Organizations spent significantly more time and money on Sarbanes-Oxley (SOX) compliance in 2015 than in the previous year – costs hovered at just over $1 million on average. Good news is, the majority of respondents to Protiviti’s 2016 SOX Compliance Survey say they are leveraging these investments to improve internal control over financial reporting and drive continuous improvement of business processes.
More than 1,500 executives and directors from a broad cross-section of industries participated in the survey, and another 1,200 tuned in for our June 9 live webinar discussion of the results. Clearly, this topic is drawing a lot of attention, and with the significant number attached to it, it’s easy to see why.
Annual costs range from more than $2 million for very large companies, to $367,000 for companies with less than $100 million in annual revenue. More than half of respondents from publicly traded companies (55 percent) reported that the number of hours spent on SOX compliance increased in 2015, with two-thirds of those (68 percent) reporting an increase of more than 10 percent.
Among the reasons for the increase include ongoing implementation of the new COSO internal control framework, evolving external auditor requirements for Section 404(b) compliance, and efforts among organizations that currently comply only with Section 404(a) to prepare for the more rigorous auditor attestation-related requirements of Section 404(b). The companies that reported an increase in hours devoted to SOX compliance work were primarily those in their first year of SOX compliance (56 percent); only 11 percent of second-year companies reported such increase. In fact, two-thirds of companies in their second year reported that hours spent on SOX compliance actually decreased – a not entirely unexpected finding, considering the rigorous requirements of first-year SOX compliance.
A similarly sharp difference emerged between accelerated and non-accelerated filers. More than half of large accelerated and accelerated filers reported that their external audit costs increased in 2015. About the same percentage of non-accelerated filers and emerging growth companies reported a decrease. One possible reason for the increased audit fees among large accelerated and accelerated filers is that they face more rigorous demands from external auditors. For example, there has been an increased focus on information produced by entity (IPE).
Another interesting finding: Although the number of hours and dollars invested in SOX compliance increased overall, we observed a decrease in the number of key controls as organizations seem to increasingly value quality over quantity by sharpening their focus on the controls that matter. We attribute that to both an overall increase in the time organizations are having to spend per key control (two to three additional hours), and an effort to rationalize the number of key controls as companies align with the COSO framework. The increase in time per control is due to a variety of factors, including more scrutiny by external auditors as a result of PCAOB’s periodic inspection reports on external auditing firms requiring more rigorous testing procedures in certain areas, obtaining more evidence that IPE is reliable, and directing stronger attention to management’s evaluation processes supporting accounting estimates, among other things. In addition, companies are now spending 6.4 hours on average (7.5 for the largest organizations) on testing management review controls, as the bar has been raised on those controls as well.
With the increasing costs, most organizations look to technology for help. More than half of the respondents, in every category, indicated that they have at least moderate plans to automate manual processes and controls in 2016. This is an especially positive trend among non-accelerated filers and emerging growth companies, which seem to be embracing control automation as a principle rather than a purely cost-recovery measure.
Other items of note in this year’s survey were pointed out earlier:
- IPE testing is now an integral part of control testing at a majority of organizations, with one in five public companies testing IPE every time they test a control.
- Half of public companies reported that the PCAOB’s inspection reports on external auditors have had a significant impact on the costs tied to testing system reports and other IPE, as external auditors become more aggressive about documentation and verification.
We clearly see these developments with our clients.
What about the value achieved from all these efforts? The news is definitely positive here: More than half of all types of organizations, on average, reported moderate to significant improvement in their financial reporting structures. Fewer mid-sized companies, non-accelerated filers and companies still involved in meeting first- and second-year requirements reported that level of improvement but a full two-thirds of pre-IPOs and post-second-year companies did. Again, this makes sense as these are the stages where the SOX compliance process really begins to pay off for companies.
Overall, we found the information in this year’s report to be quite interesting, and it aligns with Protiviti’s field experience as well. You can hear more of our thoughts by accessing the recorded webinar, as well as our podcast. Be sure to listen to the lively discussion during the webinar Q&A session at the end – we will revisit some of those questions and answers here in future posts as they offer some interesting insight and perspectives. As always, you are welcome to let us know what you think in the comment section below.