
The 2025 KPMG SOX Survey
KPMG LLP is pleased to present the findings from our new 2025 SOX survey. This report provides a detailed look at the SOX programs implemented by companies of varying industries and sizes, from governance and strategy to details on execution and costs.
Our report presents summary findings and key measures from the survey data and is designed to provide insight, useful direction, and a basis for comparison and further analysis.
Key findings:
Increase in budget and level of effort
- In FY24, 45% of organizations reported a rise in their SOX program costs compared to the previous year (FY24 average cost of $2.3 M compared to FY22 average cost of $1.6 M), and a 32% increase in hours incurred for the program (FY24 average hours of 15,580 compared to FY22 average hours of 11,800)
- Over the past two years, the average number of systems in scope more than doubled, which is a key driver in cost and budget increases
- Only 28% of organizations are using offshore resources, despite 42% noting a strategy of reducing the cost of compliance
Increase in number of in-scope systems, but no increase in percentage of automated controls
- Even though the average number of in-scope systems rose from 17 in FY22 to 40 in FY24, automated controls only accounted for 17% in FY24, declining from 21% in FY22
- This suggests a potential opportunity to further leverage technology to drive process efficiency and make the overall control environment more robust
External auditors have a narrower focus; reliance-related fee savings remain unclear
- Over half (56%) of organizations noted their external auditors had fewer in-scope controls than they did
- Although organizations adjusted their testing approach by using external auditor templates and modifying sample sizes, 90% of organizations cannot quantify fee savings from auditor reliance
Decrease in satisfaction with current tools and technologies
- There was a notable dip in organizations’ satisfaction with their current SOX program technology, dropping from 92% of respondents identifying as satisfied in FY22 to 58% identifying as satisfied in FY24
- The decrease in satisfaction highlights significant opportunity to enhance SOX technology capabilities and user experience
Key observations:
Program Budget:
Year-over-year cost
- 45% of organizations reported an increase in the year-over-year cost of their SOX program. Notably, the HCLS sector had the highest percentage (69%) of respondents reporting this trend
- Organizations indicated that the increase in cost was driven by an increased number of controls and inflationary impacts of resources
Budget
- The SOX program's average budget was reported as $2.3 M, with an average time effort of 15,580 hours
- Both the average cost budget and the average time spent have substantially increased by 44% and 32%, respectively, over the past two years
Average hours spent
- In FY24, average testing hours per control for ToE (Test of effectiveness) increased to 16 hours, compared to 12 hours in FY22
― FS sector organizations spent the highest average hours to test transactional controls (29 hours)
Outsourcing
- 58% indicated that outsourced providers accounted for more than 20% of their SOX program efforts, indicating further opportunity for organizations to focus more on internal audit execution rather than SOX compliance
- Only 28% of respondents reported that their organizations used offshore resources (lower cost location) for SOX testing, indicating significant opportunity to lower the cost of compliance
Program structure/governance:
Level of maturity
- The majority of respondents (68%) reported their SOX programs as being in the maturing stage, up from 47% two years before, indicating significant progress toward compliance
― This trend was consistent across organizations from all sectors and revenue size
Objectives
- About half (51%) of organizations said the common objective for their FY24 SOX program was to re-review what their key controls were, followed by reducing compliance cost (42%)
External auditor reliance
- 56% of respondents indicated that the external auditor had fewer controls in scope than their organization
- Most organizations across sectors and revenue sizes stated that external auditors relied on 50% or less of their internal business process control testing
Financial impact
- 90% were unable to quantify fee savings from external auditor reliance in FY24, compared to 85% in FY22
Control environment:
Systems in-scope
- Only 17% of total controls were noted as automated, and 45% were noted as manual controls, highlighting the opportunity to migrate more controls to automated and IT-dependent manual controls, thereby making the overall control environment more robust
- Average number of in-scope systems in FY24 was 40, compared to 17 in the previous FY22 survey, reflecting growing compliance complexity
Control portfolio
- The average number of SOX key controls increased by 18% in FY24 (546) compared to FY22 (463)
- 69% of organizations modified their control portfolios, with 55% reporting an increase in in-scope control counts
Integration of non-financial risk and controls
- Only 23% expanded their control environment to include non-financial risks to SOX standards, with a key focus on cyber/IT risks (73%) and third-party risks (70%)
Documentation of control environment
- 83% of organizations used risk and control matrices, while 70% used flowcharts, to document their control environment
Testing:
Test of operating effectiveness (TOE)
- In FY24, 63% of organizations performed their TOE in two phases each year, closely aligned with FY22 responses
- 57% modified their TOE sample size and testing procedures based on risk associated with controls
Testing location and problematic areas
- Only 28% of organizations indicated using offshore resources (lower cost location) for SOX testing, highlighting potential for greater offshore (lower cost location) utilization and corresponding cost efficiencies
- 62% of organizations test key reports every year
- IPE/C&A remained problematic areas to a moderate extent for 55% of organizations
- MRCs continued to pose moderate challenges (41%)
Audit committee communications and testing walkthroughs
- 42% of organizations had audit committee reporting focused on high level summary with key updates
- 48% of organizations performed walkthroughs in a combination of independent execution and collaboration with their external auditor
- 70% of walkthroughs were predominantly conducted at the control and sub-process levels, with only 28% of organizations adopting an end-to-end approach
Technologies and tools:
GRC technology
- 68% of organizations reported using GRC technology in their SOX programs, which is consistent with the FY22 survey results (69%)
- Organizations identified Workiva (39%), AuditBoard (37%), and MS Excel (29%) as the top technologies used in their SOX programs
Satisfaction level
- The percentage of organizations satisfied with their SOX technology dropped from 92% in FY22 to 58% in FY24, indicating unmet expectations with current tools and an opportunity for improvement
