools and automation.

“The investment in technology and automation has the potential to deliver strong ROI – helping to streamline routine tasks, increase the quality and efficiency of communications, enhance the effectiveness of the overall program and allow for a more optimal allocation of resources,” said Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm’s Internal Audit and Financial Advisory practice. “There is significant untapped potential through the implementation of automation, enabling technologies and increasingly GenAI and LLMs.”

Cybersecurity & ESG Disclosures Driving Increased Regulatory Scrutiny

Technology and automation have helped companies manage an increasing volume of disclosure requirements from the SEC. The SEC’s recently adopted rules around cybersecurity disclosures highlight the broader changing landscape of non-financial data reporting for SOX compliance and how organizations are preparing for it.

“The SEC rule will inherently increase disclosures related to cybersecurity risk management, governance and material incidents. With a quickly evolving cyber threat landscape and an increasing vulnerability footprint for many organization, cyber risk will remain poised for having a material impact on financial reporting and SOX compliance,” added Struthers-Kennedy.

When looking at ESG more closely, the survey found that 37% of organizations are already disclosing ESG metrics, however, only 16% have added additional controls to address the SEC’s proposed climate change requirements, a number expected to increase significantly in the upcoming years.

The Protiviti report, titled “The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates,” is based on a survey of more than 560 audit and finance leaders, representing a wide range of industries. The survey was conducted with support from AuditBoard, a leading cloud-based audit, risk, IT security, and ESG management platform, in April and May of 2023.