SOX compliance costs rise for many companies, report finds

BY KEN TYSIAC

New developments associated with the Sarbanes-Oxley Act of 2002 (SOX) have companies changing their compliance processes more than a decade after the law was enacted, according to a new survey report.

Organizations reporting rises in SOX compliance costs and external audit fees in 2012 vastly outnumbered those reporting decreases, according to global consulting firm Protiviti’s 2013 Sarbanes-Oxley Compliance Survey report.

In one emerging development, PCAOB inspections of audit firms are placing increased pressure on external auditors to audit internal control over financial reporting (ICFR) more thoroughly, according to the report. In December, the PCAOB issued a 31-page report on deficiencies found in audits of ICFR to help auditors avoid common problems.

Another development that may require companies to refine how they assure the effectiveness of their internal control systems is the updated framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The AICPA is a participating organization in COSO, whose updated framework was issued Tuesday.

The U.S. economy’s slow recovery from the recent financial crisis, and usual business changes such as mergers, acquisitions, and restructuring, also have contributed to the need for improvements in SOX compliance, according to the Protiviti report.

As a result, costs are rising for many of the nearly 300 public companies surveyed for the report. More than one-third (38%) of companies reported that SOX compliance costs rose year-over-year in 2012, while just one in 10 said these costs decreased. But companies said on average that the costs for SOX compliance are not extraordinarily high relative to the objective of quality financial reporting through improved internal controls.

Nearly half (47%) of respondents said external audit fees increased in 2012 over 2011, while just 9% said these fees decreased.

While bearing these costs, companies also are refining their compliance processes and trying to use them to build value in addition to increasing effectiveness, according to the report. Two in three companies reported at least moderate changes or increases in process and control documentation for high-risk processes in the past year.

Six in 10 said they devoted more time in the past year to audit “walkthroughs” to gain and document understanding of key business processes.

The report also says:

  • Increasing scrutiny of high-risk processes can increase compliance effectiveness and efficiency.
  • Internal audit functions are gaining more SOX compliance oversight duties as more companies shift these responsibilities away from project management offices.
  • There are significant opportunities for organizations to automate more of their key controls to create efficiencies.


The good news for companies is that this focus on compliance appears to be generating positive results. Four out of five organizations surveyed said their ICFR structure has improved since SOX Section 404(b) was required for their organization. Almost two in three (64%) said their ICFR structure has improved moderately or significantly in that time.

Ken Tysiac (ktysiac@aicpa.org) is a JofA senior editor.
