Key Findings From the 2022 State of SOX/IC Market Survey
Use this report’s findings to begin planning for the future state of your SOX compliance function, one driven by technology enablement and gained efficiencies. We hope you find this year’s report useful as you strive to improve your team’s operations in 2022 and beyond!
- SOX professionals generally enjoy their jobs
The key to success for any SOX compliance function is its people, which means SOX compliance leaders must be able to recruit and retain the best possible talent. This year, we found that most SOX compliance professionals (more than 80%!) are satisfied with both their jobs and overall careers. They enjoy challenges, such as helping organizations reduce risk and working with teams to complete projects.
This means that the “raw material” for a strong team is there, but obstacles remain. For example, 41% of respondents said remote work has left them feeling less connected to coworkers. Because of this, SOX compliance team leaders need to think about using technology and embarking on innovative risk management projects to keep teams enthusiastic and engaged, and to retain them.
- The number of key controls fluctuated, but still followed revenue size
In 2020, the SOX Pro Group first identified that a company’s key controls are directly proportional to revenue – higher annual revenues equal better key controls.
That pattern held true again this year, even while the number of key controls fell year over year for some revenue bands. For example, among companies with more than $5 billion in annual revenue, the average number of key controls fell from 536 in 2021 to 490 this year, but this group still had more controls than companies with $2 billion to $5 billion in revenue, which had more controls than those with $750 million to $2 billion in revenue, and so forth.
The question for SOX compliance leaders is how to determine the right number of controls for your organization. As always, this requires a careful analysis of control design, workforce structure, IT capabilities, and strategic objectives for coming years.
- Testing is a burden, but perhaps that isn’t a surprise
Compliance teams struggle with testing. 64% of respondents cite delays in obtaining evidence for testing as a pain point in their audit process, and 38% said their testing control team was under-resourced.
On the other hand, more than 90% of respondents say they use either little or no automation in testing, essentially unchanged from the 96% who gave that answer in 2021. Coupled with the legacy tools organizations use to collect evidence for testing, perhaps these results aren’t surprising.
Because automation is still so rarely used, compliance teams have an opportunity to gain momentum by implementing automation over the next several years. With well-executed planning, implementation can improve efficiency and alleviate tedious burdens on your team, giving them more time to focus on cybersecurity, control design, and other high-value work.
- Internal audit teams have a complicated relationship with SOX
56% of respondents indicate that internal audit has primary responsibility for SOX compliance, up from 42% in 2021. There is a clear pattern, however, that smaller organizations (those with less than $750 million in annual revenue) depend on internal audit teams for SOX compliance, while large organizations are more likely to use dedicated internal control teams or SOX project management offices.
The crucial question is whether internal audit teams spend too much time on SOX compliance, especially given the relentless rise in cybersecurity risk and other compliance hurdles, such as ESG disclosures. One ominous sign: Among organizations where internal audit is responsible for SOX, 39% say they spend too much time on the task.
Again, this brings up the question of how internal audit teams can “rethink” their time spent on SOX. Team leaders need to consider technology investments and board and senior executives’ objectives to help internal audit focus on risk management overall rather than just on SOX compliance.
- Technology is still a fragmented landscape
This year’s survey respondents continue to report using a wide range of technology tools to perform their SOX compliance tasks. This should be no surprise—we saw the same fragmented landscape in prior years, with traditional tools still playing a dominant role.
For example, 55% of respondents said they use desktop systems for scoping and risk assessments, and 31% said they use legacy tools for controls testing, despite also saying elsewhere that testing is one of the biggest burdens they have.
If SOX compliance leaders want to unshackle their teams and leverage their compliance efforts for better enterprise risk management, more strategic use of technology is the place to start. Compliance teams should consider how to simplify their technology stack, move to collaborative, cloud-based services, and embrace automation. From there, employees can provide better assurance and deliver more insight about business risk, which is precisely what senior management teams need in today’s highly regulated landscape.