Tracking the Evolution of Sarbanes-Oxley Compliance
August 5, 2011

Has risk management ever been more of a dominant issue for organizations than it is today? A string of devastating natural and man-made disasters worldwide coupled with continuing aftereffects of a global financial crisis have placed companies in the spotlight of shareholders, governments and the public, all of whom want assurances that companies understand and are managing their risks effectively.
These issues are just the latest in a decade-long movement to enhance risk management in public companies, a trend that began in 2002 with the passage of the Sarbanes-Oxley Act (SOX). That legislation placed new requirements on companies to establish strong and sound internal control over financial reporting. Not only did it require management to report on the effectiveness of these controls, it also required attestation by the company's external auditor. For management and the board of directors at publicly held organizations, a new level of risk management and internal control was required to address financial reporting risk and remains so nine years later.
So where does SOX compliance stand today? Protiviti recently surveyed more than 400 finance leaders to find out. Overall, the results of the firm's annual Sarbanes-Oxley Compliance Survey reveal the news is becoming better for many organizations as their compliance efforts mature.
Impact of Economic Events
According to the survey, 89 percent of respondents said the global recession did not have an adverse effect on their SOX compliance efforts. In fact, 45 percent said internal control over financial reporting in their organizations is better now than it was one year ago – a positive development that indicates organizations continue to enhance the quality of their internal controls and the efficiency and effectiveness of their compliance processes. It may, however, be too early to state definitively how the recession will affect the internal control environment over the long term.
Sarbanes-Oxley Compliance: Cost, Value and Benefits
Compliance costs continue to run the gamut and depend on many variables. According to the survey, by year four of complying with SOX, most organizations spend in the range of $100,000 to $1 million annually on compliance-related activities, depending on size. After year four, few spend more than $1 million. And looking ahead, companies, regardless of size or year of SOX compliance, plan to reduce compliance costs in the coming year, but the reduction will be relatively nominal – less than 10 percent on average.
So is the expense worth it? That answer depends heavily on the maturity of a company's compliance process, according to survey respondents. While first-year companies generally say the costs of SOX outweigh the benefits, those in year two and beyond say just the opposite: the benefits of SOX compliance outweigh the costs. The benefits most often cited in the survey include an enhanced understanding of control design and control operating effectiveness, increased effectiveness and efficiency of operations, and the ability of internal audit to perform more traditional and valuable audits in areas other than financial reporting processes.
Evolving Maturity of the Sarbanes-Oxley Compliance Process
According to Protiviti's survey respondents, Sarbanes-Oxley work is continuing its move in-house. Approximately 50 percent of all companies now handle all of their SOX compliance work internally. These results are relatively consistent across company size, though 26 percent of large organizations rely on at least two external service providers for assistance. Respondents also shared that they typically outsourced the highest percentage of SOX work during the first year of compliance and less in subsequent years.
In looking at how companies handle their Sarbanes-Oxley compliance efforts, a few additional trends emerged:
- The internal audit function remains the primary owner of compliance efforts in most organizations followed by the audit committee and executive management.
- Accelerated filers outsource significantly more of their SOX compliance efforts compared to large accelerated and nonaccelerated filers.
- Most companies are satisfied that their external audit firms are maximizing their reliance on work performed by others for low- and medium-risk processes.
Sarbanes-Oxley Compliance: Strategies and Inefficiencies
Survey respondents agreed on a need for continuous improvement in their compliance efforts. To improve the efficiency and effectiveness of SOX compliance, they are most frequently employing strategies such as applying lessons from previous years and peer benchmarking, using a risk-based testing approach, and establishing process owner accountability. Increasingly, finance leaders are considering technology as a way to streamline their efforts. Responses indicate there continue to be significant opportunities for organizations to automate more of their key controls and gain a competitive advantage. In fact, more than one in three organizations are planning to automate more of their controls.
Perspectives from Nonaccelerated Filers
A majority of nonaccelerated filers believe they would be in good shape if they had to comply with SOX in the near future. According to the survey, 56 percent of nonaccelerated filers – who became exempt from having to comply with Section 404(b) of SOX (the auditor attestation of internal control over financial reporting) with the passage of the Dodd-Frank Act in July 2010 – reported their organizations were “very prepared” to comply with Section 404(b) when Dodd-Frank pulled the plug on the requirement, while 29 percent said they were “somewhat prepared.” These filers, however, also noted areas related to IT and automation – including IT general controls, spreadsheet controls and segregation of duties – would have required the most attention if they were required to comply with Section 404(b).
Bob Hirth is executive vice president of Protiviti's global internal audit practice.
Thank you for the posts. I found the information to be informative and useful.
A passive, nonindependent, and rubber-stamping board of directors made up of members selected by the CEO or chairman of the board is not a guarantee of effective oversight of management actions and conduct.
ratings
There was one financial institution who downgraded the US to AA. Otherwise the downgrade isn't really happening folks; this was basically an isolated group and no one else is downgrading us.