SOX Compliance Benchmarks in 2017 – Costs, Hours, Cybersecurity and More


Ana Amato and Jeff Tecau, managing directors with Protiviti and leaders in the firm’s Internal Audit and Financial Advisory practice, review some of the detailed results from Protiviti’s latest SOX Compliance Survey, including costs and hours, control counts, cybersecurity and more.


Protiviti Podcast Transcript

Kevin
Hello, this is Kevin Donahue, senior director with Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re continuing our series of podcasts on Protiviti’s 2017 Sarbanes-Oxley Compliance Survey. I’m pleased to be speaking today with Ana Amato and Jeff Tecau, managing directors with Protiviti’s Internal Audit and Financial Advisory practice, where we’ll be looking at several key issues that emerged from the findings of this year’s survey. Ana, thanks for joining me today.
Ana
Thanks for having me, Kevin.
Kevin
Jeff, it’s great to speak with you as well. Let me toss the first question to you. I want to start with the SOX topic that’s always top of mind, which is costs. We see in this year’s results that for some companies at least, compliance costs appear to be trending down. What are some of the factors at play here?
Jeff
Yes. That’s a great question, Kevin, and I’d answer that by saying the cost equation is really a mixed bag, but you are right, based on our 2017 SOX survey results. Compared to our 2016 survey release, we’ve seen that costs are down slightly, mainly for certain company types. In general, for companies that tend to be more mature in their SOX compliance, the large accelerated filers and the accelerated-filer groups, we’ve seen that the percentage of those larger companies spending more than $2 million on their annual cost of compliance has trended down.

On the flip side, what we’ve seen is that the percentage of companies spending less than $500,000 annually on compliance, that number has gone up, which reflects better focus on costs, as a higher percentage of companies are achieving compliance for less than $500,000. In particular, with those companies beyond year-one compliance that we’re seeing, we do believe that the cost trend is continuing to move downward because of a number of factors.

First, we’ve seen a number of companies completely implement the newest release of the updated COSO Internal Control — Integrated Framework. Most companies have fully adopted this, and we believe that because the companies are through their full year of implementation, that’s continued to play a factor. Second, we have seen in our most recent survey results that companies are trending toward more use of outside variable-cost resources to support their compliance effort.

We did see a significant increase in the use of outside resources compared to last year’s findings, and what happens here is, we’ve seen organizations replace fixed costs with variable outside costs, and that does have some impact on cost reduction in certain organizations, particularly in those where outside help is focused on making the compliance process more efficient, where outside help is able to execute quicker than inside help, where outside providers can provide lower-cost resources than the internal fixed-cost resources. We’ve seen that happen through offshoring arrangements or employing these contractors. So, when organizations procure outside help, they only pay for the hours they need. We think that’s had some impact on keeping costs in check.

Finally, many large organizations look at their SOX compliance annually and continue to move up the maturity curve and get better. I will say though, on the opposite side of the equation for certain company types, SOX costs are trending in the other direction. The percentage of our 2017 survey respondents that spent more than $2 million a year on SOX increased this year within the smaller organizations — those with less than $500 million in revenue — and for those in the pre-IPO phase or their first year of compliance.

Kevin
Thanks, Jeff. As you said, that clearly is a mixed bag of results when we dig deeper into it. Ana, our next question for you, let’s talk a bit about the effects of the PCAOB on SOX compliance. What impact are the board’s periodic auditor inspection reports having on compliance processes?
Ana
There’s definitely been an impact. There’s definitely no secret about that. I mean, the standard had been raised quite a bit in a couple of areas as a direct result of the PCAOB inspection reports. There are a couple of trends to highlight, particularly around information provided by the entity, or IPE, and outside service providers. The PCAOB has said that the results are definitely improving across the board with the 10 annually inspected audit firms.

Primarily, that has been that over the last few years, what we still call hot topics are really not hot topics anymore, because they’ve been around for a while. So, rather than being a new and emerging thought process, they really have become an expectation, and what that has led to is that a lot of the audit firms have increased their training and their internal quality programs to make sure that all of their teams, regardless of geography, or who the audit partner that they’re working with is, are really having a standard expectation of what should be done in some of these areas.

From an IPE perspective, what we found as a result of our survey is the expectation that you are going to, at least, test all of your IPE annually. I say “at least” because if there have been significant changes in the environment, the expectation is that it will be tested multiple times throughout the audit life cycle. Initially, there was some level of sentiment that you could get away with a rotational approach and kind of prioritize some of your IPE efforts. While that might still be the case for some of the smaller revenue-size clients, the reality is that there should be some level of rationale that’s provided as to why the management team feels that the rationale or that the approach is appropriate.

The other topic that I mentioned was around outside service providers. When we look at our survey results, the good news is about 95 percent of those that responded said that they were receiving at least some SOC 1 reports, which is a change in the shift from where folks were two or three years ago. Eighty percent of those are going through some level of a control mapping exercise to make sure that the coverage that they’re getting in their SOC report is going to be sufficient to mitigate the risk that they’re trying to cover as part of the SOX cycles that are in scope.

The bottom line is that you really can’t outsource the responsibility for control when you outsource certain cycles. They really still are a part of the management-review process, and there needs to be comfort around that, that every risk that would be relevant to the cycle that isn’t in scope for SOX is being addressed appropriately. The good news is also that you can rely on management-review controls for some of these things, so you don’t necessarily have to go back to the transactional level or do on-site audits. You can rely on management-review controls, but that’s something that it’s important to have clarity and transparency about in terms of what the expectation is also from your external auditors so that there are no surprises at the end of the audit period.

Kevin
Thanks, Ana. I want to remind our audience also that to obtain a full copy of our report on this year’s survey results, please visit Protiviti.com/soxsurvey, where you can find our report Fine-Tuning SOX’s Costs, Hours and Controls. Jeff, let’s turn the conversation back to you. One of the interesting trend lines we see in our results is that while, as we talk about SOX, costs are trending down for some, hours are trending up for almost every organization. Again, what are some of the factors at play here?
Jeff
You’re right, specific to hours. Hours devoted to SOX continue to trend up — at least, that’s what our survey results tell us — and the time devoted to SOX compliance activities increased for a majority of organizations last year. For two out of three of the companies that responded to our survey, hours increased by more than 10 percent, which underscores that compliance continues to remain a time-consuming exercise. There are a number of factors that we see driving this that all companies should be paying attention to.

First, what we’ve seen is that control counts are up. The number of internal controls being reviewed on an annual basis is up. Compared to prior-year results, the percentage of entity-level controls that have been classified as key controls has increased. We believe that that trend was driven by the implementation of the new COSO Internal Control — Integrated Framework, and then the PCAOB inspection report, as Ana highlighted in your earlier question, has impacted the external auditor’s internal control work, and this has had a direct impact on the hours that companies incurred to comply with SOX, and also to do with the external auditors to the extent they need the internal control opinion on their financials.

Number three, in the current environment, we’ve seen an increased documentation around cybersecurity controls. We expect that focus to continue to remain strong throughout 2017. Fourth, the new ASC 606 revenue recognition transition is underway, and that’s impacting SOX-related hours specific to revenue-cycle controls as internal controls change to respond to the new revenue guidance.

And then, finally, there are some new focal areas that we saw companies prepare for in their 2016 audits, which has impacted hours. Those include the new related-party auditing standard, AS 18, which was recodified as AS 2410. We saw companies get more robust internal-control documentation to support some of the new going-concern assessment work that the external auditors are subject to; non-GAAP disclosures, and the increased focus on non-GAAP disclosures by the SEC, have driven some additional internal-control hours around the latest disclosure controls. And then, I’d say, finally, as Ana mentioned, there’s increased intensity in the focus on outsourced SOC reports as we’ve seen companies focused on enhancing documentation of internal controls in these areas. So those things collectively have all led to the uptick in hours across the board.

Kevin
I know there are many other topics we could address here, but in our time remaining, Ana, I want to ask you the last question. Let’s talk a little bit about another hot topic: cybersecurity. There actually is a cybersecurity disclosure that’s required as part of SOX compliance. Ana, what do we see in this year’s results regarding this disclosure, and, more broadly, how are external auditors addressing the issue of cybersecurity?
Ana
Jeff is absolutely right. There has been an increase when it comes to cybersecurity. There had been a 13 percent increase in our respondents and the number of companies that were required to make a cybersecurity disclosure, which is really not shocking to anyone, right? I mean, considering the number of cyberattacks and breaches over the last 12 months, it’s no surprise that there’s more scrutiny from not just the external auditors, but also the management and the board of directors. I don’t think I’ve attended a board meeting in the last couple of years where cybersecurity wasn’t one of the agenda items to at least discuss and make sure that companies have a program in place to address the event of a breach.

In terms of what the cybersecurity disclosure is from the external auditor’s responsibility, we’ve seen a little bit of uniqueness to what each one of the external auditors is doing, but they have come up with cybersecurity-control questionnaires to understand what the company’s process is for identifying possible breaches, and why is that, right? Under the current guidance, a company may determine that it is necessary to disclose cybersecurity risks, and it could be in a couple of different places in Form 10-K. It could be the risk factors, the management’s discussion items, the legal or the business descriptions, or the financial statements.

It is the auditor’s responsibility, depending on whether the disclosure is included in the audited financial statements or elsewhere in the form, the level of procedures that they would need to perform to make sure that in all material respects, the financial statements are presented fairly. It’s a little bit of variation in terms of what we’re seeing, but overall, the goal from different external auditors is to get comfort around what the companies are doing to identify possible breaches. A unique checklist, but all definitely an agenda item and something that’s top of mind as they look to make sure that the accuracy of the financial statements is not compromised, that there’s not a potential material misstatement associated with a potential breach.
Kevin
Ana and Jeff, I want to thank you very much for joining me today to discuss some of the key findings from our SOX survey this year. I want to invite our audience to visit Protiviti.com/SOXsurvey, where you can find our full report on this year’s results. You can also find some other podcasts we’ve recorded with Protiviti leaders, including Executive Vice President Brian Christensen speaking about some high-level issues around SOX and concerns for companies, and Chris Wright, where we talk about revenue recognition and the impact on the SOX process. Again, please visit Protiviti.com/soxsurvey for more information.