Ana Amato and Jeff Tecau, managing directors with Protiviti and leaders in the firm’s Internal Audit and Financial Advisory practice, review some of the detailed results from Protiviti’s latest SOX Compliance Survey, including costs and hours, control counts, cybersecurity and more.
Yes. That’s a great question, Kevin, and I’d answer that by saying the cost equation is really a mixed bag, but you are right, based on our 2017 SOX survey results. Compared to our 2016 survey release, we’ve seen that costs are down slightly, mainly for certain company types. In general, for companies that tend to be more mature in their SOX compliance, the large accelerated filers and the accelerated-filer groups, we’ve seen that the percentage of those larger companies spending more than $2 million on their annual cost of compliance has trended down.
On the flip side, what we’ve seen is that the percentage of companies spending less than $500,000 annually on compliance, that number has gone up, which reflects better focus on costs, as a higher percentage of companies are achieving compliance for less than $500,000. In particular, with those companies beyond year-one compliance that we’re seeing, we do believe that the cost trend is continuing to move downward because of a number of factors.
First, we’ve seen a number of companies completely implement the newest release of the updated COSO Internal Control — Integrated Framework. Most companies have fully adopted this, and we believe that because the companies are through their full year of implementation, that’s continued to play a factor. Second, we have seen in our most recent survey results that companies are trending toward more use of outside variable-cost resources to support their compliance effort.
We did see a significant increase in the use of outside resources compared to last year’s findings, and what happens here is, we’ve seen organizations replace fixed costs with variable outside costs, and that does have some impact on cost reduction in certain organizations, particularly in those where outside help is focused on making the compliance process more efficient, where outside help is able to execute quicker than inside help, where outside providers can provide lower-cost resources than the internal fixed-cost resources. We’ve seen that happen through offshoring arrangements or by employing contractors. So, when organizations procure outside help, they only pay for the hours they need. We think that’s had some impact on keeping costs in check.
Finally, many large organizations look at their SOX compliance annually and continue to move up the maturity curve and get better. I will say though, on the opposite side of the equation for certain company types, SOX costs are trending in the other direction. The percentage of our 2017 survey respondents that spent more than $2 million a year on SOX increased this year within the smaller organizations — those with less than $500 million in revenue — and for those in the pre-IPO phase of their first year of compliance.
There’s definitely been an impact. There’s definitely no secret about that. I mean, the standard had been raised quite a bit in a couple of areas as a direct result of the PCAOB inspection reports. There are a couple of trends to highlight, particularly around information provided by the entity, or IPE, and outside service providers. The PCAOB has said that the results are definitely improving across the board with the 10 annually inspected audit firms.
Primarily, that has been that over the last few years, what we still call hot topics are really not hot topics anymore, because they’ve been around for a while. So, rather than being a new and emerging thought process, they really have become an expectation, and what that has led to is that a lot of the audit firms have increased their training and their internal quality programs to make sure that all of their teams, regardless of geography or which audit partner they’re working with, really have a standard expectation of what should be done in some of these areas.
From an IPE perspective, what we found as a result of our survey is the expectation that you are going to, at least, test all of your IPE annually. I say “at least” because if there have been significant changes in the environment, the expectation is that it will be tested multiple times throughout the audit life cycle. Initially, there was some level of sentiment that you could get away with a rotational approach and kind of prioritize some of your IPE efforts. While that might still be the case for some of the smaller revenue-size clients, the reality is that there should be some level of rationale that’s provided as to why the management team feels that the rationale or that the approach is appropriate.
The other topic that I mentioned was around outside service providers. When we look at our survey results, the good news is about 95 percent of those that responded said that they were receiving at least some SOC 1 reports, which is a change in the shift from where folks were two or three years ago. Eighty percent of those are going through some level of a control mapping exercise to make sure that the coverage that they’re getting in their SOC 1 report is going to be sufficient to mitigate the risk that they’re trying to cover as part of the SOX cycles that are in scope.
The bottom line is that you really can’t outsource the responsibility for control when you outsource certain cycles. They really still are a part of the management-review process, and there needs to be comfort around that, that every risk that would be relevant to the cycle that isn’t in scope to SOX is being addressed appropriately. The good news is also that you can rely on management-review controls for some of these things, so you don’t necessarily have to go back to the transactional level or do on-site audits. You can rely on management-review controls, but that’s something it’s important to have clarity and transparency about in terms of what the expectation is also from your external auditors, so that there are no surprises at the end of the audit period.
You’re right, specific to hours. Hours devoted to SOX continue to trend up — at least, that’s what our survey results tell us — and the time devoted to SOX compliance activities increased for a majority of organizations last year. For two out of three of the companies that responded to our survey, hours increased by more than 10 percent, which underscores that compliance continues to remain a time-consuming exercise. There are a number of factors that we see driving this that all companies should be paying attention to.
First, what we’ve seen is that control counts are up. The number of internal controls being reviewed on an annual basis is up. Compared to prior-year results, the percentage of entity-level controls that have been classified as key controls has increased. We believe that that trend was driven by the implementation of the new COSO Internal Control — Integrated Framework, and then the PCAOB inspection report, as Ana highlighted in your earlier question, has impacted the external auditor’s internal control work, and this has had a direct impact on the hours that companies incurred to comply with SOX, and also to do with the external auditors to the extent they need the internal control opinion on their financials.
Number three, in the current environment, we’ve seen an increased documentation around cybersecurity controls. We expect that focus to continue to remain strong throughout 2017. Fourth, the new ASC 606 revenue recognition transition is underway, and that’s impacting SOX-related hours specific to revenue-cycle controls as internal controls change to respond to the new revenue guidance.
And then, finally, there are some new focal areas that we saw companies prepare for in their 2016 audits, which has impacted hours. Those include the new related-party auditing standard, AS 18, which was recodified as AS 2410. We saw companies get more robust internal-control documentation to support some of the new going-concern assessment work that the external auditors are subject to, and non-GAAP disclosures; the increased focus on non-GAAP disclosures by the SEC has driven some additional internal-control hours around the latest disclosure controls. And then, I’d say, finally, as Ana mentioned, there’s increased intensity in the focus on outsourced SOC reports, as we’ve seen companies focused on enhancing documentation of internal controls in these areas. So those things collectively have all led to the uptick in hours across the board.