New developments associated with the Sarbanes-Oxley Act of 2002 (SOX) have companies changing their compliance processes more than a decade after the law was enacted, according to a new survey report.
Organizations reporting rises in SOX compliance costs and external audit fees in 2012 vastly outnumbered those reporting decreases, according to global consulting firm Protiviti’s 2013 Sarbanes-Oxley Compliance Survey report.
In one emerging development, PCAOB inspections of audit firms are placing increased pressure on external auditors to audit internal control over financial reporting (ICFR) more thoroughly, according to the report. In December, the PCAOB issued a 31-page report on deficiencies found in audits of ICFR to help auditors avoid common problems.
Another development that may require companies to refine how they assure the effectiveness of their internal control systems is the update of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The AICPA is a participating organization in COSO, whose updated framework was issued Tuesday.
The U.S. economy’s slow recovery from the recent financial crisis, and usual business changes such as mergers, acquisitions, and restructuring, also have contributed to the need for improvements in SOX compliance, according to the Protiviti report.
As a result, costs are rising for many of the nearly 300 public companies surveyed for the report. More than one-third (38%) of companies reported that SOX compliance costs rose year-over-year in 2012, while just one in 10 said these costs decreased. But companies said on average that the costs for SOX compliance are not extraordinarily high relative to the objective of quality financial reporting through improved internal controls.
Nearly half (47%) of respondents said external audit fees increased in 2012 over 2011, while just 9% said these fees decreased.
While bearing these costs, companies also are refining their compliance processes and trying to use them to build value in addition to increasing effectiveness, according to the report. Two in three companies reported at least moderate changes or increases in process and control documentation for high-risk processes in the past year.
Six in 10 said they devoted more time in the past year to audit “walkthroughs” to gain and document understanding of key business processes.
The report also says:
- Increasing scrutiny of high-risk processes can increase compliance effectiveness and efficiency.
- Internal audit functions are gaining more SOX compliance oversight duties as more companies shift these responsibilities away from project management offices.
- There are significant opportunities for organizations to automate more of their key controls to create efficiencies.
The good news for companies is that this focus on compliance appears to be generating positive results. Four out of five organizations surveyed said their ICFR structure has improved since SOX Section 404(b) was required for their organization. Almost two in three (64%) said their ICFR structure has improved moderately or significantly in that time.
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.