The cost for Sarbanes-Oxley compliance isn't cheap, but the outlay of resources tends to stabilize and even drop in ensuing years, according to a new study.

Nine years after the accounting reform law sought to audit auditors in the wake of the Enron and WorldCom accounting frauds, internal control over financial reporting has strengthened, not waned, in spite of staffing issues associated with the struggling economy.

Eighty-nine percent of more than 400 respondents to the "2011 Sarbanes-Oxley Compliance Survey" by Protiviti, an independent global risk and internal audit and advisory firm, said the recession didn't make a dent in compliance, while just under half (45 percent) said that internal control over financial reporting at their companies is better today than a year ago.

There are several reasons for this, says Bob Hirth, executive vice president of Protiviti and leader of the firm's global internal audit and financial controls practice, starting with the experience curve, as organizations go through the auditing compliance process through its fourth and fifth generations. There were also more clarifications that came out in recent years, such as Auditing Standard Nos. 2 and 5.

"You saw the rules get clarified a bit more," says Hirth. "They also got a better understanding of what was important in the auditing and what wasn't."

The findings also revealed an important element about the accounting law: the strategies companies employ are evolving with maturity. Most of the companies polled handle all of their Sarbanes-Oxley compliance work internally. Most began their Sarbanes-Oxley compliance efforts by outsourcing the majority of their work; but in subsequent years, outsourcing to external auditors has shrunk dramatically.

Just as significant, the primary owner of Sarbanes-Oxley compliance initiatives in most organizations still remains the internal audit function, followed by the audit committee and executive management.

"Internal audit was the first group in most companies to get organized in anticipation of SOx and they're able to maintain their objectivity and independent positions because they report to the audit committee," says Hirth. "If internal audit ultimately had to test their own work, they would lose that objectivity."

The genesis of Sarbanes-Oxley was to provide a second set of eyes looking over the shoulders of auditors, but the study suggests it has had several positive unintended consequences. For instance, the compliance efforts have enhanced understanding of control design and control operating effectiveness, while also increasing effectiveness and efficiency of operations. Internal audit, moreover, is able to perform more traditional audits in areas other than financial reporting processes.

Overall, companies said they planned to reduce compliance costs over the year, but that reduction is expected to be nominal -- less than 10 percent on average.

The study also found there are still inefficiencies being worked through. To improve the effectiveness of Sarbanes-Oxley compliance, organizations are using peer benchmarking, using risk-based testing and establishing process owner accountability. There is also significant movement toward increasing the number of automated controls, using continuous monitoring tools and techniques and decreasing the number of manual controls.

"Organizations' systems of internal control over financial reporting need to be dynamic and constantly improved in order to effectively react to and address changes in operations and the external environment, such as new regulations, technology, accounting principles, industry issues and business models," says Hirth.