Compliance with the Sarbanes-Oxley Act remains a costly challenge for businesses, as the intensity around modifications continues to increase, according to a recent survey by Protiviti.
The continuing challenge is largely driven by the latest internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission. Also contributing is the Public Company Accounting Oversight Board’s inspection reports of external auditors that are driving these firms to spend more time on audits of their clients’ SOX compliance processes.
In Protiviti's survey, more than 460 audit executives and professionals responded to questions about changes in their organizations' approaches to SOX compliance, and their plans to address new regulatory requirements and industry guidelines for the 2015 fiscal year, as well as the cost of compliance.
The survey found that compliance programs are undergoing substantial changes, particularly in the areas of high-risk processes, baseline testing of IT reports, and entity-level controls. Changes in these areas have increased by 9%, 13%, and 10% respectively, compared to Protiviti’s 2014 SOX survey.
The automation of internal controls remains a key development goal. There is a notable year-over-year increase in large organizations with significant or moderate plans to automate more IT processes and controls. In 2014, 40% of large company respondents reported having significant or moderate automation plans; this year, 58% of large organizations describe their automation plans as significant.
Not only are SOX compliance programs undergoing major modifications, but the level of intensity of these changes has increased significantly since last year. Sixty-seven percent of respondents reported an increase in hours dedicated to addressing SOX compliance; more than half indicated that hours had increased by least 16% or more.
Fees related to external auditing and scrutiny are also increasing. As a result, at least in part, of the PCAOB’s inspection reports of external auditors, the costs of SOX compliance are going up, with 58% of all companies surveyed reporting increased external audit fees in the latest fiscal year. In terms of overall internal compliance costs (excluding external audit fees), 58% of large company respondents spent more than $1 million on SOX compliance in their most recent fiscal year, while 95% of small companies spent less than $500,000.
Three more key findings
Other results of the survey include:
• New framework implemented. Most (78%) used COSO’s new framework to guide their SOX documentation efforts in fiscal year 2014. While 63% of those companies needed to make some refinements to existing documentation and controls, only 10% required remediation work.
• Impact on business processes. 78% of respondents are currently leveraging their SOX compliance efforts to drive improvement of business processes that affect financial reporting—an 18% increase over last year.
• Better controls reported. More than half of the respondents (52%) reported that in following the requirement of SOX Section 404(b), their Internal Control over Financial Reporting (ICFR) structures have significantly or moderately improved within their organizations. Seventy-three percent of companies beyond their second year of SOX compliance reporting also noted similar improvements to their ICFR structure.