The 2025 KPMG SOX Survey

Insights based on a 2025 survey of approximately 150 SOX professionals across industry sectors

KPMG LLP is pleased to present the findings from our new 2025 SOX survey. This report provides a detailed look at the SOX programs implemented by companies of varying industries and sizes, from governance and strategy to details on execution and costs.

Our report presents summary findings and key measures from the survey data and is designed to provide insight, useful direction, and provides a basis for comparison and further analysis.

Increase in budget and level of effort

In FY24, 45% of organizations reported a rise in their SOX program costs compared to the previous year (FY24 average cost of $2.3 M compared to FY22 average cost of $1.6 M), and a 32% increase in hours incurred for the program (FY24 average hours of 15,580 compared to FY22 average hours of 11,800)
Over the past two years, the average number of systems in scope more than doubled, which is a key driver in cost and budget increases
Only 28% of organizations are using offshore resources, despite 42% noting a strategy of reducing the cost of compliance

Increase in number of in-scope systems, but no increase in percentage of automated controls

Even though the average number of in-scope systems rose from 17 in FY22 to 40 in FY24, automated controls only accounted for 17% in FY24, declining from 21% in FY22
This suggests a potential opportunity for further leveraging technology to drive process efficiency and making the overall control environment more robust

External auditors have a narrower focus; reliance related fee savings remain unclear

Over half (56%) of organizations noted their external auditors had fewer in-scope controls than they did
Although organizations adjusted their testing approach by using external auditor templates and modifying sample sizes, 90% of organizations cannot quantify fee savings from auditor reliance

Decrease in satisfaction with current tools and technologies

There was a notable dip in organizations’ satisfaction with their current SOX program technology, dropping from 92% of respondents identifying as satisfied in FY22 to 58% identifying as satisfied in FY24
The decrease in satisfaction highlights significant opportunity to enhance SOX technology capabilities and user experience

Program Budget:

Year-over-year cost

45% of organizations reported an increase in the year-over-year cost of their SOX program, Notably, the HCLS sector had the highest percentage (69%) of respondents reporting this trend
Organizations indicated that the increase in cost was driven by an increased number of controls and inflationary impacts of resources

Budget

The SOX program's average budget was reported as $2.3 M, with an average time effort of 15,580 hours
Both the average cost budget and the average time spent have substantially increased by 44% and 32%, respectively, over the past two years

Average hours spent

In FY24, average testing hours per control for ToE (Test of effectiveness) increased to 16 hours, compared to 12 hours in FY22

― FS sector organizations spent highest average hours to test transactional controls (29 hours)

Outsourcing

58% indicated that outsourced providers accounted for more than 20% of their SOX program efforts, indicating further opportunity for organizations to focus more on internal audit execution rather than SOX compliance
Only 28% of respondents reported that their organizations used offshore resources (lower cost location) for SOX testing, indicating significant opportunity to lower the cost of compliance

Level of maturity

Majority of respondents (68%) reported their SOX programs in the maturing stage, up from 47% two years before, indicating significant progress toward compliance

― This trend was consistent across organizations from all sectors and revenue size

Objectives

About half (51%) of organizations said the common objective for their FY24 SOX program was to re-review what were their key controls, followed by reducing compliance cost (42%)

External auditor reliance

56% of respondents indicated that the external auditor had less controls in-scope than their organization
Most organizations across sectors and revenue sizes, stated that external auditors relied on 50% or less of their internal business process control testing

Financial impact

90% were unable to quantify fee savings from external auditor reliance in FY24, compared to 85% in FY22

Systems in-scope

Only 17% of total controls were noted as automated, and 45% were noted as manual controls, highlighting the opportunity to migrate more controls to automated and IT dependent manual controls, thereby making the overall control environment more robust
Average number of in-scope systems in FY24 was 40, compared to 17 in the previous FY22 survey, reflecting growing compliance complexity

Control portfolio

The average number of SOX key controls increased by 18% in FY24 (546) compared to FY22 (463)
69% of organizations modified their control portfolios, with 55% reported increasing in-scope control counts

Integration of non-financial risk and controls

Only 23% expanded their control environment to include non-financial risks to SOX standards, with a key focus on cyber/IT risks (73%) and third-party risks (70%)

Documentation of control environment

83% of organizations used risk and control matrices, while 70% used flowcharts, to document their control environment

Test of operating effectiveness (TOE)

In FY24, 63% of organizations performed their TOE in two phases each year, closely aligned with FY22 responses
57% modified their TOE sample size and testing procedures based on risk associated with controls

Testing location and problematic areas

Only 28% of organizations indicated using offshore resources (lower cost location) for SOX testing, highlighting potential for greater offshore (lower cost location) utilization and corresponding cost efficiencies
62% of organizations test key reports every year
IPE/C&A remained problematic areas to a moderate extent for 55% of organizations
MRCs continued to pose moderate challenges (41%)

Audit committee communications and testing walkthroughs

42% of organizations had audit committee reporting focused on high level summary with key updates
48% of organizations performed walkthroughs in a combination of independent execution and collaboration with their external auditor
70% of walkthroughs were predominantly conducted at the control and sub-process levels, with only 28% of organizations adopting an end-to-end approach

GRC technology

68% of organizations reported using GRC technology in their SOX programs, which is consistent with the FY22 survey results (69%)
Organizations identified Workiva (39%), AuditBoard (37%), and MS Excel (29%) as the top technologies used in their SOX programs

Satisfaction level

The percentage of organizations satisfied with their SOX technology dropped from 92% in FY22 to 58% in FY24, indicating unmet expectations with current tools and an opportunity for improvement

Dive into our thinking:

The 2025 SOX survey

Download PDF