A carefully worded report from Protiviti about Sarbanes-Oxley Act (SOX) compliance issues indicates that the law’s impact on the C-suite has been costly and time-consuming – and likely more than executives bargained for.
According to Fine-Tuning SOX Costs, Hours and Controls: Assessing the Results of Protiviti’s 2017 Sarbanes-Oxley Compliance Survey, SOX compliance “continues to not only be dynamic, but also a subject of ongoing interest. Chief audit executives, chief financial officers, and other finance and internal audit leaders eagerly seek benchmarking data on costs, hours, control counts, and much more, as they determine how and where to streamline compliance activities while addressing numerous regulatory and market changes.”
Here’s a closer look at five key issues that are having an effect on SOX compliance today:
1. Time. A majority of organizations spent more time on SOX compliance activities last year. For two out of three of these companies, hours rose more than 10 percent, underscoring that compliance remains a time-consuming exercise.
“New focal areas for the 2016 audit which had an impact on the increase in hours include the related party audit standard AS 18 (recodified as AS 2410), the going concern assessment, non-GAAP disclosures and the associated disclosure controls, increased documentation around cybersecurity, and increased intensity in the focus on outsourced Service Organization Control reports,” Protiviti says in the report.
2. Outside resources. The time factor is why a large number of public companies now outsource or co-source their SOX compliance work. Some companies may find that stabilizes costs even though hours continue to rise, according to the report.
However, the report states, “third-party providers that replace control activities performed within the business are not captured under the SOX compliance budget, but rather under the business unit budget, because internal transaction controls shift to controls that are reviewed through providers. Thus costs are dispersed and not necessarily captured as part of SOX compliance activities. Nevertheless, management should understand how and where these compliance costs are being incurred in the organization.”
3. Costs. Most companies have now completed implementation of the updated COSO 2013 Internal Control—Integrated Framework, a $50,000 to $100,000 requirement, according to the report.
Still, compliance costs have risen sharply in the last two years. While some companies report a decrease – likely because of outsourcing the work – there’s an increase over last year in the number of companies that are spending $2 million or more.
Financial services companies spend more than those in other industries, followed by energy/utilities, manufacturing, and technology/telecommunications.
What’s more, the survey this year introduced the number of unique locations a company has. The greater the number of locations, the higher the compliance costs – with as much as a $1 million swing between companies with the least and greatest number of locations.
Thirty-two percent of companies with more than 12 locations spent $2 million or more on compliance, followed by 21 percent of companies with 10 to 12 locations, and 12 percent of companies with four to six locations.
On the flip side, 60 percent of companies with one to three locations spent $500,000 or less on compliance, followed by 44 percent with four to six locations, and 31 percent with seven to nine locations.
4. Control counts. Likewise, the greater the number of company locations, the greater the control counts. This year, the percentage of entity-level controls classified as key controls increased. That’s likely because of implementation of the updated COSO framework.
5. Compliance influences. SOX compliance efforts continue to be impacted by new and emerging influences – from the Financial Accounting Standards Board’s (FASB) new revenue recognition standard and cybersecurity concerns to the Public Company Accounting Oversight Board’s (PCAOB) inspection reports on external auditors and the resulting effects on audits of internal control over financial reporting, according to the report.
For example, the new revenue recognition rules’ biggest impact on SOX compliance will come a year after it takes effect, and companies should expect another round of significant accounting preparation and SOX compliance program changes two years from now when the FASB’s new lease accounting standard takes effect, the report states.
Fifty-six percent of public companies started the process of updating controls documentation in 2016, ahead of the new revenue recognition standard going into effect for most companies in 2018. Those that completed the antecedent work to meet the new standard have already identified gaps and updated critical accounting policies; 26 percent noted extensive or substantial increases in testing of controls over application of revenue recognition policies.
Turning to PCAOB requirements, 75 percent of firms whose external auditors required significant changes to SOX compliance activities attribute this increase to PCAOB inspection reports. In particular, 64 percent of organizations say their external auditors are placing more focus on evaluating deficiencies.