SOX 404 Trends for Next Year Beginning to Emerge
As public companies strive to meet compliance deadlines for Section 404 of the Sarbanes-Oxley Act, trends related to how companies will implement an efficient and effective process beyond the initial year of compliance are beginning to emerge, according to the results of a new survey released by Ernst & Young.
The survey, the third in a series, is part of an ongoing study from Ernst & Young's Business Risk Services practice entitled "Emerging Trends in Internal Controls." The study takes an in-depth look at emerging trends in Section 404 compliance, and polls nearly 100 large, public companies
representing a diverse cross-section of industries. This survey provides an update on the progress large public companies are making in 404 compliance and addresses key issues such as the level of effort involved; the amount of testing being done; key areas of remediation; and the extent and frequency of executive and audit committee oversight and communications.
The survey shows a sharp increase in the urgency of public company first-year efforts to meet compliance deadlines, with 46 percent of companies expecting largely to complete evaluation and testing of 404-related controls only one to two months before their fiscal year end, compared to only 13 percent in the previous survey. In addition, 30 percent of companies reported the time they expect to spend complying with Section 404 has increased by nearly 50 percent, due in large part to the increased number of controls identified for testing.
With 404-related controls testing comprising the largest portion of ongoing effort beyond the first year of compliance, trends for addressing this important area are beginning to emerge. In Year 2, companies anticipate that their testing resources will continue to be primarily those dedicated to 404 testing, as well as resources supplied by Internal Audit functions. In many cases, third-party resources are expected to be used to support these functions, in addressing the unique skills and cyclical demands for testing.
Some companies are also using or exploring the potential to use control self assessment (80 percent), continuous controls monitoring and analytics (48 percent), and, to a lesser extent, management self testing to support their Year 2 efforts.
"After dedicating an extraordinary level of effort to meet 404 compliance deadlines, companies are starting to look ahead in towards 404 sustainability while containing costs and finding value in the process," said Tom Bussa, Global Director of Ernst & Young's Business Risk Services.
"Although most are still primarily focused upon first-year compliance, there is increasing recognition that a long-term view and plan are required."
In fact, most companies are now beginning to build the infrastructures and embed the technologies needed to sustain 404 compliance for the long term. In addition, many are also recognizing additional benefits from investments. For example, nearly two-thirds of companies expect to benefit from improved financial processes. Approximately 40 percent expect to extend risk coverage beyond financial reporting, and more than one-third are anticipating benefits stemming from systems enhancements.