The annual Sarbanes-Oxley (SOX) Compliance Survey released by global consulting firm Protiviti reveals a new set of challenges facing public companies amid their compliance efforts. PCAOB audit requirements, new revenue recognition standards and cybersecurity concerns were cited by survey respondents as factors that will influence SOX compliance efforts in 2017. However, companies are seeing the benefits of their SOX compliance work, with 70 percent reporting that their internal control over financial reporting structure has improved and 50 percent realizing continued improvement of business processes.
The survey report, Fine-Tuning SOX Costs, Hours and Controls, is based on a survey completed by 468 chief audit executives, and internal audit and finance leaders and professionals in U.S.-based public companies in a wide range of industries in the first quarter of 2017. Seventy-two percent of respondents’ companies have annual revenues of $1 billion or more and 78 percent are beyond their second year of SOX compliance. Respondents looked back on their organizations’ SOX compliance efforts for the prior fiscal year – with attention to the factors potentially influencing observed changes in resources spent. The in-depth Protiviti report maps out the dynamic and evolving compliance landscape, 15 years after SOX was signed into legislation.
“SOX requirements and practices have changed with the times, and we’re pleased to see that many companies are reaping the benefits of their compliance efforts, which is also good news for investors,” said Brian Christensen, executive vice president, global internal audit and financial advisory at Protiviti. “By creating streamlined and lean processes, companies can respond to new and emerging business or regulatory challenges with agility. Conversely, those who aren’t following this model and are instead always playing catch-up may struggle to remain competitive over time.”
The Protiviti 2017 survey report identifies three emerging factors affecting SOX compliance today:
- PCAOB Requirements: Increasing inspection report requirements placed on external auditors by the PCAOB have resulted in stricter compliance activities for many organizations. In fact, three-quarters of firms (75 percent) whose external auditors required significant changes to SOX compliance activities attribute this increase to PCAOB changes. In particular, 64 percent of survey respondents say their external auditors are placing more focus on evaluating deficiencies.
- Revenue Recognition: A narrow majority (56 percent) of public companies started the process of updating controls documentation in 2016, ahead of the new revenue recognition accounting standard going into effect for most companies in the next fiscal year. Those who completed the antecedent work to meet the new standard have already identified gaps and updated critical accounting policies; 26 percent noted extensive or substantial increases in testing of controls over application of revenue recognition policies.
- Cybersecurity: With the growing prevalence of cyberattacks and breaches during the last year came increasing scrutiny from external auditors, management and boards of directors. As cybersecurity grows beyond an IT concern into a fundamental business issue across the enterprise, it’s not surprising that survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016. Of those who issued disclosures, 15 percent (compared to just 5 percent in 2015) increased their hours spent on SOX compliance by more than 20 percent. Overall, of those companies that had to issue a cybersecurity disclosure, nearly one out of three experienced an increase of at least 16 percent in SOX compliance hours.
“Looking forward, the new FASB lease accounting standard goes into effect in two years, and there’s no doubt we’ll see another round of significant accounting and SOX control program changes in preparation for compliance,” added Christensen.
Detailed findings about the cost, hours, control counts and other SOX compliance metrics of the surveyed companies can be found in the Protiviti report, which is available as a complimentary download. To further explore the survey results, Protiviti will conduct a free 90-minute webinar on June 27, 2017 at 10:00 a.m. PDT with Christensen and Protiviti Managing Directors Chris Wright, Ana Amato and Jeff Tecau. An infographic with survey highlights and a short video are also available.