The pros and cons of different SOX compliance program models
Every publicly traded company is legally obligated to comply with the Sarbanes-Oxley (SOX) Act, and that compliance inevitably comes at a cost.
The key to controlling that cost is to maximize the value of the SOX program by investing in resources that cost-effectively position the business to achieve compliance now and in the future. This raises a question that most decision-makers face sooner or later: Is there more value in managing SOX compliance in-house, outsourcing it entirely or co-sourcing it to fill certain expertise and resource gaps?
Every business is different and therefore stands to gain varying amounts of value from the three different structures; however, knowing the potential pros and cons of each option can go a long way toward clarifying which is best for your company.
To that end, this overview provides a brief explanation of the three models for sourcing SOX compliance expertise and resources, and the pros and cons of each.
Insourcing is when a company hires internal staff to handle all of its SOX-related activities. Scoping and risk assessment, documentation of processes and controls, testing of design and operating effectiveness, advising process and control owners on best practices, and providing summary readouts to executive management and the audit committee are all managed by company employees.
Pros
- Insourcing makes sense for larger, more complex companies where compliance work – in SOX and in other areas – demands full-time personnel.
- An in-house SOX compliance program director will have ample opportunity to build relationships with key stakeholders, get plenty of facetime with different process and control owners, and help set a tone of transparency, compliance and continuous improvement.
Cons
- Staffing every area of expertise in-house is not necessarily practical from a cost or workflow perspective.
- Human resources and people management challenges can lead to workflow continuity issues (e.g., employee turnover, promotions and other potentially disruptive HR occurrences). This can be especially problematic for highly specialized areas, such as trying to hire or replace IT audit expertise.
- Capacity and capability limitations can lead to competing priorities among managers.
- An entirely insourced SOX program can be more difficult to scale than an outsourced model.
- Policies and procedures may become stale if the company becomes too set in its ways (e.g., not staying abreast of emerging trends and leading practices, or failing to regularly provide control-owner training).
Outsourcing entails hiring a third-party partner to functionally build, operate and maintain the SOX compliance program. The provider will usually appoint a SOX Project Management Office (PMO) leader along with a dedicated team to handle all elements of SOX compliance, including baseline diagnostics, risk assessments, project management and execution, coordination with external auditors and, in many cases, performing the broader responsibilities of an internal audit function such as assisting with updating control documentation and performing control testing.
Pros
- Greater flexibility in staffing resources, which makes the program easier to scale.
- Access to subject-matter experts who can be consulted on specific topics, such as cybersecurity; this is more practical than hiring specialists in every conceivable area.
- Few concerns regarding HR and people management; third parties have the advantage of consistent, high-value, as-needed resourcing and less risk of workflow disruptions in the event of turnover.
- External audit firms tend to be more comfortable with the expertise and objectivity of a third-party provider, increasing the likelihood that they will rely on the work performed. Work that has already been done by the third-party SOX provider, such as testing the design and operating effectiveness of controls, may not have to be repeated, which ultimately drives down the external audit fee.
- Experience performing SOX functions for other organizations, providing a strong sense of what works and an ability to execute more efficiently and cost-effectively.
- Familiarity and experience overseeing non-routine events such as business mergers and ERP implementations.
Cons
- Outsourcing can end up costing more money in the long run than insourcing – especially once you have successfully built a sustainable and repeatable SOX compliance program. This is particularly true for big companies that have enough SOX and other compliance work to keep full-time employees busy throughout the year.
- The SOX program may become overly dependent on the outside firm, which could make it more difficult to move to a co-sourced or insourced model down the road.
- Relationships with process and control owners may not be as strong as those a full-time, always-on-site SOX team can establish.
The co-sourcing model is a hybrid between insourcing and outsourcing in which a third party is brought into the fold, most commonly to help get the SOX program up and running, to provide arms and legs for testing, and/or to support more technical areas of specialization (e.g., tax, IT, technical accounting). Under this structure, a public company typically has an in-house chief audit executive or director in the SOX compliance realm to set the tone for the company, organize risk assessments, interact with key stakeholders – including the audit committee and external auditors – and perform other oversight activities. Alternatively, co-sourcing is often used in providing remediation support services, since third parties are well-equipped to solve specific problems in tight time windows such as addressing a material weakness or filling particular people, process or technology gaps.
Pros
- Senior executives, CFOs and controllers still dictate the tone of the compliance program and help build relationships with the business and IT stakeholders, audit committee and external auditors.
- A co-sourced firm can deliver baseline diagnostics in terms of how many controls exist, where it might make sense to hire someone in-house, where gaps exist, etc.
- Management has more freedom to choose which projects or functions it wants to outsource – IT, cybersecurity and/or data privacy components, system implementation advice, integrating the controls of a new acquisition, and so on; this helps simplify cost structures for as-needed resources.
- Co-sourced providers can introduce improvements and leading practices to the internal control environment much faster than in-house personnel acting alone.
- Companies feel less obligated to staff every area of expertise, which can save money on recruiting, people management and other long-term staff investments.
Cons
- There is some risk of confusion over responsibility and accountability, depending on the co-sourcing provider’s project management capabilities and its positioning and profile within the company.
The bottom line
One program structure is not necessarily better than another. The primary factors that determine the best approach are the size of the company and the maturity and complexity of the processes.
For a startup or newly public company of any size, for example, outsourcing may be more cost-effective, since the company has not yet established a framework to manage SOX compliance and is therefore unlikely to have the breadth of resources necessary to establish a well-rounded and compliant program. However, as the company’s SOX program expands and matures, it is important to re-evaluate the pros and cons of each model. In some cases, a co-sourced model may enable the company to achieve the best of both worlds.
Particularly for smaller and mid-market companies (usually defined as having revenues less than $1 billion annually), the full outsourcing model often provides the greatest combination of specialized expertise and infrastructure to support a SOX compliance program in a manner that is more cost-effective than building an internal team.
As companies grow in size and their processes mature, it is appropriate to continually assess which model makes the most sense for current and projected needs; for larger companies, this often points to a co-sourced or insourced model.
The question then becomes: What will be the extent of the outside firm’s involvement, and for how long? Will you functionally insource your entire program and only call upon external resources on an ad hoc basis? Alternatively, will management develop a more comprehensive relationship with the outside partner – not just for SOX, but to perform broader, deeper and more complex services that extend to other areas of governance and risk management?
There is no right or wrong answer, as long as you take the time to understand your company’s resources, expertise and capacities.