As the Sarbanes-Oxley Act celebrates lucky birthday number 13 this summer, it’s tempting to hold the view that, by now, most public companies have – or should have – mastered the compliance process and achieved a level of stability in the costs and hours required. Unfortunately, this is not the case, largely because of the dynamic nature of SOX compliance.
Potent external forces continue to exert influence, both direct (e.g., the Committee of Sponsoring Organizations’ [COSO] new Internal Control – Integrated Framework) and indirect (e.g., the Public Company Accounting Oversight Board’s [PCAOB] external auditor inspection reports), on how SOX compliance is governed, executed, audited and regulated. Companies that are able to respond to these considerable changes most effectively and with the most confidence do not focus on perfecting individual compliance activities. Rather, they target improvements in upstream business processes affecting financial reporting, as well as higher levels of maturity in their overall compliance efforts.
In our 2015 Sarbanes-Oxley Compliance Survey, we find that more companies continue to concentrate on strengthening their ability to leverage SOX compliance requirements to achieve improvements in their financial reporting and other business processes. And as part of these efforts, they certainly aspire to achieve broader organizational efficiencies and enhancements. But this remains a moving target: Obstacles continue to emerge, and the costs and hours continue to go up.
Notable findings this year:
SOX compliance costs, together with external audit fees and scrutiny, are increasing – External auditors are enhancing their scrutiny of internal controls and their fees are increasing as a result. Nearly three out of four organisations reported that their external audit firm is placing more focus on evaluation of internal control over financial reporting (ICFR), and external audit fees rose for more than half of companies in the most recent fiscal year. In terms of overall internal SOX compliance costs (excluding external audit fees), 58 percent of large company respondents spent more than $1 million in their most recent fiscal year, while 95 percent of small companies spent less than $500,000. Bottom line: The larger your company, the more you will need to invest in SOX compliance.
A strong majority of companies are now using the new COSO framework, and they required only ICFR refinements rather than a rebuilding effort – The vast majority of organizations moved swiftly to implement COSO’s new Internal Control – Integrated Framework in the past year. For these organizations, our findings show that this implementation turned out to be more a matter of refining their internal controls than of overhauling them and starting from scratch.
Compliance programs are undergoing substantial changes, especially regarding high-risk processes, IT controls and entity-level controls – SOX compliance programs are undergoing major modifications in numerous areas; moreover, the level of intensity of these changes is increasing markedly compared to last year’s survey results. Automation of controls marks another area of important change. There is a notable year-over-year increase among large organisations with significant or moderate plans to automate more IT processes and controls.
While compliance mastery remains an elusive state, more companies are looking to generate value from their compliance activities – In a growing number of companies, required changes to ICFR – driven in part by the new COSO internal control framework and increased external auditor scrutiny resulting from the PCAOB’s inspection reports of external auditors – are being used to drive continuous improvement of business processes related to financial reporting throughout the organisation.
Download the Protiviti 2015 Sarbanes-Oxley Compliance Survey here