If you work at a publicly-traded company, you’re likely familiar with SOX. The Sarbanes-Oxley Act aims to protect investors and improve financial transparency. Congress passed the SOX Act in response to several major accounting scandals in the early 2000s, such as those at Enron, Worldcom, and Tyco. 

Investors aren’t the only ones benefitting from SOX compliance. It also helps companies by strengthening their data security and preventing fraud. Despite its upsides, SOX compliance can be time-consuming and costly. Let’s take a look at some of the most common challenges, along with strategies to address them. 

Overview of the Sarbanes-Oxley Act 

The SOX Act covers various areas of financial reporting and oversight. However, the most labor-intensive provision is Section 404: Management Assessment of Internal Controls. This section requires management to annually evaluate the effectiveness of the company’s internal controls, reporting the results in Form 10-K. For larger companies, it also mandates that an external auditor independently determine whether the management’s assessment is accurate. 

Common SOX Compliance Challenges 

Compliance with Section 404 can be tedious, as it requires outlining all of your company’s internal controls, testing them, and thoroughly documenting the results. Here are some difficulties that companies may face, along with possible solutions.

Issues with identifying key controls 

Financial controls are present in areas including accounts payable, inventory management, revenue recognition, and payroll, among others. Given the complexity of business processes at public companies, determining which internal controls are key to preventing material financial errors can prove difficult. 

While not legally required, the COSO framework is often used for the management assessment of internal controls. This framework can streamline the identification of controls and the assessment process. Developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the 2013 Internal Control - Integrated Framework covers five components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring activities. 

High costs

SOX compliance is increasingly expensive for several reasons, some of which are the need for thorough testing and documentation of internal controls, talent shortages, and external audit fees. While the cost of SOX compliance can vary greatly due to company size, the 2023 KPMG SOX report found that the average budget for SOX programs is $1.6 million. 

One of the best ways to lower SOX costs is through investing in technology, such as governance, risk, and compliance (GRC) software. GRC applications can automate repetitive SOX tasks, such as data gathering, report generation, and workflow development. PwC research found that increasing automation by just 15% reduces compliance costs by 10%. This allows more financial resources to be allocated to higher-risk areas. 

Lack of communication

People are crucial to every SOX program. Sometimes, departments within a company operate within silos, lacking the necessary collaboration to ensure that all pertinent information is gathered and shared. There can also be communication issues at the top, with senior executives not providing adequate guidance and updates. Communication with external auditors is also critical for establishing a strong working relationship and fostering transparency. 

To prevent inefficiencies or conflict caused by a lack of collaboration, companies can develop a culture of openness and accountability. Management can ensure that critical departments, such as finance, IT, legal, and HR, are aligned in their goals and have clear responsibilities. 

Absence of necessary expertise

SOX compliance can be highly complex, involving vast amounts of data and advanced technologies. Companies that are newly public can struggle greatly with meeting all of the necessary provisions of the Sarbanes-Oxley Act. Smaller companies can face significant hurdles, as they often don’t have any employees with SOX expertise. 

To prevent knowledge issues in the SOX compliance process, it’s important to thoroughly research and understand the requirements before an IPO. Bringing in a skilled consultant can also help to streamline compliance and prevent potential issues before they arise. 

Ongoing monitoring of internal controls

Internal control systems should constantly evolve to keep up with emerging risks in both the internal and external data environments. Instead of waiting until a glaring issue arises, it’s important to regularly monitor your company’s financial controls. This way, you can proactively detect any weaknesses, potentially preventing devastating financial losses. Despite its advantages, monitoring controls can often seem time consuming and costly. 

A strategic way to monitor controls on an ongoing basis without draining your resources is to use continuous controls monitoring (CCM) software. Traditional monitoring techniques, such as periodic testing using data samples, can overlook weaknesses in your internal controls system, and they can be costly to manually execute. CCM improves accuracy by monitoring all controls all the time through automation. 

Take Action to Improve Your Company’s SOX Program

While SOX compliance can be a tedious and time-consuming process, strategic resource allocation can improve outcomes. By leveraging automation, clear guidelines, and enhanced communication, your company can lower SOX costs while strengthening your internal controls system.