Firms look to trim SOX costs on 20th anniversary


The Sarbanes-Oxley Act of 2002 required public companies to set up internal controls over financial reporting and have them audited by accounting firms, but with costs rising due to inflation, accountants are finding ways to save money.

Big Four firm Deloitte released a report last month, coinciding with the 20th anniversary of the landmark act, urging companies to take a fresh look at their SOX compliance programs, to find ways to modernize them with up-to-date technology, and to reduce some of the controls they may have layered on over the years. According to the report, companies need only a "reasonable" level of assurance over financial reporting.

"In the years since this federal law was enacted, there have been significant developments in technology, methodology, and business and operating environments; however, the SOX program at many companies may not have evolved at the same pace, or at all," said the report. "Over the years, some SOX programs may have even continued to layer on additional controls while spending the same amount or more to achieve compliance without being able to extract value from the program. Organizations in this scenario could be testing too many controls or may not be focused on the areas that matter most, so they may not actually be attaining reasonable assurance over the operating effectiveness of internal control over financial reporting. This could ultimately result in unexpected deficiencies."

After 20 years, it's probably a good idea for companies to take a fresh look at their SOX compliance programs, but they need to avoid the risk of cutting out the controls they should keep in place.

"We are trying to talk with companies who haven't really refreshed or kept up with the changes in things like technology, operating environment, changes in their businesses, through growth or other organic changes in the business," said Lindsay Rosenfeld, a managing director with Deloitte who co-authored the report. "They haven't really stepped back to refresh or rethink what they've been doing from a SOX compliance perspective over the years. One of the key points we talk to companies about is that, while they have to maintain their compliance and mitigate risks, there are ways to modernize where they achieve efficiencies, provide deeper insights into the organization and potentially lower their cost of compliance through modernizing, through use of operating model enhancements, programming enhancements, tools and technologies."

Companies are hoping to find ways to modernize their SOX compliance, as well as reduce their costs if possible.

"When we talk to clients, they're always focused on 'We want to find efficiencies, we want to lower the cost of compliance, we want to provide insights,'" said Patty Salkin, managing director and internal audit SOX modernization leader at Deloitte, who co-authored the report with Rosenfeld. "Many companies have had the program for 20 years, but really just have layered on and haven't refreshed it, so it's very impactful to share leading practices with clients so they can figure out how to create a more efficient program, and provide insights and lower the cost of compliance and ultimately reduce the amount of controls they're testing or whatever method it is they're using."

To be sure, the desire to ease internal controls shouldn't come at the expense of SOX compliance or lead to misstatements in a company's financial statements, much less outright fraud.

Former Rep. Mike Oxley, R-Ohio, left, talked with former Sen. Paul Sarbanes, D-Maryland, during a 2005 workshop at George Washington University Law School.

The Public Company Accounting Oversight Board, which was established by SOX in the wake of a string of accounting and auditing scandals in the early 2000s involving companies like Enron and WorldCom, is looking to reinvigorate enforcement and inspections, as well as roll out newer standards; many of the existing standards haven't been updated since the PCAOB inherited them from the American Institute of CPAs. The PCAOB's new chair, Erica Williams, spoke about the board's plans last month, a day after SEC chair Gary Gensler called for updating auditing standards and tightening auditor independence requirements, in separate webcasts commemorating the 20th anniversary of SOX. The SEC has reportedly been sending letters to leaders of the major auditing firms asking about possible conflicts of interest that could run afoul of independence requirements.

The Deloitte executives declined to comment on the remarks by Gensler and Williams, but they see their advice as still being in keeping with the SOX requirements. 

"What I like to talk to clients about is what the SOX requirements are, which are to provide reasonable assurance over financial reporting and not absolute assurance," said Salkin. "When we take them through the modernization techniques, it's a focus on transitioning from a compliance mindset to a risk-based lens so that they will still be in compliance with the regulations and perform the testing that they need to test, to test the right things — not to test all things. When we talk about refreshing and rethinking the SOX program, that's exactly what we're doing. We're trying to help clients get to what they need to do to still maintain reasonable assurance."

She noted that much has changed since SOX was enacted, including changes in operating models. For example, clients now outsource some processes to third parties such as accounting and consulting firms, and there have been significant changes in technology as well. Companies may want to take a risk-based approach to SOX compliance, focusing on what matters from a financial reporting perspective in order to avoid a misstatement.

"Think about controls in place to mitigate risks of material misstatements," said Rosenfeld. "Sometimes we'll see that companies maybe have operational controls in their SOX framework, and it's not to say that they shouldn't have those operational controls in place because they're so important to running their business, but when you have a control in your SOX framework, you have to take it one step further and actually need to test the operational effectiveness of that control. So to the extent that they have operational controls instead of financially relevant controls that are intended to address the risk of a material misstatement in a financial statement, they may end up testing things that aren't financially relevant from that financial reporting lens."

For example, she pointed to HR payroll controls over hiring and termination practices. 

"Those are important controls for companies to have from an operational perspective," said Rosenfeld. "But maybe from a financial risk perspective, they can look at higher-level payroll fluctuation analysis or higher-level monitoring controls over payroll expense that would be sufficient to mitigate material risk of misstatement in their financial statements and not call those operational controls relevant for their SOX program environment."

Deloitte helps some of its clients with their internal audit programs and with setting up governance, risk and compliance programs, including GRC technology, but the firm needs to be careful not to do that for its external auditing clients, since that would run afoul of the independence and conflict-of-interest requirements. 

"When we're the external auditors, we don't help our external audit clients stand up their internal control frameworks," said Rosenfeld. "That would be independence impairing. Either we're the external auditor of the firm or we perform these control advisory services."

Clients decide for themselves what technology they will implement for SOX compliance.

"Companies will opt to determine whether they want to implement the GRC platform," said Salkin. "On the audit side, the audit clients make their own decisions as to what platform they want to use. But we work with many different clients, and we do talk to audit clients about modernization as well." 

Even when Deloitte isn't the external auditor, it still needs to work closely with the firm that is when implementing the technology.

"When we're providing advice to clients on how to manage their SOX program, it is always important to coordinate and liaise with their external auditors so that whatever changes are being made to either the risk assessment and scoping, or changes to technology or the operating environment, that the companies share that information on a real-time basis with their external auditors so that there can be alignment," said Rosenfeld. "That's critical because when companies are putting in place their SOX program, it has to be auditable by the external auditor, and by internal audit or whoever is maintaining SOX compliance in an organization. As companies are looking to modernize an organization, they want to make sure that the changes they are making to their environment are done in an auditable way and that their external auditors are along for the journey and can provide inputs into how that will affect their external audit."
