For many publicly traded companies, complying with the Sarbanes-Oxley Act has become a growing source of frustration. Though the complexity of their landscape has grown, the maturity of control testing frameworks has not kept pace. To avoid ballooning control testing costs and risk of a failed audit, companies must adapt to an automated controls landscape that focuses on actual risk (violations) rather than potential risk (entitlement conflicts).
We’ve compiled a number of stats that highlight the risk that manual control programs leave unmitigated, and highlighted how continuous controls monitoring (CCM) from Pathlock can help you to reduce risk exposure while also reducing your audit costs.
Since the passing of the Sarbanes-Oxley Act in 2002, the complexity required to remain SOX compliant has consistently increased year over year. Companies have shifted to multi-ERP landscapes, with a growing list of controls needing to be tested across multiple systems:
10 – the number of systems the average employee uses on a given day, across various business critical application categories (Source: https://www.blissfully.com/saas-trends/2020-annual-report/)
50 – average number of entity level controls covered in a SOX audit (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf )
80 – average number of process level controls covered in a SOX audit (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)
As complexity grows, most organizations are failing to introduce automate their controls landscape. Companies are still employing armies of manual labor to tackle their SOX 404 audits:
65% – average amount of key controls which are still tested manually (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)
42 – average number of hours spent validating each control, per year (assuming 1x year SOX audit) (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf )
90% – average number of transactions which are not sampled when testing controls manually (Source: https://www.aicpa.org/interestareas/governmentalauditquality/resources/auditpracticetoolsaids/downloadabledocuments/sampling%20executive%20summary%20for%20posting%20to%20gaqc%20web%20site.docx)
9% – average year over year increase in SOX audit and compliance costs (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)
As manual controls fail, they introduce the risk of failed audits and material weakness filings, which introduce unplanned costs that can grow into the hundreds of millions, or even billions of dollars. Fortunately, most of these costs can be avoided with a comprehensive, automated control testing program:
5% – publicly traded companies report a material weakness every year (Source: https://advisory.kpmg.us/articles/2020/material-weakness-study-2020-non-ipo.html)
27% – of material weaknesses are rooted in a segregation of duties conflict (Source: https://advisory.kpmg.us/articles/2020/material-weakness-study-2020-non-ipo.html)
64% – Average increase in audit fees after filing a material weakness (Source: https://www.armaninollp.com/articles/material-weakness-causes-prevention-and-impact-on-audit-fees/#:~:text=A%20material%20weakness%20will%20increase,remain%20higher%20even%20after%20remediation)
19% – average drop in stock price in a 12-month period following a material weakness filing (Source: https://www.workiva.com/blog/material-weaknesses-stock-price-and-technology)
95% – reduction in manual control testing labor and costs when using Pathlock’s control platform to automate control testing and focus on violatinos
100% – coverage of transactions sampled, with Pathlock’s real-time, automated approach to control testing and enforcement
500+ – number of controls in Pathlock’s pre-built control library, covering controls for SOX, GDPR, CCPA, HIPAA, and other popular compliance frameworks
0 – number of Pathlock customers who have filed for a material weakness related to weak internal controls, including segregation of duties violations
Eager to automate your controls landscape and shift from reactive, manual approaches to compliance to real-time, preventative protection? Check out why more Fortune 2000 finance, internal controls, audit, and application teams trust Pathlock than any other continuous controls trust Pathlock.
Pathlock’s enterprise continuous controls monitoring platform provides:
Contact us for a 1-on-1 demo of Pathlock to transform your controls landscape and realize the benefits that continuous controls monitoring can offer.
Share
The Securities and Exchange Commission's (SEC) new rules on...
The global shortage of skilled accountants has been making ...
U.S. Sugar is an agricultural business that grows and proce...
Esteemed Colleagues in Internal Audit and Risk Management: ...