Streamlining SOX Compliance and 404 Audits with Continuous Controls Monitoring (CCM)
Kevin Dunne
June 30, 2021

For many publicly traded companies, complying with the Sarbanes-Oxley Act has become a growing source of frustration.  Though the complexity of their landscape has grown, the maturity of control testing frameworks has not kept pace. To avoid ballooning control testing costs and risk of a failed audit, companies must adapt to an automated controls landscape that focuses on actual risk (violations) rather than potential risk (entitlement conflicts).   

We’ve compiled a number of stats that highlight the risk that manual control programs leave unmitigated, and show how continuous controls monitoring (CCM) from Pathlock can help you reduce risk exposure while also reducing your audit costs.

Explore the Infographic:

The growing complexity of the controls landscape 

Since the passing of the Sarbanes-Oxley Act in 2002, the complexity required to remain SOX compliant has consistently increased year over year.  Companies have shifted to multi-ERP landscapes, with a growing list of controls needing to be tested across multiple systems: 

10 – the number of systems the average employee uses on a given day, across various business critical application categories (Source: https://www.blissfully.com/saas-trends/2020-annual-report/)

50 – average number of entity level controls covered in a SOX audit (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf )

80 – average number of process level controls covered in a SOX audit (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)

Increasing costs of manual control testing 

As complexity grows, most organizations are failing to automate their controls landscape. Companies are still employing armies of manual labor to tackle their SOX 404 audits:

65% – average share of key controls which are still tested manually (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)

42 – average number of hours spent validating each control, per year (assuming one SOX audit per year) (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)

90% – average share of transactions which are not sampled when testing controls manually (Source: https://www.aicpa.org/interestareas/governmentalauditquality/resources/auditpracticetoolsaids/downloadabledocuments/sampling%20executive%20summary%20for%20posting%20to%20gaqc%20web%20site.docx)

9% – average year over year increase in SOX audit and compliance costs (Source: https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf)

Manual control testing introduces risk of cost overruns 

As manual controls fail, they introduce the risk of failed audits and material weakness filings, which introduce unplanned costs that can grow into the hundreds of millions, or even billions of dollars.  Fortunately, most of these costs can be avoided with a comprehensive, automated control testing program: 

5% – of publicly traded companies report a material weakness each year (Source: https://advisory.kpmg.us/articles/2020/material-weakness-study-2020-non-ipo.html)

27% – of material weaknesses are rooted in a segregation of duties conflict (Source: https://advisory.kpmg.us/articles/2020/material-weakness-study-2020-non-ipo.html)

64% – average increase in audit fees after filing a material weakness (Source: https://www.armaninollp.com/articles/material-weakness-causes-prevention-and-impact-on-audit-fees/#:~:text=A%20material%20weakness%20will%20increase,remain%20higher%20even%20after%20remediation)

19% – average drop in stock price in a 12-month period following a material weakness filing (Source: https://www.workiva.com/blog/material-weaknesses-stock-price-and-technology)

Reducing risk and cost through Continuous Controls Monitoring 

95% – reduction in manual control testing labor and costs when using Pathlock’s control platform to automate control testing and focus on violations

100% – coverage of transactions sampled, with Pathlock’s real-time, automated approach to control testing and enforcement 

500+ – number of controls in Pathlock’s pre-built control library, covering controls for SOX, GDPR, CCPA, HIPAA, and other popular compliance frameworks 

0 – number of Pathlock customers who have filed for a material weakness related to weak internal controls, including segregation of duties violations 

Explore the leading platform for Continuous Controls Monitoring

Eager to automate your controls landscape and shift from reactive, manual approaches to compliance to real-time, preventative protection? Check out why more Fortune 2000 finance, internal controls, audit, and application teams trust Pathlock than any other continuous controls monitoring platform.

Pathlock’s enterprise continuous controls monitoring platform provides:

  • Integration to 140+ applications including SAP, Oracle, NetSuite, Workday, Salesforce and more, with cross application translation of security models and data structures
  • Pre-built rule set of hundreds of SOD, SOX compliance, GDPR, HIPAA, and other controls to provide turnkey compliance
  • Real-time monitoring of both access level (entitlement) and transaction level (activity) based control violations, with built-in mitigation workflow
  • Rich, easy to share reports providing control evidence to satisfy internal and external audits (the Big 4 trust Pathlock’s reports)
  • Automated responses to trigger alerts, escalations, and even prevent risky behavior with transaction blocking and session termination
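To make the difference between entitlement-level (potential) and transaction-level (actual) control violations concrete, here is an added Python sketch. It is not Pathlock's code or rule library: the segregation-of-duties rule ids, function names, users and log lines are all constructed sample data, and the 14-day correlation window is an assumed parameter. The entitlement check flags every user whose roles cover both sides of a rule; the activity check only flags users who actually executed both sides on the same document within the window, which is the smaller set the intro says a CCM program should prioritize.

```python
"""Added illustration of access-level vs transaction-level SoD checks.
All rules, entitlements and log lines below are constructed sample data
(hypothetical names), not a real control library or ERP export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD rules: pairs of business functions that one person should
# not both be able to perform. Rule ids and function names are hypothetical.
SOD_RULES = {
    "SOD-01": ("create_vendor", "approve_payment"),
    "SOD-02": ("enter_journal", "post_journal"),
}

# Constructed entitlement export: user -> functions granted through roles.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},  # conflict that is exercised
    "bob":   {"create_vendor", "approve_payment"},  # conflict that stays dormant
    "carol": {"enter_journal", "post_journal"},     # conflict exercised slowly
    "dave":  {"enter_journal"},                     # no conflict
}

# Constructed transaction log: (ISO timestamp, user, function, document id).
TRANSACTION_LOG = [
    ("2021-06-01T09:00:00", "alice", "create_vendor",   "V100"),
    ("2021-06-02T10:15:00", "alice", "approve_payment", "V100"),
    ("2021-06-03T11:00:00", "bob",   "create_vendor",   "V200"),
    ("2021-06-03T11:30:00", "erin",  "approve_payment", "V200"),
    ("2021-06-04T08:00:00", "carol", "enter_journal",   "J10"),
    ("2021-06-20T08:00:00", "carol", "post_journal",    "J10"),
]


def entitlement_conflicts(entitlements, rules=SOD_RULES):
    """Potential risk: users whose granted functions cover both sides of a rule."""
    conflicts = []
    for user, funcs in sorted(entitlements.items()):
        for rule_id, (left, right) in rules.items():
            if left in funcs and right in funcs:
                conflicts.append((rule_id, user))
    return conflicts


def activity_violations(log, rules=SOD_RULES, window_days=14):
    """Actual risk: the same user executed both sides of a rule on the same
    document within window_days of each other (window is an assumption)."""
    # (user, document) -> {function: [timestamps]}
    seen = defaultdict(lambda: defaultdict(list))
    for ts, user, func, doc in log:
        seen[(user, doc)][func].append(datetime.fromisoformat(ts))
    window = timedelta(days=window_days)
    violations = set()
    for (user, doc), funcs in seen.items():
        for rule_id, (left, right) in rules.items():
            for t_left in funcs.get(left, []):
                for t_right in funcs.get(right, []):
                    if abs(t_right - t_left) <= window:
                        violations.add((rule_id, user, doc))
    return sorted(violations)


def dormant_conflicts(entitlements, log, rules=SOD_RULES, window_days=14):
    """Entitlement conflicts with no matching activity violation: candidates
    for access clean-up rather than for urgent investigation."""
    exercised = {(rule_id, user)
                 for rule_id, user, _doc in activity_violations(log, rules, window_days)}
    return [c for c in entitlement_conflicts(entitlements, rules) if c not in exercised]


if __name__ == "__main__":
    print("entitlement conflicts:", entitlement_conflicts(ENTITLEMENTS))
    print("activity violations:  ", activity_violations(TRANSACTION_LOG))
    print("dormant conflicts:    ", dormant_conflicts(ENTITLEMENTS, TRANSACTION_LOG))
```

On the sample data three users carry an entitlement conflict but only one (alice on document V100) actually exercised it within the window; carol's two journal actions are 16 days apart, so widening the window to 30 days turns her conflict into a violation too. That window is the practitioner's tuning knob: too short and real violations are missed, too long and the list converges back to the entitlement-only view.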

Contact us for a 1-on-1 demo of Pathlock to transform your controls landscape and realize the benefits that continuous controls monitoring can offer.