Sarbanes-Oxley Compliance Update
I saw a new survey on the evolution of Sarbanes-Oxley compliance and my first reaction was: How quaint – do people really still do that?
First, I apologize for my removed insensitivity. I am removed for a couple of reasons, including the fact that I’ve invested the vast majority of my research time in the past 18 months on risk management: enterprise risk management (ERM), risk culture, risk committee, human risk, model risk, scenario planning, etc.
Also, the term “SOX” sparked a little nostalgia for someone who started writing about SOX compliance the day the act appeared … well before everyone and their mom started writing (or, in many cases, “typing”) about GRC.
Despite the onslaught of GRC content and my own personal focus on risk management lately, SOX compliance continues to evolve, particularly for folks in the trenches who are too busy adding value (the survey suggests) to blog about their process, technology, and relationship work.
A Protiviti survey, which features feedback from 400-plus U.S. professionals across all industries, assesses the current state of SOX compliance, related costs, associated benefits and value, and more. Here’s what the survey finds, just shy of the law’s 8th birthday:
• Nearly 80 percent of all organizations participating in the survey said that they automate less than half of their key controls, indicating an opportunity to increase efficiency. However, most respondents said that their organizations had minimal plans for additional automation.
• More than 70 percent of respondents indicated a high dependency on spreadsheets, making it the top inefficiency negatively impacting SOX compliance efforts.
• 35 percent of respondents plan to use continuous monitoring tools or techniques this year as a key part of their SOX compliance strategy.
• Close to half of respondents perform all of their SOX compliance work in-house. The outsourcing of SOX work is typically highest during the initial compliance years.








