Higher Costs, More Satisfaction, Unabated Interest – SOX Compliance Has It All

By Jeffrey Tecau, Managing Director
Internal Audit and Financial Advisory

Early this summer I participated in a webinar to discuss the results of Protiviti’s 2017 Sarbanes-Oxley (SOX) Compliance Survey, an annual look at how publicly traded companies are complying with the 2002 law. Protiviti began assessing SOX impact on company resources eight years ago, in addition to delineating how the law impacts organizations based on size, maturity and industry. Protiviti’s 2017 survey also considered how a company’s complexity and number of locations influences the compliance burden. Following are highlights from the webinar, specific to the cost and time trends we observed this year.

The survey’s 460 respondents revealed that long-term trends remain in place but with some nuances. The largest organizations continue to face the highest internal compliance costs. Over 50 percent of companies with annual revenue greater than $20 billion reported average annual costs in excess of $2 million, for example, and 80 percent of companies with annual revenues under $100 million spent less than $500,000 on annual compliance.

Many organizations saw their SOX compliance costs rise. Expenses in 2017 were significantly higher than they were in 2015. However, on average, larger and more mature organizations tended to enjoy slightly lower costs compared with 2016. We attribute the year-over-year decrease for larger organizations spending less than $2 million to increased efficiency and to completion of the transition to the updated 2013 COSO Internal Control—Integrated Framework. Our survey suggested that the greater use of outside resources, such as offshoring and outsourcing accounting and compliance functions, also contributed to the reduction.

Next, the survey found that emerging growth companies (EGCs), defined as companies with annual gross revenues of $1.07 billion or less in the most recent fiscal year, shoulder some of the heaviest compliance costs. The U.S. Congress created EGCs as part of the JOBS Act of 2012 and provided such organizations with more flexible and less burdensome registration and filing requirements to encourage IPOs. On average, EGCs reported that internal SOX compliance costs totaled more than $1.2 million in 2017. That amount slightly exceeded the average costs incurred by large accelerated filers. Additionally, a greater percentage of EGCs had costs of more than $2 million in 2017 (18 percent) compared to 2016 (4 percent).

We believe the Public Company Accounting Oversight Board’s (PCAOB) push for external audit firms to exact more precise information from companies is playing a role in those upward trending costs. Similarly, our survey results showed that organizations tackling SOX for the first time and building out compliance infrastructure accrue higher expenses that typically moderate in later years.

Considered by industry, annual costs of compliance ranged from an average of $960,500 for consumer products and retail to an average of $1.3 million for financial services. Costs are dependent on the number of company locations as well. Our first look into this organizational aspect during the 2017 survey revealed that the greater the number of unique locations and the greater the decentralization of revenue streams, the higher the annual compliance costs. In fact, the majority of the least complex organizations, those with 1-3 locations, saw less than half a million in annual costs, while nearly a third of organizations on the opposite end of the spectrum (those with 12 or more locations) saw costs in excess of $2 million.

Regardless of size, filing status and complexity, the majority of respondents indicated that external audit costs increased by more than 10 percent in 2017 over 2016. What’s more, fully two-thirds of companies reported that hours devoted to compliance also increased by more than 10 percent in 2017 over 2016. We attribute that additional time consumption to drivers such as Accounting Standard No. 18, changes to the going concern assessment, non-GAAP disclosure requirements, increased documentation related to cyber controls, and heightened scrutiny of outsourced opinions of Service Organization Control Reports.

Despite the growing amount of resources that most companies are allocating to SOX, three out of four survey respondents in 2017 expressed a belief that their internal control over their financial reporting had improved as a result of complying with Section 404 of the Act.

Fifteen years after SOX became the law of the land, SOX compliance remains dynamic and the subject of much interest, particularly among financial and audit leaders who continue to seek information on costs, hours, controls and other data to create a more efficient compliance process. Protiviti’s annual surveys provide insight to those benchmarks and we thank all of the participants in our surveys over the years for making this insight possible. You can download our latest one here. I also recommend listening to the archived webinar, which includes discussions by my Protiviti colleagues Brian Christensen, Chris Wright and Ana Amato on developments such as the new revenue recognition standard, PCAOB inspections, cybersecurity, and more. Register to listen, free, at this link.

Trade, Populism and the Price of Progress: How Is Your Industry Adjusting?

Even as technology makes the world smaller and more interconnected, the current rise of nationalism in Western countries reminds us that progress is rarely linear and disruption rarely without consequence.

With the growing trend toward digitalization of supply chains and warehouses, the potential for cost-effective, efficient global trade has never been greater. At the same time, political agendas in the United States, United Kingdom and the EU threaten current trade agreements. With the Trans-Pacific Partnership already abandoned by the United States, provisions for a replacement agreement are unclear. Further changes in existing trade agreements may lead to higher tariffs, delays in delivery and increased red tape, impacting the cost and speed of global supply chains. Recent elections and legislative decisions have heightened the probability that longstanding trade agreements, economic partnerships, and policies and regulations will become vulnerable to populist ideologies.

These topics, and more, are the subject of the August edition of PreView, Protiviti’s emerging risks newsletter. This publication also focuses on the implications of these trends for key industries.

Domestically in the United States, for example, the populist bid to reduce the reach of government and restrict trade and immigration has far-reaching implications for healthcare, agriculture and manufacturing, as evidenced by the current uncertainty over health insurance, commodity prices and labor supply.

Another emerging risk, and one of the drivers of the populist trend, is the stagnation of incomes, a perceived scarcity of opportunities for upward mobility, and a growing concern over projections that the gap between the rich and the poor will continue to widen.

In developed countries especially, jobs involving routine tasks, such as clerical work, are increasingly replaced by technology, leading to job displacement or underemployment of middle-income workers. At the same time, approximately 22 percent of the global workforce works more than 48 hours each week. A 2011 study found that household income increased by approximately 40 percent in the period between 1979 and 2007 for those in the middle, while income for the top one percent grew 275 percent. Currently, there are no signs suggesting that this trend will not continue unabated.

History has shown that such disparities contribute to social unrest, initially in the form of financial crises as consumers overextend themselves reaching for lifestyles they can’t afford, and later as civil and political unrest when more basic items like healthcare, education, training, food and shelter become less attainable and the increasingly disadvantaged lose all hope. Such developments lead nations to become more insular and provincial and less global as their leaders seek to create more opportunities for their people.

These global trends carry huge implications for industries that have become, by now, inextricably interconnected through their global supply chains and geographically dispersed partners and vendors. These industries must keep an eye on the changing landscape and adjust their risk models accordingly. They must also keep an eye on the opportunities that arise when long-established models start shifting.

Such opportunities include development of new resources and supply chains in new locales, and investments in projects deemed priorities in the new political climate — such as rebuilding of the infrastructure in the U.S. Innovative, technology-driven ways of tackling the current challenges will be the winning ticket for coming out ahead in the turbulence. We offer such examples in our newsletter.

The macro issues of trade, populism, income disparity and infrastructure are spurring discussions right now, in Washington and capitals around the world, and the decisions will reverberate through business and society for generations to come. More risks are on the horizon, for sure — gender equality and energy independence are on our radar for upcoming discussions. We will continue to monitor these issues with an eye toward raising awareness and elevating the level of meaningful conversation on these and other emerging risks. You can follow along with our series, and read our current and previous issues, on our emerging risks page on our website.


Transitioning to the New Revenue Recognition Standard Will Likely Be Harder Before It Gets Easier

By Chris Wright, Managing Director
Internal Audit and Financial Advisory

The new revenue recognition accounting standard from the Financial Accounting Standards Board (FASB) is going into effect for most public companies in their next fiscal year, and a year later for everyone else. This fast-approaching deadline explains the increased interest and focus on the standard in Sarbanes-Oxley initiatives. The focus also showed up more demonstrably in our 2017 SOX survey than it has in the past. A majority of respondents (56 percent) indicated they are well into the transition process and have begun to update their controls documentation.

In theory, the new standard is intended to simplify revenue recognition by replacing years of accumulated industry-specific guidance with a single global model. It includes a number of disclosure requirements intended to enable users of financial statements to understand timing and judgments related to revenue recognition.

This may appear simple to some companies in industries not substantially affected by the new standard, but many other organizations will still have to work through some uncertainty in the few months remaining between now and the effective date as they analyze current processes to identify gaps, and design and implement new processes and procedures to the extent necessary. And for those organizations for whom the apparent change will be substantial, the actual change may be even more substantial than first impressions, as well.

The new standard provides a five-step revenue recognition framework in which companies must:

  1. Identify customer contracts
  2. Identify performance obligations
  3. Determine the transaction price
  4. Allocate the transaction price to each performance obligation, and
  5. Recognize revenue as each performance obligation is met

There are a number of changes that companies need to plan for. Multiple-element arrangements (arrangements in which companies deliver more than one thing — goods, services and after-market services; hardware with software that requires upgrades, etc.) need to be looked at in terms of whether or not each individual element should be considered a distinct element requiring revenue and expense recognition.

The ability to use estimated selling prices across all industries is also new and, for many, quite welcome. Some would say this is an easier way to allocate selling price than prior models, particularly for software companies. Similarly, companies that regularly receive performance bonuses at the end of a contract, or some other variable form of consideration, may now be able to recognize that revenue earlier, provided that they have experience and good data documenting previous outcomes. Transitioning to this new standard, even if the result is an easier future process, will nevertheless take effort to get there.

For example, identifying contracts and designing and implementing new controls and procedures can be a tedious and time-consuming process. Many companies are seeking guidance with their transition efforts with the goal of defining and implementing an approach that results in a smooth transition and sustainable processes. We held a SOX compliance webinar last month, in which we outlined a structured approach for the transition. The nine key elements of this approach are grouped by transitional phase (Analyze, Design, and Implement).

In the Analyze phase, organizations form a steering committee — which should include not just accounting and finance staff but legal, IT and internal audit as well, among others — to perform a gap analysis of current processes compared to the new standard, determine the transition method and assess reporting capabilities against the new requirements.

Once the process and reporting gaps have been identified, the transition enters the Design phase. This is where remediation recommendations are honed into a transition strategy and assigned to a project management office (PMO) for implementation.

During the Implementation phase, the PMO, with guidance from the steering committee, works with process owners to update and test critical accounting policies and financial reporting controls, and produces the updated financial statements and other reports required under the new standard.

Some early adopters in industries for which the accounting change is substantial have been surprised by the amount of documentation required to substantiate their findings under the new standard. This will continue to be a topic of increasing concern in the weeks and months ahead as we move toward the first quarter of 2018 and as smaller companies, which may lack the project management infrastructure of some of the early adopters, move closer to implementation. A good starting point for those still in the early stages is our recorded webinar. And we are happy to answer your questions, in the comment section below.

Internal Audit’s Role Will Be Key in the GDPR Journey

By Jeff Sanchez, Managing Director
Technology Consulting

Andrew Struthers-Kennedy, Managing Director
Technology Audit


Over the next nine months, organizations will spend billions of dollars to comply with the General Data Protection Regulation, or GDPR — a European data protection and privacy regulation with the potential to be as disruptive to companies that conduct any kind of personal data exchange with the EU as the financial reforms created by the Sarbanes-Oxley Act were back in 2002. For starters, it is estimated that over the next year, companies in Europe will hire 28,000 data protection officers (DPOs) — one of the requirements of the GDPR. And that’s just one of the changes companies will have to make.

Protiviti held a popular webinar last month to discuss what GDPR is, how it will affect companies and how companies should prepare for this significant change. Scott Giordano of Robert Half Legal and Jeff Sanchez provided an overview of the regulation in a previous post. Here, we want to focus on GDPR’s implication for internal audit specifically. Two-thirds of the attendees at our webinar were from the internal audit function — not a surprise, as this is the group that will be providing assurance over the new controls once they are implemented, and is well positioned to provide guidance during their design and implementation.

The effects of this new law will be felt across all organizational departments, affecting policies, procedures, marketing, analytics, vendor contracts and customer transactions, among other things. The internal audit function, by virtue of its deep departmental access, compliance and risk knowledge, and board-level credibility, can play a significant role in both preparing for the change and monitoring compliance after the law is enforced, beginning May 25, 2018.

Between now and May 2018, internal audit can play a key role in guiding company strategy, serving as a strategic partner, helping the DPO, raising awareness of the new law, talking about potential risks, identifying gaps in the company’s compliance program, and helping to drive change within the organization.

Results from participants in Protiviti’s GDPR webinar

The majority of attendees we polled during the webinar (66 percent) said their companies are still in the early planning and discovery phase — conducting privacy risk assessments, identifying applicable laws, mapping data and trying to understand requirements. This is an area where internal audit can make a big difference.

Once the risks and compliance requirements have been identified, internal audit can add value by facilitating a gap analysis. With roughly a quarter of companies at this stage, common gaps we have seen so far include:

  • General lack of awareness related to the GDPR requirements (in particular among customer-facing functions, e.g., sales)
  • Lack of comprehensive inventory of personal data and mechanisms for how such data is being captured, stored, processed, and transmitted
  • Poor data mapping, or a lack of priority in privacy design
  • CRM systems not designed to accommodate the rights of data subjects
  • Third-party contracts that don’t reflect new regulatory requirements, and insufficient vendor management
  • Historical data that may not meet GDPR consent requirements
  • Insufficient accountability in data security and privacy across all users and applications
  • Security vulnerabilities during data processing
  • Slow or insufficient breach reporting and communication

Only after the requirements and compliance gaps have been identified can the organization begin to implement changes and move toward compliance. Our polling questions revealed that just one in ten companies has made it to this phase. Internal audit can add value here by helping to shape a compliance roadmap and advising on appropriate practices to meet the requirements of GDPR.

Of course, after the regulation takes effect, internal audit will play a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions and making sure the organization is truly compliant. Data protection, specifically related to GDPR, might well be a focus point for all integrated audits that are conducted.

Companies and their internal audit departments should not underestimate the effort involved in complying with this law. The cost of complying is estimated at more than $1 million for 17 percent of U.S. companies, with larger companies likely to see higher costs. Now is the time to raise awareness among all functions that will be affected, inventory personal data, review data policies thoroughly, conduct a risk assessment and identify gaps, and engage with vendors. As with any business initiative of this scope, proper governance and oversight (including executive sponsorship and a dedicated steering committee) is going to be key to the success of the GDPR program.

For more information, we strongly encourage you to watch our free archived webinar, subscribe to our blog to be part of future discussions, and try to attend a roundtable near you. It’s not too late to start, but that won’t be the case for long.

AI in AML, Consumer Protection Developments Discussed in Protiviti’s Latest Compliance Insights Podcast (Now Available)

Christine Bucy of Protiviti’s Risk and Compliance practice joins Steven Stachowicz in this latest podcast to discuss the next frontier in AML compliance — artificial intelligence. Also hear Steven’s take on the latest in consumer protection activity from the Consumer Financial Protection Bureau. This discussion is in addition to what you’ll find in the complete July issue of Compliance Insights, available for download here.

In-Depth Interview, Compliance Insights [transcript]
July 27, 2017 at 10:09 AM

Kevin Donahue: Hello. This is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re going to be discussing some of the highlights from the July issue of Protiviti’s Compliance Insights newsletter. I’m pleased to be joined today by Steven Stachowicz, a Managing Director with Protiviti’s Risk and Compliance practice, and Christine Bucy, an Associate Director with Protiviti’s Risk and Compliance group.


GDPR: Strict New EU Data Privacy Rules Have Global Reach

By Jeff Sanchez, Managing Director
Security and Privacy

and Scott Giordano, Director
Robert Half Legal – Data Protection Practice


European regulators are giving individuals new rights to control how their personal data is used. A new law, the General Data Protection Regulation (GDPR), scheduled to become effective May 25, 2018, is the most important change in data regulation to come from European Union (EU) regulators in 20 years. It introduces strict new rules for the protection of the personal data of EU citizens, and applies to any company that collects or processes such data. Organizations with customers or employees in the EU should prepare now to avoid big fines and potential legal liability.

We’ve been getting a lot of interest in this topic and will be doing our best to keep you advised and informed on this important change so that you can be prepared when the regulation becomes effective. Not surprisingly, given the scope of change this regulation will require, our GDPR webinar on July 18 was very well attended. Below is an overview of part of that discussion.

GDPR expands the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations.

U.S. companies, take note: Compliance with GDPR is going to require some heavy lifting. The regulation only allows data transfer between countries with “adequate” data protection laws. Currently, the United States does not meet this requirement, which means U.S. companies will have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business — even online — with EU data subjects.

Other notable changes include:

  • A requirement that EU citizens must specifically “opt in,” or grant permission for their data to be captured. Under the GDPR, consent may be revoked at any time, and implicated data must be erased.
  • The mandatory appointment of a data privacy officer (DPO) in some circumstances.
  • 72-hour breach notification requirements (common in the U.S. but not in Europe until now).

Companies will feel these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.

What will this sweeping change cost? We estimate the cost of compliance to be in excess of $1 million for companies with more than 10,000 employees. The cost of not complying, however, is even higher, with the penalty cap raised from 500,000 euros to 20 million euros or 4 percent of annual global revenue, whichever is greater. In addition, consumers will be allowed to claim compensation for damages resulting from breaches of their personal data.

There are several steps companies should be taking now to ensure that they will comply with GDPR by the 2018 deadline. Protiviti has been working with many companies to develop a roadmap to compliance. In addition to appointing a DPO, we recommend:

  • Inventorying all personal data
  • Conducting a data protection impact assessment
  • Identifying compliance gaps
  • Protecting personal data by design and by default
  • Developing a framework for GDPR compliance

We will be discussing these preparations both here on The Protiviti View and in future publications. Bookmark our website or subscribe to follow us here to stay abreast of developments.

Internal audit is uniquely suited to help organizations assess compliance, determine scope and recommend changes. We will be exploring internal audit’s role in this transition in more depth in a follow-up post.

It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. There will be need for changes to applications, as well as changes to contracts and third-party relationships. And we haven’t even touched on data portability.

If you haven’t yet begun the assessment process, there is still time, but the window of doing so comfortably is closing.

Protiviti will be holding a series of roundtable discussions in major cities around the United States. We encourage you to attend one if you can. Details are available on our website.

SEC Clarifies Revenue and Lease Deadlines for Private Entities Included in Public Filings

By Charles Soranno, Managing Director
Internal Audit and Financial Advisory

With transition deadlines fast approaching on new revenue recognition and lease accounting rules from the Financial Accounting Standards Board (FASB), the Securities and Exchange Commission (SEC) has opted to clarify some confusion among certain private businesses regarding their specific deadlines for the new standard. One specific area that was unclear was the deadline for private companies whose financial statements are being filed with the SEC solely as part of another public company’s filing, such as an initial registration statement, or an IPO.

FASB requires public business entities (PBEs) to adopt new revenue recognition requirements for annual reporting periods beginning December 15, 2017 (or January 1, 2018 for calendar-year reporting companies). Private businesses have an additional year before they have to comply. The deadline for PBEs to comply with FASB’s lease accounting rule is December 15, 2018 (effectively January 1, 2019 for calendar-year reporting filers) — again, with an additional year granted to private companies. Chris Wright and I wrote about the new lease standard here.

The confusion stemmed from FASB’s definition of a PBE, which includes all entities whose financial information is included in an SEC filing. This raised a question among a certain segment of companies that operate as private entities, except for the fact that their financial statements were to be included in another company’s filing. SEC rules, for example, require companies going through an IPO to provide financial statements for all significant recent acquisitions.

Although such companies technically meet FASB’s definition of a PBE, the SEC has gone on record that it would not object to such companies adhering to the private companies’ deadline for the revenue recognition and lease accounting requirements. The SEC staff announcement was included in the FASB Emerging Issues Task Force’s July 20 meeting agenda, and can be found at this link.

It also should be noted that the new FASB revenue and lease rules still apply to all business entities. The SEC ruling merely offers private companies in transition during the implementation period the option of adhering to the later, private company deadline.

As Chris Wright and I wrote in May, getting the accounting standard transition process started early will enable management to develop an efficient and timely plan, as well as involve internal auditors early and enable them to have a voice at the table and offer strategic guidance to ensure orderly controls transition and project management monitoring. The one-year extension for certain companies should be seen not as a “reprieve” but as an opportunity. An early start will provide sufficient lead time to enhance processes, upgrade support systems and prepare stakeholders for the coming change.

Certainly, this ruling will be welcome relief to those companies that, in prepping for an IPO, have a number of initiatives on their plate; but although this affords companies a bit more time to prepare for the revenue recognition and leases deadlines, it is not in any way intended as an exemption or carve-out. Our Guide to Public Company Transformation is a good “IPO user manual” and can be found here.