SOX Compliance: PCAOB Inspections Drive Change in External Audits

Ana Amato, Managing Director Internal Audit and Financial Advisory

What a difference a year makes. Since the Public Company Accounting Oversight Board (PCAOB) began publishing inspection reports on external auditors, Protiviti has been measuring the effect of those reports on Sarbanes-Oxley (SOX) compliance activities in our annual SOX Compliance Survey.

In our most recent survey, we asked companies that experienced significant changes to SOX compliance activities in 2016, “To what extent do you believe those changes are the result of the inspections of the registered accounting firms by the PCAOB?” Three out of four responded “very much so,” or “probably.”

The biggest changes according to the survey were in risk assessment and scoping, which increased to 38 percent from 29 percent; and using the work of others, which increased to 49 percent from 30 percent. Both categories are highly correlated with findings that have come out of the inspection reports.

One of the biggest reported changes this year was an increase in testing information provided by entity (IPE). We know that the PCAOB has issued reports with findings across the board challenging external auditors to “trust but verify” through testing the information provided to them by organizations under audit. In fact, the testing of IPE for data used to execute key controls is a central tenet of the new SOX auditor attestation requirements.

What this means to me is that auditors are going to look at IPE for key controls on at least an annual basis, if not more frequently. That’s a big difference from a couple of years ago, when it was more common to test on a rotation basis every two or three years.

One statistic that jumped out at me from this year’s survey was the fact that 40 percent of non-accelerated filers said they test IPE every time they use it. That’s an exponential increase from 1 percent in 2016 — which suggests to me the large extent to which some of these PCAOB external auditor inspection reports have permeated the reporting spectrum.

Also notable was a 13 percent year-over-year increase in the number of companies indicating that they were required to make a cybersecurity disclosure. While notable, the increase comes as no surprise, given the number of cyber attacks and breaches over the last 12 to 18 months and heightened awareness and scrutiny. I don’t think I’ve attended one board meeting in the last two years that has not addressed cybersecurity as a topic.

What that looks like from a SOX compliance standpoint is that external auditors are developing their own cybersecurity control questionnaires to ascertain a company’s process for proactively identifying possible breaches, rather than relying on a more reactive response approach. I see this as an area of focus that will continue to gain traction over the next couple of years. Predicting this trend is not a stretch, because cybersecurity is, after all, a required disclosure.

Finally, and also not surprisingly, we are seeing an increased recognition among survey respondents that while they may be able to save money and resources by outsourcing data processing and infrastructure, they cannot outsource the responsibility for controls over those areas. Our survey found that 95 percent of respondents are receiving at least some SOC 1 reports, with 50 percent requiring them from all of their outside service providers.

Of course, it is not sufficient to just obtain a SOC 1 report. Companies should also have validation procedures in place to ensure that the controls claimed by third-party vendors are both in place and actually effective. In practice, this may require on-site audits and other due diligence, including a formal control mapping process.

My colleague Jeff Tecau has talked about the costs of SOX compliance in some detail, and the overall upward trend for most companies. I see a direct correlation between that and the increased rigor around IPE, as well as the additional procedures associated with cybersecurity questionnaires and anything that needs to be done from an enterprise risk perspective to manage cybersecurity.

For a more in-depth discussion of these topics, I would encourage you to listen to the recording of our July SOX compliance webinar.