Almost 13 years after the enactment of the Sarbanes-Oxley Act (SOX), companies are grappling even more with the compliance issues raised by a law that President George W. Bush described as “the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt.”
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 probably challenges that declaration, but nonetheless, SOX remains a key challenge.
According to the latest annual Sarbanes-Oxley Compliance Survey by consultancy Protiviti, compliance with the law has been made particularly difficult by the “dynamic nature” of “potent direct and indirect forces.”
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its new Internal Control-Integrated Framework are a direct influence. The Public Company Accounting Oversight Board and its external auditor inspection reports are the indirect force.
But companies that handle these influences the best aren’t focused on perfecting individual compliance actions, the report states. Instead, they seek to improve “upstream business processes” that affect financial reporting and more “mature” compliance efforts.
“As we approach the 13th anniversary of the Sarbanes-Oxley Act, compliance remains dynamic and complicated to master for most companies,” Brian Christensen, an executive vice president with Protiviti and global leader of the firm's Internal Audit and Financial Advisory practice, said in a prepared statement. “This year’s survey shows that a majority of companies are not only spending more time and money on reporting requirements, but are also making significant changes to their compliance programs.”
Here are some survey highlights:
- The larger the company, the greater the SOX compliance costs. Aside from external audit fees, overall internal compliance costs were more than $1 million for 58 percent of large companies during their last fiscal year. Almost all small companies spent less than $500,000.
- Substantial changes in high-risk processes, baseline testing of IT reports, and entity-level controls have increased by 9 percent, 13 percent, and 10 percent, respectively.
- Most companies use the new COSO framework. For 63 percent of them, that has required more refinement than an actual overhaul of internal controls. Ten percent of companies required remediation.
- Though mastering the compliance requirements “remains an elusive state,” 78 percent of companies – 18 percent more than last year – are leveraging their compliance efforts to improve the business processes that affect financial reporting.