Trends in SOX compliance programs

The software company Workiva has been surveying practitioners to understand what is happening with SOX programs since 2016. They recently shared a summary of trends over these last five years.

They draw four conclusions.

1. Internal audit is the majority owner of the SOX program.

Comments:

• Technically, management always retains ownership of the SOX program. However, internal audit may perform much of the assessment activity on behalf of management.
• Workiva has not shared how many companies were surveyed or whether they are the same companies each year. As a result, it is somewhat speculative to draw conclusions from the survey results. However, it is not unreasonable to assume that the survey sizes have been significant and at least indicative of the trends asserted by the authors.
• There is a huge difference between performing the testing on behalf of management and planning/managing the entire SOX program (a distinction not drawn in the report). My personal observation supports an assertion that the majority of companies rely on internal audit to perform testing. But saying that they own the program goes perhaps a bit too far.

2. Even when internal audit is not the owner of the SOX program, it is…