Protiviti’s 2016 Sarbanes-Oxley compliance survey shows increased investment of time and money is paying off
The continued investment in Sarbanes-Oxley (SOX) compliance has enabled organizations to create better systems for internal controls, according to Protiviti’s 2016 Sarbanes-Oxley compliance survey report, Understanding the costs and benefits of SOX compliance. The survey included more than 1,500 respondents at companies of various sizes across a range of industries in the first quarter of this year and examined several factors influencing annual spending on SOX compliance.
‘With the amount of time and money invested in Sarbanes-Oxley compliance on the upswing, we’re pleased to see the growing investment is paying off, with more companies reporting better and more streamlined internal control structures and business processes,’ says Brian Christensen, executive vice president and leader of Protiviti’s internal audit and financial advisory practice. Two-thirds of respondents who say their organizations have mature SOX compliance processes say they believe there have been significant or moderate improvements to internal control over financial reporting as a result of their increased spending on compliance.
On average, organizations spend two to three more hours per key control compared with several years ago, and the report advises that organizations should plan to spend between six and seven hours testing each key control. The average annual cost of SOX compliance ranges from $2.1 million at companies with more than $20 billion in revenue to nearly $1.4 million at companies with $10 billion to $20 billion in revenue, down to $367,000 at firms with revenue below $100 million.
One significant change from last year’s survey is a jump in the portion of respondents who say their companies are challenging the credentials (objectivity and competency) of others performing testing, to 28 percent from 17 percent in 2015. ‘I believe that a large part of this is due to the increased focus of the [Public Company Accounting Oversight Board] in the area of external auditor reliance,’ says Keith Kawashima, an internal audit managing director at Protiviti. ‘While the auditors are allowed to rely on the work of others, they can only do so where they can demonstrate that the work was performed by someone who is competent and objective.’
As many as 25 percent of respondents state that their organizations continue to outsource SOX compliance activities related to IT controls beyond their second year of SOX compliance. Kawashima says that because SOX activities aren’t split up evenly across the calendar year and tend to ramp up during peak periods – usually in the last six months of the year – companies don’t need large numbers of knowledgeable people throughout the year. Hiring and retaining individuals in-house who are knowledgeable about SOX requirements, especially in the IT field, is often a concern. ‘The labor market for accountants and IT professionals continues to be extremely tight and is even tighter for those with appropriate backgrounds and qualifications for SOX internal controls knowledge,’ Kawashima says.
Thirty-two percent of respondents say they use co-sourcing beyond the second year of SOX compliance through a combination of in-house personnel and external professionals. Co-sourcing or outsourcing beyond the second year is justified when there aren’t enough qualified internal staff members to meet the needs of IT testing and quality assurance. ‘This gap could exist either in the qualifications and skillset of the internal individuals or in the hours available to complete the task,’ says Kawashima. ‘A company may need an individual with very deep knowledge of configurable IT controls, but may only need two weeks of his or her time, so it would not make sense to employ a [permanent, full-time] resource with that specific skill set.’
Outsourcing is a way to find highly skilled individuals who are up to date on SOX compliance. Kawashima suggests that managers interested in determining whether someone is knowledgeable about PCAOB requirements look for certifications like CIA (Certified Internal Auditor) or CISA (Certified Information Systems Auditor) among candidates’ credentials.
There are advantages and drawbacks in continuing to outsource after a couple of years of SOX compliance. Kawashima says that outsourcing ensures that companies get appropriate individuals who are current on Section 404 of the Sarbanes-Oxley Act and knowledgeable about internal controls and PCAOB expectations.
Kawashima cautions, however, that companies need a process or mechanism to capture the information and knowledge provided by outsourced personnel. ‘Often, when these individuals leave the company, they walk out the door and take that knowledge with them.’ Companies need to look closely at how they manage their SOX projects and ensure that outsourced personnel document their work before they leave. ‘Typically there is a lead, or PMO (project management officer) for the SOX process who is responsible for establishing requirements for what is captured, as well as company-specific forms and formats, storage locations, file structures, naming conventions, and project status, as well as process improvement opportunities.’