SOX or the Sarbanes-Oxley Act is a compliance standard introduced in 2002 in the US, with the aim of protecting the general public and common investors from any malicious practices by publicly-listed corporations.
The early years of the 2000s saw a lot of high-level corporate scandals in the US such as WorldCom, Enron, and Tyco International that made investors lose faith in the American securities market. In order to reverse the effects of fraudulent practices in these scandals, SOX compliance was put in place to restore investor confidence, prevent fraudulent financial reporting by corporations, ensure financial data security, and protect the public from any future financial wrongdoings.
The SOX Compliance Act laid out guidelines that made organizations give detailed financial reports every year, provide complete visibility to their financial accounts for auditing, implement SOX internal security controls, and safeguard all sensitive financial information from any possible data breach. SOX Compliance is sometimes considered similar to SOC compliance as it also sets standards for internal controls but specifically for financial data.
SOX compliance is mandatory for a large set of companies, which includes -
Primarily all the above companies need to comply with SOX. Also, the auditing firm that carries a publicly traded company's annual audit, must not be associated with the company for their bookkeeping, banking services, consulting, financial advisory, or in any other way under the SOX compliance rules.
All the other private companies and non-profit organizations though do not need to comply with SOX, but must comply with rules preventing companies from falsifying or destroying financial information. Also, the private companies planning to go public need to get SOX compliant beforehand.
Any organization getting SOX compliant can seem like a very tedious task that requires a lot of time and resources but it is important to maintain accurate financial reporting to ensure investor confidence. Here are the steps for organizations to become SOX compliant.
The company needs to perform a thorough risk assessment based on qualitative and quantitative factors to identify areas that are high-risk and important to the company. This helps in scoping and prioritizing areas that need attention and also identifies areas that can be excluded from SOX monitoring activities.
Based upon the scope and findings of the risk assessment, the organization needs to identify as well as establish a set of policies and controls. This involves upgrading existing controls and establishing new ones.
All the implemented controls should be tested to check whether they are effectively operating. All the controls and testing results need to be well documented to support the yearly external audits.
Make a list of all the issues identified during controls testing that may not be operating effectively and take corrective measures on these controls to improve their effectiveness. Again all the remediated control activities should be documented.
With all the necessary controls in place, an organization must continuously monitor them to stay compliant. Continuous monitoring efforts provide organizations with complete visibility into user actions, enhance auditability, and ensure readiness for annual audits.
Though staying SOX compliant has a lot of benefits for the company, the cost of SOX compliance has always been increasing as well. Since the introduction of SOX Compliance in 2002, most public companies had issues with the high cost of external audit fees and the cost incurred for internal compliance work, as both combined can go as high as $3.5M.
A recent survey conducted in 2022 showed on average it costs an organization about $1.4M annually as an internal cost of SOX compliance. This cost is almost similar for all the companies irrespective of their size and annual revenue. Adding to this, organizations also incur heavy fees that need to be paid to external auditors every year ranging from $181K for smaller organizations to a whopping $1.7M for larger organizations. So staying SOX compliant doesn't come cheap for companies and is a big expenditure, especially for smaller companies with limited resources.
Let's look at the benefits of SOX that justify these costs for companies to stay compliant.
So all these publicly listed companies are obliged to comply with SOX, but what are the benefits of SOX compliance to organizations apart from avoiding heavy penalties in case of non-compliance?
So the major benefits of SOX compliance to companies are -
Annual audits help companies identify any vulnerabilities within their security protocols quickly and they can take necessary steps to mitigate the risk early on.
With strong internal controls in place, all the organization's critical data is securely stored and safeguarded from any external threats.
Annual financial reports and audits help promote investor confidence which enhances the company's reputation and increases capital from investors.
Internal teams responsible for compliance and audits become more accountable and efficient at maintaining necessary documentation and data security controls.
With a lot of benefits of SOX Compliance, there are major challenges and drawbacks to its implementation as well. Getting SOX compliant can be cumbersome and at times can seem like a barrier for private companies planning to go public.
A few major challenges of SOX compliance to organizations are -
Adding technology infrastructure, setting up controls and policies, and maintaining documentation required for SOX internal controls can be an extensive task, especially for smaller organizations.
Getting financial reports, internal checks, and other documentation ready for audits annually requires effort and a lot of valuable time from the organization's resources.
Hiring experienced people for setting up and maintaining internal controls, hiring audit firms annually, and various other contractors for accounting duties is an added responsibility to stay SOX compliant.
The extra technology infrastructure, hiring workforce, contractors, and auditing firms can all be very expensive to the company. Add any unfortunate penalties due to non-compliance to it and these costs can go way up for the company.
So at the end of this article, we ask the question - ‘Is SOX Compliance worth it?’
There have been questions about the increasing cost of SOX compliance to companies since its very inception. But there are a lot of benefits of SOX compliance to the organizations as well. Investor confidence, data security, efficiency, risk mitigation, and the list goes on, and quantifying all these benefits to a monetary value is difficult.
So it would not be an exaggeration to say that SOX compliance has helped prevent the loss of investor money and also safeguarded the companies from any unfortunate events as well. Companies can reduce their costs by automating certain processes, outsourcing internal audits, continuous monitoring, and adopting compliant practices within the company. So no doubt SOX has high running costs but is a necessary compliance practice that organizations must abide by.