Estimated reading time: 5 mins
Following the recent passing of the Sarbanes-Oxley Act of 2002 (SOX) 15th anniversary, retrospectives raised the issue of increasing cost of compliance. The cost of Compliance 2017 report was released earlier in April by Thomas Reuters, which offered some insights on the rising cost of compliance, stating that this cuts across all industries equally.
The Cost of Compliance Report
According to the Cost of Compliance Report, companies raised their outsourcing compliance. In fact, in 2016 alone, 25% of companies contracted with third parties, with the number increasing steadily in 2017 to stand at 28%. Looking at these figures, one can deduce that financial institutions acknowledged that hiring vendors to help streamline process was not only time-saving but also cost-efficient.
Moreover, there was a decrease in the number of companies spending a day or more tracking regulatory change in 2016, with the figures of firms falling into this category being 35%. By 2017, the number of companies spending this much time to track the regulatory changes fell even lower to 26%. The report also revealed a drop in teams pending over 10hrs a week when it comes to compliance. The percentage in 2017 (3%) was much lower compared to findings over the previous four surveys, which had recorded 11% in 2014, 7% in 2015, and 4% in 2016 respectively.
Even with this notable decrease, there’s still one challenge that many firms still face. Over a period of eight years when the report has been released, there has been a persistent lack of coordination between control functions. Considering that only about half of compliance functions spend over one hour a week to conduct an internal audit, it can be deduced that those working on compliance are not talking to or coordinating with those who are responsible in making compliance rules.
Compliance Report outside the Financial Institutions
Financial institutions are heavily regulated. While some regulatory requirements for security compliance such as GDPR and HIPPA offer similar penal s, they are meant to provide industry standards for best practices.
Globalization and peer pressure have thus made information security compliance a genuine requirement for the stability of businesses. With Boards of Directors facing penalties placed by Sarbanes-Oxley, SOC 2 reports have become an important consideration for financial institutions, especially considering that federal regulators have made it a requirement.
This means merely that IT firms have had to spend a lot of time on compliance, with the average hours and cost dedicated to SOX compliance rising continuously. This has forced companies to look for additional resources outside to meet their needs. In fact, over half of such companies have resulted in using outside resources to manage IT controls and process effectively
Why Organizations are Continuously Affected by SOX Compliance
At the basic level, SOX Section 404 stipulates the requirements for continuing governance over internal controls, placing a regulatory penalty on public firms that don’t adequately show that their Board of Directors understands all that’s happening in their organizations. Even with the Dodd-Frank Amendment that looked to offer some relief to organizations under 404b when it comes to audit attestation, review controls and compliance remain necessary for private firms.
Many are hoping that SOX will be withdrawn with the February Executive Order proposing more rollback of the Dodd-Frank Act. On this matter, the Harvard Law School Forum on Corporate Governance and Financial Regulation stated that Sarbanes had become the basis for modern corporate governance, guiding corporate responsibility. It further noted that Sarbanes achieves this by the express provisions that address corporate governance and the extent to which it influenced any related regulatory governance like SEC rules as well as industry guidance and best practices compilations.
While efforts to have SOX requirements disappear seem attractive, many of them have become part of other standards and requirements already. This means that regardless of any official action of SOX, the cost of compliance will probably continue to rise.
Increasing Cost of Compliance for SOX
SOX compliance entails looking into IT general controls, application, IT-dependent manual, and manual. Each of these factors has become more complex over the last five years, meaning that organizations have had to deal with increased compliance cost when expanding their businesses.
As you grow your business to other areas, it’s likely that you’ll be faced with an increased cost of manual control reviews, because more locations will bring a more significant risk of discrepancies and greater manpower will be needed to coordinate the reviews.
This is also the case for IT-dependent manual controls. More employees will mean more review and a higher cost for SOX compliance. As revealed by the SOC audits, the costs for IT general control review – which comprises of physical security, program change, and logical access – are rising because of the complexity involved as your business expands to new regions and need for more applications arise.
How to Effectively Mitigate the Increasing Cost of Compliance
Considering the increasing cost of SOX compliance and the information provided by the Cost of Compliance report, there’s a strategy that offers relief. SaaS platforms need to streamline communication across various departments.
SOX 404 requires you to identify all controls within your organization, which means that you may come across an overlap between the PCI DSS standards and the ISO/IEC 27000 series or COBIT framework. Your Board must approve any standards that relate to your business.
Managing this compliance on traditional methods such as spreadsheet could be catastrophic as discrepancies between various departments could come up or gaps could emerge in your compliance. Such issues could mean poor audit results.
The best way to go about it is having a consolidated location where all such information can be relayed. You need to have a tool that will help you achieve this, allowing you to have a single source of evidence where all our controls are housed to see any divergences and overlaps between your departments and standards.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.