SOX Compliance Survey Shows Need for More Scrutiny on High-Risk Processes

Demand for added attention to high-risk processes, growing costs, and the increasing role of IT controls and testing reports are some of the key changes and challenges companies faced over the last year as they worked to meet Sarbanes-Oxley (SOX) requirements, according to findings in the 2013 Sarbanes-Oxley Compliance Survey by global consulting firm Protiviti.

When executives and professionals involved in SOX compliance were asked what was driving the most change in their SOX compliance processes, 66 percent said there was at least moderate change due to demand for increasing process and control documentation for high-risk processes. Additionally, 60 percent of respondents indicated that the increased amount of time required for walkthroughs and documentation around processes was also driving moderate change.
 
"To continue to improve their SOX compliance efforts, companies need to intensify their scrutiny of high-risk processes, such as financial reporting, accrual processes, stock options and equity, and taxes," said Brian Christensen , Protiviti's executive vice president for global internal audit. "The study shows that companies are beginning to adjust in that direction, and the shift aligns with guidance from the SEC and PCAOB."
 
"It's important to note that SOX compliance programs and processes should remain agile and ready to change course if public companies are to adhere to the law in an effective and cost-efficient manner," said Christensen. "As demonstrated by regulators, providers of ongoing guidance (e.g., COSO), and rapidly changing business conditions, the achievement of sustainable, cost-effective, and value-enhancing compliance processes remains an ongoing journey that requires continual vigilance."
 
With regard to the new COSO internal control framework, 66 percent of the Protiviti survey respondents were aware of the revision process. Not surprisingly, the vast majority (85 percent) were against early implementation in 2013. If given an adoption option, respondents were fairly evenly split across several potential implementation schedules, including fiscal year 2014 and adoption after 2014.
 
Shifting Responsibility to the Internal Audit Function
Year-over-year findings about which area within an organization is responsible for overseeing SOX compliance showed a sizeable shift toward the internal audit function and away from project management. In 2012, the survey found that 30 percent of organizations housed this responsibility with the internal audit function, while 25 percent handled SOX compliance through their project management office. However, in this year's survey, 45 percent of respondents said internal auditing managed SOX compliance (up 15 percent), while only 10 percent said it was handled by project management (down 15 percent).
 
One reason for this shift is the willingness of external auditors to rely on the work of internal audit departments rather than other functions. In 2013, only 25 percent of respondents said there was an increase in external auditors' reliance on documentation, walkthroughs, and testing performed outside of the internal audit function, while 39 percent said there was an increase from external auditors in having the same work done by internal audit departments.
 
Additional Survey Findings
  • Eighty percent of respondents indicating they have seen improvements in internal control over financial reporting structure since Sarbanes-Oxley Section 404(b) was first required for large accelerated and accelerated filers in 2004. This is especially true for large accelerated filers, with 87 percent saying there have been improvements.
  • More than one-third of companies (38 percent) reporting a year-over-year increase (from 2011 to 2012) in SOX costs. Nearly half of the companies surveyed (47 percent) also reported a year-over-year increase in external audit fees during the same period. That said, on average, the costs for SOX compliance are not extraordinarily high relative to the objective of quality financial reporting to investors through improved internal controls. For most organizations, the cost of SOX compliance remains at a manageable level.
  • Automation of controls continues to be an area of increased focus, with 90 percent of companies surveyed indicating they have plans to automate IT processes and controls for SOX compliance (up from 83 percent in 2012).
About the Survey
In its fourth edition, Protiviti's 2013 Sarbanes-Oxley Compliance Survey gathered insights from 297 executives and professionals at companies with gross annual revenues ranging from less than $100 million to more than $20 billion. The survey was conducted in late 2012 and early 2013, and respondents included chief audit executives, chief financial officers, corporate Sarbanes-Oxley and project management office leaders, chief compliance officers, and others involved with SOX. The survey is available for complimentary download. Additionally, a video featuring Protiviti's Brian Christensen discussing key trends in SOX compliance based on the survey results is available.
 
Source: Protiviti
 

You may like these other stories...

Regulators struggle with conflicts in credit ratings and auditsThe Public Company Accounting Oversight Board (PCAOB), which was created by the Sarbanes-Oxley Act in 2002, released its third annual report on audits of...
Regulatory compliance, risk management and cost-cutting are the big heartburn issues for finance execs in the C-suite. Yet financial planning and analysis—a key antacid—is insufficient.That's just one of the...
A review of Financial Accounting Standards Board (FASB) guidance on share-based payment transactions found that the 2004 standard achieves its purpose and provides useful information to investors and other users of financial...

Already a member? log in here.

Upcoming CPE Webinars

Aug 26
This webcast will include discussions of recently issued, commonly-applicable Accounting Standards Updates for non-public, non-governmental entities.
Aug 28
Excel spreadsheets are often akin to the American Wild West, where users can input anything they want into any worksheet cell. Excel's Data Validation feature allows you to restrict user inputs to selected choices, but there are many nuances to the feature that often trip users up.
Sep 9
In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
Sep 11
This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.