According to consulting firm Protiviti’s 2015 Sarbanes-Oxley Compliance Survey, the costs of Sarbanes-Oxley Act compliance continue to increase, even though the statute has been on the books for 13 years. Factors that have prevented SOX compliance costs from reaching a steady state include the new COSO internal control framework (see May 2013 Update) and fallout from PCAOB inspections. These conclusions are generally consistent with last year’s survey (see June 2014 Update). Protiviti states that four “notable findings” of its 2015 survey are –
- SOX compliance costs, together with external audit fees and scrutiny, are increasing. Nearly 75 percent of organizations reported that their audit firm is “placing more focus” on evaluation of ICFR. As a corollary, audit fees rose for 58 percent of companies in their most recent fiscal year. Internal compliance costs rose as well, although, not surprisingly, costs are a function of company size: 58 percent of large companies (with revenues over $1 billion) reported spending more than $1 million in their most recent fiscal year, and 25 percent reported spending over $2 million. At the same time, 95 percent of companies with revenues under $100 million spent less than $500,000.
- A strong majority of companies are now using the new COSO framework, and they required only ICFR refinements rather than a rebuilding effort. Overall, 78 percent of companies in the survey reported that they used new COSO as their ICFR framework in fiscal year 2014. For 63 percent of those companies, the switch from old COSO involved only “refining” their existing controls, rather than an “overhaul” of internal control. However, ten percent of companies required some type of control remediation, and one percent had to rebuild their controls from scratch.
- Compliance programs are undergoing substantial changes, especially regarding high-risk processes, IT controls and entity-level controls. An increasing number of organizations have plans to automate more of their IT processes and controls. Last year, 40 percent of large company respondents reported having significant or moderate automation plans; this year, 58 percent of large organizations described such plans.
- While compliance mastery remains an elusive state, more companies are looking to generate value from their compliance activities. In this regard, 22 percent of respondents said that their ICFR reporting structure has “significantly improved” since the company became subject to the Sarbanes-Oxley ICFR external audit requirement, while an additional 30 percent believe that the company’s reporting structure had “moderately improved.”
As noted above, 58 percent of the 460 companies in the Protiviti study reported that their audit fees rose in 2014, while 12 percent said fees declined and 30 percent indicated that fees stayed the same. For six percent of the companies reporting an increase in audit fees, the amount of the increase was 20 percent or more; for 23 percent, the increase was five percent or less. Significant numbers of respondents reported that the PCAOB’s audit firms inspection reports were having an “extensive/substantial” impact on the costs of their organization’s Sarbanes-Oxley compliance activities. The top three areas in which extensive/substantial cost impacts were reported were “testing review of controls” (51 percent), “testing system reports and other information produced by entity” (46 percent), and “evaluating identified control deficiencies” (31 percent). Protiviti also asked who in the organization had primary responsibility for executive sponsorship of Sarbanes-Oxley compliance and who had primary responsibility for executing SOX compliance efforts. As to sponsorship, 26 percent identified executive management, while 25 percent pointed to the audit committee. “All others” – which excluded executive management, the audit committee, management and/or process owners, and internal audit — placed first in terms of sponsorship at 29 percent. As to execution responsibility for SOX compliance, 52 percent of respondents identified internal audit; audit committees were deemed to have primary execution responsibility by only two percent. Comment: Audit committees may have opportunities to consider whether there are ways to convert some of their company’s SOX compliance costs into an investment in more effective and efficient financial reporting and information gathering processes. Protiviti observes that the companies that have been best able to respond to the challenges of new COSO and the regulatory scrutiny of ICFR “do not focus on perfecting individual compliance activities” but rather target “improvements in upstream business processes affecting financial reporting, as well as achieving higher levels of maturity in their overall compliance efforts.” The survey results indicated that large companies have done better than midsize and small companies at generating value from SOX compliance, although, in Protiviti’s view “companies of all sizes have an opportunity to strengthen ICFR and leverage SOX efforts for business process improvements related to financial reporting over time.”
