After recently passing the 15th anniversary of the Sarbanes-Oxley Act of 2002 (SOX), retrospectives noted the rising cost of compliance. In April, Thomson Reuters released its Cost of Compliance 2017 report. Although the report is for global, systemically important financial institutions, information can be extrapolated across industries. Looking at SOX as indicative of the type of compliance requirement that industries face, this report offers insight about how the rising cost of compliance is something that impacts all industries equally.
What the Cost of Compliance Report Tells Us
Some of the report’s most significant takeaways involve the overlap between increased outsourcing and decreased time spent on compliance.
According to Thomson Reuters, firms increased their outsourcing of compliance. In 2016, 25% of firms contracted with third parties; in 2017, that number increased to 28%. In short, financial institutions recognized the amount of time they spent tracking changes and felt that hiring vendors to streamline the process was cost efficient.
Relatedly, the report recorded a reduction in the number of firms spending a whole day or more per week tracking regulatory change. In 2016, 35% of firms fell into this category. By 2017, only 26% of firms spent this much time tracking regulatory changes. Simultaneously, the report showed a decrease in teams spending more than 10 hours a week on compliance. This number showed the most significant change over the last four surveys, dropping from 11% in 2014 to 7% in 2015, 4% in 2016, and finally 3% in 2017.
In spite of these decreases, one problem continues to plague firms. Over the eight years the report has been produced, a lack of coordination between control functions has persisted. Only half of compliance functions spend more than an hour a week with internal audit. In other words, those who are working on compliance aren’t coordinating or talking to those who make the compliance rules.
What the Compliance Report Means Outside of Financial Institutions
Financial institutions sit in a unique regulatory landscape. Some information security compliance requirements, such as HIPAA and GDPR, carry similar penalties, but most are industry standards that lead only to best practices.
That said, peer pressure and globalization have made information security compliance a de facto requirement for continued business stability. With Sarbanes-Oxley placing penalties on Boards of Directors for lack of oversight, SOC 2 reports have become, for other industries, the functional equivalent of a federal regulator’s requirement for financial institutions.
This means that information technology firms increasingly find themselves spending more time on compliance. For example, the average cost of and hours spent on SOX compliance continue to rise. Moreover, more than half of organizations use outside resources to manage process and IT controls. This rising cost of compliance leads companies to find additional resources to meet their needs.
Why SOX Compliance Continues to Affect Organizations
SOX Section 404 requires ongoing governance over internal controls. This places a regulatory penalty on public companies that fail to show that the Board of Directors understands everything happening in the organization. SOX is fifteen years old, but the act continues to impact organizations. Despite the Dodd-Frank Amendment that offered audit attestation relief to smaller organizations under Section 404(b), compliance and review of controls remain necessary for private companies.
With the February Executive Order suggesting an additional rollback of the Dodd-Frank Act, you may be hoping that SOX will disappear. The Harvard Law School Forum on Corporate Governance and Financial Regulation explains,
Sarbanes is so much more than an anti-corporate fraud statute; it has become the keystone of modern corporate governance; the spark to the corporate responsibility environment that remains in force to this day. In a very large sense, it is “where it all began”; i.e., the seismic calibration of corporate direction from the executive suite back to the board. It achieved this in two major ways. First, by means of its express provisions addressing corporate governance. And second, the extent to which it prompted or otherwise influenced related regulatory requirements (e.g., SEC rules); industry guidance (e.g., stock exchange listing requirements); best practices compilations (e.g., the ABA’s “Cheek Report”); professional standards (e.g., AICPA, state rules of professional responsibility) and state corporate law of multiple stripes.
While attempts to remove SOX requirements appear appealing, many of those requirements have become embedded in other requirements and standards. This means that the rising cost of compliance will likely continue regardless of official regulatory actions.
Rising Cost of Compliance for SOX
SOX compliance requires looking into manual, IT-dependent manual, application, and IT general controls. Over the last five years, each of these has become more complex. In addition, compliance costs increase in proportion to the growth of your business.
As your organization grows and adds locations, the cost of your manual control reviews increases. More people and locations bring not only a greater risk of discrepancies from office to office, but also greater manpower required to coordinate the reviews of these additional locations.
The same holds true for IT-dependent manual controls. With more employees comes more review. For example, a user authentication review for 100 people is easy for one person to handle, but a review for 1,000 people needs additional time or staff.
Business growth also brings more integrated applications to provide solutions. A business that begins as a brick-and-mortar operation may expand to online sales. This means that the PCI burden will increase as additional applications are added to meet these new needs. Thus, SOX compliance becomes more complex and costly as the organization expands.
Finally, IT general control review costs are increasing, as evidenced by the growing importance of SOC audits. Comprising logical access, program change, and physical security, IT general control review becomes more complex as your organization grows and as you add applications. For example, if you choose to adopt single sign-on across multiple applications, you need to redefine your login controls. As the technology becomes more sophisticated, the costs of compliance increase.
How to Mitigate the Rising Cost of Compliance with GRC Automation
Based on the information contained in the Cost of Compliance 2017 report, in conjunction with the information regarding the rising cost of SOX compliance, one strategy offers the best relief: SaaS platforms that organize communications across departments and can reduce costs.
SOX 404 reporting means identifying all the controls within your environment. In doing so, you may find overlap among the ISO/IEC 27000 series, the COBIT framework, and the PCI DSS standards. Your Board must approve whatever standards are specific to your organization.
This interconnectedness means that continuing to manage compliance on spreadsheets can lead to gaps in your compliance or discrepancies between departments. These discrepancies or gaps then lead to poor audit outcomes. Having a consolidated location for this information is, therefore, more important than ever.
When SOX audits and reporting force you to look at your entire landscape, you need to have a single source of truth. GRC automation provides that. With one location housing all your controls, you can easily see the overlaps or divergences between standards and departments.
How to Find the Right GRC Partner
As the statistics show, more companies are outsourcing their compliance efforts. Outsourcing means finding a partner who can meet your needs and remain agile. With this in mind, you need to look for a compliance solution that can keep pace with the constantly evolving IT landscape.
To learn how GRC automation can help your organization, read our “Governance, Risk Management and Compliance Software Buyer’s Guide.”