How SOX Compliance Is Evolving in the Face of Business Change and New Regulations
While some leaders may not view SOX compliance as an area of opportunity for innovation, a growing number of organizations are investing in automation and advanced technology tools to support their SOX activities amidst unrelenting disruption. See the results of Protiviti’s 2023 Sarbanes-Oxley Compliance Survey in this report, which analyzes SOX costs, hours, controls, the use of technology, and other trends.
Many board members and C-suite executives don’t consider SOX compliance a hotbed of process innovation or cutting-edge technology, but they may want to rethink this perspective. More companies are embracing a new “next-generation” SOX compliance mindset, one that prioritizes introducing tools and technology to support the company’s internal controls systematically and efficiently. Companies are tackling the rising cost of compliance by taming the complexity of their control environment and exploring options to tech-enable controls and testing activities.
Protiviti’s annual Sarbanes-Oxley Compliance Survey, conducted in partnership with AuditBoard, explores trends in compliance costs, hours, technology, automation, and the impact of business conditions. Some of the key findings from this year’s survey include:
- Costs: While the increasing cost of SOX compliance is a recurring concern, factors such as organizational size, complexity, process maturity, and the state of SOX compliance predominantly determine these costs.
- Hours: Time spent on SOX continues to climb. This is likely a result of efforts to create and implement more sustainable change in SOX compliance programs, as well as the increasing complexity of regulatory environments and the integration of new technologies and processes throughout the organization, all of which bring additional controls and risks that must be managed.
- Automation and Technology: The use of these tools continues to rise, delivering value-added benefits. More than 60% of SOX compliance programs use an audit management and GRC platform to enable compliance, and three out of four organizations are seeking opportunities to further enable automation in their program.
- ESG Reporting: A majority of organizations have initiated efforts to address the SEC’s proposed climate change disclosure rules. More than one in three organizations (37%) disclose ESG metrics and apply ICFR-type processes to that information, and we expect this number to increase significantly in the coming years, regardless of regulatory activity.
- Source Code Reviews: External auditors increasingly require review of the source code underlying automated controls. Driven in part by increased scrutiny from the PCAOB, this is prompting auditors to adopt a more comprehensive evaluation of automated controls to ensure their effectiveness and integrity.
Download a copy of The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates to read detailed results and see how your organization compares.