Early this summer I participated in a webinar to discuss the results of Protiviti’s 2017 Sarbanes-Oxley (SOX) Compliance Survey, an annual look at how publicly traded companies are complying with the 2002 law. Protiviti began assessing SOX impact on company resources eight years ago, in addition to delineating how the law impacts organizations based on size, maturity and industry. Protiviti’s 2017 survey also considered how a company’s complexity and number of locations influence the compliance burden. Following are highlights from the webinar, specific to the cost and time trends we observed this year.
The survey’s 460 respondents revealed that long-term trends remain in place but with some nuances. The largest organizations continue to face the highest internal compliance costs. Over 50 percent of companies with annual revenue greater than $20 billion reported average annual costs in excess of $2 million, for example, and 80 percent of companies with annual revenues under $100 million spent less than $500,000 on annual compliance.
Many organizations saw their SOX compliance costs rise. Expenses in 2017 were significantly higher than they were in 2015. However, on average, larger and more mature organizations tended to enjoy slightly lower costs compared with 2016. We attribute the year-over-year decrease for larger organizations spending less than $2 million to increased efficiency and to completion of the transition to the updated 2013 COSO Internal Control—Integrated Framework. Our survey suggested that the greater use of outside resources, such as offshoring and outsourcing accounting and compliance functions, also contributed to the reduction.
Next, the survey found that emerging growth companies (EGCs), defined as companies with annual gross revenues of $1.07 billion or less in the most recent fiscal year, shoulder some of the heaviest compliance costs. The U.S. Congress created EGCs as part of the JOBS Act of 2012 and provided such organizations with more flexible and less burdensome registration and filing requirements to encourage IPOs. On average, EGCs reported that internal SOX compliance costs totaled more than $1.2 million in 2017. That amount slightly exceeded the average costs incurred by large accelerated filers. Additionally, a greater percentage of EGCs had costs of more than $2 million in 2017 (18 percent) compared to 2016 (4 percent).
We believe the Public Company Accounting Oversight Board’s (PCAOB) push for external audit firms to exact more precise information from companies is playing a role in those upward trending costs. Similarly, our survey results showed that organizations tackling SOX for the first time and building out compliance infrastructure accrue higher expenses that typically moderate in later years.
Considered by industry, annual costs of compliance ranged from an average of $960,500 for consumer products and retail to an average of $1.3 million for financial services. Costs are dependent on the number of company locations as well. Our first look into this organizational aspect during the 2017 survey revealed that the greater the number of unique locations and the greater the decentralization of revenue streams, the higher the annual compliance costs. In fact, the majority of the least complex organizations, those with 1-3 locations, saw less than half a million in annual costs, while nearly a third of organizations on the opposite end of the spectrum (those with 12 or more locations) saw costs in excess of $2 million.
Regardless of size, filing status and complexity, the majority of respondents indicated that external audit costs increased by more than 10 percent in 2017 over 2016. What’s more, fully two-thirds of companies reported that hours devoted to compliance also increased by more than 10 percent in 2017 over 2016. We attribute that additional time consumption to drivers such as Accounting Standard No. 18, changes to the going concern assessment, non-GAAP disclosure requirements, increased documentation related to cyber controls, and heightened scrutiny of outsourced opinions of Service Organization Control Reports.
Despite the growing amount of resources that most companies are allocating to SOX, three out of four survey respondents in 2017 expressed a belief that their internal control over their financial reporting had improved as a result of complying with Section 404 of the Act.
Fifteen years after SOX became the law of the land, SOX compliance remains dynamic and the subject of much interest, particularly among financial and audit leaders who continue to seek information on costs, hours, controls and other data to create a more efficient compliance process. Protiviti’s annual surveys provide insight into those benchmarks, and we thank all of the participants in our surveys over the years for making this insight possible. You can download our latest one here. I also recommend listening to the archived webinar, which includes discussions by my Protiviti colleagues Brian Christensen, Chris Wright and Ana Amato on developments such as the new revenue recognition standard, PCAOB inspections, cybersecurity, and more. Register to listen, free, at this link.