Companies spending more time on SOX compliance

Compliance with the Sarbanes-Oxley Act of 2002 (SOX) was increasingly time-consuming for most U.S. public companies in 2016, but a large portion of company leaders continue to say that the compliance work has improved their internal control over financial reporting (ICFR) structure, a new survey report shows.

More than half of the 468 public companies surveyed by global consulting firm Protiviti said they devoted more time to complying with SOX in 2016 than in 2015. In a breakdown by company revenue, the lowest percentage of respondents reporting time increases was 51% for companies with $1 billion to $4.9 billion in revenue. The $100 million to $499.99 million revenue range had the largest percentage (61%) of companies reporting an increase in time devoted to SOX compliance.

Overall, about two-thirds of the companies reporting an increase in time devoted to SOX compliance said the time spent rose by more than 10%. Top areas of change in companies’ SOX compliance programs included:

• Expansion of scope related to IT general controls (69% with at least moderate change).
• Changes/increase in process control documentation for high-risk processes (69% with at least moderate change).
• Increased scrutiny from external auditors on testing exceptions/deficiencies (68% with at least moderate change).
• Increase in scope to baseline test more IT reports (66% with at least moderate change).

Concerns over the burdens of regulation have led Congress to consider rolling back SOX requirements for at least some companies. One provision of H.R. 10, The Financial CHOICE Act of 2017, would grant certain low-revenue public companies an exemption from SOX Section 404(b), which requires auditors of public companies to attest to, and report on, management’s assessment of its internal controls. The House has passed the bill, but its fate in the Senate is uncertain.

The Center for Audit Quality, which is affiliated with the AICPA, and other investor groups have voiced opposition to any legislation that would erode SOX Section 404(b) requirements. The Protiviti survey showed that SOX compliance efforts have brought benefits to companies. One-third (34%) of respondents said their ICFR structure has significantly improved since SOX Section 404(b) compliance was required for their company. An additional 39% said their ICFR structure has moderately improved.

Almost two-thirds (65%) of respondents said their SOX compliance process has enhanced understanding of control design and control operating effectiveness. And half said SOX compliance has resulted in continuous improvement of their business processes.

“SOX requirements and practices have changed with the times, and we’re pleased to see that many companies are reaping the benefits of their compliance efforts, which is also good news for investors,” Brian Christensen, executive vice president, global internal audit and financial advisory at Protiviti, said in a news release.

“By creating streamlined and lean processes, companies can respond to new and emerging business or regulatory challenges with agility. Conversely, those who aren’t following this model and are instead always playing catch-up may struggle to remain competitive over time.”

Three factors significantly affected SOX compliance in 2016:

• PCAOB requirements. External auditors faced increasing inspection report requirements from the PCAOB, and 64% of respondents said their external auditors are placing more focus on evaluating deficiencies.
• Revenue recognition. Companies are updating controls documentation to comply with FASB’s new revenue recognition standard; 26% reported extensive or substantial increases in testing of controls over application of revenue recognition policies.
• Cybersecurity. Survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016.

—Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.