An overwhelming majority of finance and audit executives say that the global recession didn’t impact their Sarbanes-Oxley (SOX) compliance efforts, according to new research from Protiviti. In fact, 45 percent of respondents to Protiviti’s 2011 Sarbanes-Oxley Compliance Survey say that internal control over financial reporting in their organisations is better now than it was one year ago.
The business consulting and internal audit firm's survey – which includes feedback from a combination of more than 400 executives, corporate SOX leaders and audit professionals across a variety of industries – assesses the current state of SOX compliance, related costs, associated benefits and value, as well as how to achieve a desired state of verifiable compliance and sustainability. This is the second year the survey has been conducted, and this year it includes two new sections focusing on the impact of the economic events of 2009 on ongoing compliance with SOX requirements and the exemption of non-accelerated filers from Section 404(b) compliance as stipulated in the Dodd-Frank Act.
“Our survey results demonstrate that nine years after the passage of Sarbanes-Oxley, companies remain committed to continuously improving their compliance efforts – despite ongoing economic challenges and global instabilities,” says Bob Hirth, Protiviti executive vice president and leader of the firm’s global internal audit and financial controls practice. “Organisations’ systems of internal control over financial reporting need to be dynamic and constantly improved in order to effectively react to and address changes in operations and the external environment, such as new regulations, technology, accounting principles, industry issues and business models.”
The vast majority, 89 percent, of respondents said the global recession did not have an adverse effect on their SOX compliance efforts. “In reality, it may take a number of years to gain a clear picture of the effects the global economic crisis may have created,” Hirth says. “If an organisation reduced its workforce or streamlined its processes with a resulting effect on its internal control structure, mistakes may increase over time. Given this, it will be interesting to monitor these survey results over the next few years to see what patterns develop.”
According to the survey, by year four of SOX compliance, most organisations spend in the range of US$100,000 to $1 million annually on SOX compliance-related activities. More than 80 percent of small companies spend less than $100,000 annually, and nearly 70 percent of mid-sized companies spend less than $500,000 on SOX compliance.
Companies, regardless of size or year of compliance, plan to reduce SOX compliance costs in the coming year, but that reduction is expected to be nominal – less than 10 percent on average, finds the survey.
Compared to 2010 survey results, more organisations are applying COSO’s guidance on monitoring internal control systems, and one in three reports this is having a positive impact on their SOX compliance activities.
About 50 percent of organisations handle their SOX compliance efforts internally; this statistic is relatively consistent regardless of company size.
Fifty-six percent of non-accelerated filers – who became exempt from having to comply with Section 404(b) of SOX (the auditor attestation of internal control over financial reporting) with the passage of the Dodd-Frank Act in July 2010 – reported their organisations were “very prepared” to comply with Section 404(b) when Dodd-Frank pulled the plug on the requirement, while 29 percent said they were “somewhat prepared.” These filers, however, also noted that areas related to IT and automation – including IT general controls, spreadsheet controls, and segregation of duties – would have required the most attention if they were required to comply with Section 404(b).
“While non-accelerated filers currently are exempt under law from the need to comply with Section 404(b), the question is whether this exemption is permanent,” says Jim DeLoach, Protiviti managing director and the firm's senior SOX practice leader as well as a key survey architect. “If restatements by these filers were to trend upwards and restatements by companies complying with Section 404(b) were to continue trending downward, Congress could decide to revisit whether a new law should be enacted to mandate compliance. In addition, an organisation cannot rule out the possibility that it could grow beyond non-accelerated filer status and, as a result, be compelled to comply with Section 404(b).”
The survey also finds that organisations are increasingly looking to IT solutions to improve the effectiveness and efficiency of their compliance efforts. Among the top three strategies respondents plan to employ in 2011 and beyond:
1. Increasing the number of automated controls
2. Using continuous monitoring techniques
3. Decreasing the number of manual controls
MORE ARTICLES ON AUDIT