Workload needed for Sarbanes-Oxley (SOX) compliance continues to rise
It has been fifteen years since Sarbanes-Oxley (SOX) became law. New research from Protiviti finds that time devoted to SOX compliance activities increased for a majority of organisations, and for two out of three of these companies, hours increased markedly, underscoring that compliance remains a key focus area of operations.
The study, conducted by the global consulting firm among over 450 chief audit executives, and internal audit/finance leaders and professionals in US listed public companies, explores the impact of SOX on businesses and how they are dealing with the law in terms of regulatory compliance. The law, also known as the ‘Corporate and Auditing Accountability, Responsibility, and Transparency Act’, was enacted in 2002 as a federal law, and set stricter compliance requirements for all US public company boards, management and public accounting firms. SOX – which is relevant for US companies operating across the globe – also includes a number of provisions that apply to privately held companies. SOX’s main elements focus on improved financial reporting, management governance, accountability, and auditor independence.
The key takeaway from the study is that hours required for SOX compliance continue to go up. Time devoted to SOX compliance activities increased for a majority of organisations, across all filer types. Half of the large accelerated filers (companies with a public float of >$700 million) saw their workload rise, while accelerated filers (firms with a public float in the range of $75 million to $700 million) and emerging growth companies (a company which at the time of its initial public offering [IPO] had total annual gross revenues of less than $1 billion; its status lasts for the first five years following the IPO or until revenues exceed $1 billion) also saw their SOX compliance workload increase, at 63% of firms. At just under half of the population, 48% of non-accelerated filers (companies with a public float of less than $75 million) had to spend more time to comply with SOX requirements.
Across the board, for two out of three of these companies, hours increased by more than 10%, underscoring that despite technological advancements touted by analysts as the next big thing for internal audit, compliance remains a time-consuming exercise. Even for companies beyond their second year of compliance, while hours required for SOX are level compared with pre-IPO and first-year filers, a majority in this category still saw their total hours increase.
Workload drivers
Several drivers explain the growing workload for compliance teams. 35% of the organisations surveyed highlight that they have witnessed an increase in the requirements for process control documentation for high-risk areas, up from 31% last year. In addition, the percentage of entity-level controls classified as key controls has increased – a trend likely resulting from implementation of the updated COSO Internal Control-Integrated framework, highlights Protiviti. The workload resulting from increased scrutiny from external auditors has also gone up, while organisations are upping their internal testing efforts to ensure compliance in light of the growing risks and demands looming in the marketplace.
New SOX aspects which had an impact on the increase in hours include the related party Audit Standard AS.18 (recodified as AS.2410), the going concern assessment, non-GAAP disclosures and the associated disclosure controls, as well as increased intensity in the focus on outsourced SOC reports. In addition, some higher-level controls around management review have been broken down into more granular controls, further adding to overall SOX compliance efforts.
The role of the PCAOB also adds to the workload. Increasing inspection report requirements placed on external auditors by the PCAOB have resulted in stricter compliance activities for many organisations. In fact, three-quarters of firms whose external auditors required significant changes to SOX compliance activities attribute the workload increase to PCAOB changes.
Cybersecurity is another reason why more time was spent on SOX compliance. With the growing prevalence of cyberattacks and breaches during the last year – estimated to have unleashed more than $280 billion in damages – compliance has come under increasing scrutiny from external auditors, management and boards of directors.
As cybersecurity grows beyond an IT concern into a fundamental business issue across the enterprise, it is not surprising, according to the researchers, that survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016. Of those companies that had to issue a cybersecurity disclosure, nearly one out of three experienced an increase of at least 16% in SOX compliance hours.
“SOX compliance efforts continue to be shaped by new and emerging influences, from the new revenue recognition standard and cyber-security concerns to the PCAOB’s inspection reports on external auditors and the resulting effects on audits of internal control over financial reporting”, said Brian Christensen, Executive Vice President of Global Internal Audit and Financial Advisory at Protiviti.
In the study, the authors further looked into who in the organisation is involved with SOX testing, finding that 75% of the work is carried out by either internal audit or management/process owners.
SOX maturity on the rise
The added investment into SOX compliance is, however, proving fruitful. Companies are seeing the benefits of their SOX compliance work, with 70% reporting that their internal control over financial reporting structure has improved and 50% realising continued improvement of business processes. “SOX requirements and practices have changed with the times, and we’re pleased to see that many companies are reaping the benefits of their compliance efforts, which is also good news for investors,” remarked Christensen. “By creating streamlined and lean processes, companies can respond to new and emerging business or regulatory challenges with agility. Conversely, those who aren’t following this model and are instead always playing catch-up may struggle to remain competitive over time.”
Hours up, but costs down?
Interestingly, Protiviti finds that, compared with the previous year, the costs incurred to realise SOX compliance have decreased. Among large accelerated filers, the share of companies that spent $2 million or more dropped by 10 percentage points to 18%, while among accelerated filers the share of big spenders also fell, from 14% in 2015 to 10% in 2016. While the total spending of non-accelerated filers and emerging growth companies in this spending bracket did rise, the share of these organisations that saw spending of under $500,000 on SOX compliance grew by a much wider margin, suggesting that across the board, total spending for this group has edged downwards.
A possible explanation for the trend relates to the growing use of third-party providers, said Christensen. In cases where the business has outsourced business processes and corresponding controls to outside (third-party) providers, a growing trend in the landscape, the costs associated with the outsourcing deal are in the majority of situations not captured under the SOX compliance budget, because internal transaction controls shift to controls that are reviewed through providers. “Thus costs are dispersed and not necessarily captured as part of SOX compliance activities. Nevertheless, management should understand how and where the compliance costs are being incurred in the organisation”, commented Christensen.
As it stands, 11% of the companies outsource their SOX activities related to process controls, while the number is 8% higher for IT-related controls. For both domains, around 40% of the companies highlight that they use some form of input from external parties to help them abide by the requirements, an arrangement dubbed co-sourcing by the authors.
A broader view, however, shows that the trend line for SOX compliance costs continues to move up. Today more than half (51%) of the respondent base (72% of respondents’ companies have annual revenues of $1 billion) spend more than $2 million on SOX. Size of course matters: 53% of organisations with a revenue of more than $20 billion spend $2 million or more on SOX, with the number dropping to 7% for firms that generate an income of between $100 million and $500 million. Not surprisingly, the cost level closely correlates to the number of unique locations an organisation has – the greater the number of locations, the higher its annual SOX compliance costs are, with a nearly $1 million average swing between the least and most complex organisations (based on number of unique locations).
Looking ahead, mounting PCAOB audit requirements, new revenue recognition standards and cybersecurity concerns are cited by survey respondents as the main factors that will influence SOX compliance efforts in the months to come.