Public companies are confronting significant new compliance challenges from a combination of Sarbanes-Oxley requirements, Public Company Accounting Oversight Board inspections of their auditing firms, and COSO’s new internal control framework, according to a new survey.
The survey, by the consulting firm Protiviti, polled more than 600 audit executives and professionals and found that 48 percent of the respondents said their organization has yet to begin applying the new internal control framework from the Committee of Sponsoring Organizations of the Treadway Commission to their key controls. More than half (52 percent) of those who indicated they have begun to implement the COSO framework reported that this effort will increase the amount of resources their organization devotes to SOX compliance.
“A surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls,” said Brian Christensen, executive vice president at Protiviti and leader of the firm’s Internal Audit and Financial Advisory practice. “Our survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”
Of the companies that said they faced significant changes to their SOX compliance programs, the majority attributed the changes to the impact of the PCAOB’s audit firm inspection reports that found deficiencies in recent audits of internal control over financial reporting. Forty-seven percent of these survey respondents said that they “very much” believed that these reports were a cause for significant changes. The SOX compliance areas most affected by the PCAOB inspection reports were testing review of controls (26 percent indicated an extensive or substantial impact, while 32 percent indicated a moderate impact) and IT considerations (25 percent said there had been an extensive or substantial impact, while 30 percent said there was a moderate impact).
These two areas also ranked highest in terms of the additional time and effort required based on the impact, which drives up the cost of compliance. Nearly half the respondents reported that these costs are rising, with 41 percent reporting increases of 20 percent or more, a significant year-over-year jump based on past survey results. This is the fifth SOX Compliance Survey that Protiviti has conducted.
“The PCAOB inspection reports had a tremendous impact on the way companies handled SOX compliance in 2013, and we foresee that continuing,” said Christensen. “However, the costs are still expected to be manageable going forward, in part because companies are continuing to work to improve their efficiency.”
The survey also found an increasing amount of audit committee involvement in SOX compliance. Organizations that said their audit committee has primary responsibility for SOX compliance increased from 11 percent in 2013 to 18 percent in 2014. Conversely, organizations that said they give their project management office primary responsibility decreased from 10 to 5 percent.
Automated controls remain powerful tools in ensuring a strong internal control environment, Protiviti noted, and over time prove not only highly effective, but efficient as well. According to the survey results, 83 percent of organizations have plans in place to automate either a broad range or selected IT processes and controls.
The survey report, along with an infographic and video of survey highlights are available at www.protiviti.com/soxsurvey.