Rising cost of SOX compliance is pushing companies to rethink compliance strategies

The latest evidence on compliance with Sarbanes-Oxley suggests the meter is still running, with costs continuing to rise for the majority of public companies.

A first-quarter 2016 poll by Protiviti of 1,500 executives, more than half with public companies, shows that 68 percent of public companies devoted 10 percent more hours internally in 2015 to their Sarbanes-Oxley compliance efforts. Half of the large accelerated filers and accelerated filers in the survey group said their external audit fees also increased, along with 41 percent of nonaccelerated filers.

But costs are necessarily not rising for everyone. Nearly 60 percent of those representing nonaccelerated filers said their audit fees had gone down in the most recent fiscal year, and emerging growth companies showed the best numbers, with only 36 percent seeing audit costs increase and 56 percent reporting a drop in audit costs.

The difference is likely tied in large part to the different requirements for accelerated filers compared with smaller companies. Those smaller companies are not subject to the auditor attestation requirement under Section 404B of the Sarbanes-Oxley Act, which requires auditors to issue an opinion on the effectiveness of internal control over financial reporting. Still, many of them are working toward being prepared for such an audit, says Phyllis Deiso, a partner and national SEC practice leader for audit firm RSM, as they may be anticipating growth or acquisition that will subject them to the requirement.

“I found the trends here to be fairly consistent with our anecdotal evidence,” says Deiso. Companies that are subject to the internal control audit are also subject to the increased scrutiny auditors are applying as they continue to adapt their audit methods based on increasingly demanding inspection results by the Public Company Accounting Oversight Board. “There very much appears to be a linkage between the inspection process, the external audit process, and then what companies are doing to respond.”

“There very much appears to be a linkage between the inspection process, the external audit process, and then what companies are doing to respond.”

Phyllis Deiso, Partner, National SEC Practice Leader, RSM

Pat Voll, vice president at consulting firm RoseRyan, says there’s a distinct cut between larger companies that are audited by Big 4 firms compared with smaller companies audited by regional firms. “We’re seeing a big difference in what the regional firms require compared to the Big 4,” she says. “I believe they (PCAOB inspectors) are just pounding on the Big 4 about more robust documentation around what you’re doing, what you’re basing your conclusions on, what evidence you’re looking at, and how you know what you’re seeing is evidence that this is being done,” she says.

With the growth of evidence and documentation demands, Voll says she sees auditors applying those demands across wide swaths of internal controls rather than where the risk is greatest. “It tends to come out as a one-size-fits-all approach,” she says. “That is adding a lot of cost.”

SOX'S PAST, PRESENT, AND FUTURE

RoseRyan President Pat Voll provides an overview of SOX, where companies currently stand, and what the future holds.
Years of SOX compliance have resulted in positive progress. The way companies design controls is far different today than the early days—and how they evidence the execution of controls has matured as well. We see that companies have integrated SOX into their operations—it is not some “thing” off to the side, separate and apart from ongoing operations. And real, tangible benefits are being derived from it. Financial statements are more reliable. There are more checks and balances in place. We see a better defined “tone at the top”—there’s clear integrity and transparency in how SOX-compliant companies do business.
We’ve also seen companies becoming more mature in their operations and documentation of accounting entries. In the past, we were more likely to see journal entries with no supporting documentation. Or we’d find that reconciliations were performed but nobody reviewed them. Now, the level of documentation produced and retained is more robust, and there is more scrutiny of the underlying data itself.
What do they want?
Still, it’s not always clear whether companies are living up to their auditors’ (and their auditors’) expectations. In 2013, some light shone through when the PCAOB released an audit alert following three years’ worth of serious deficiencies in internal-control audits. The general public finally got to hear what the inspectors were seeing beyond their vague inspection reports. The PCAOB expected to see more proof that the auditors were doing what they are supposed to be doing while reviewing internal controls, and those demands have trickled down to the auditors’ clients.
Here’s one example of how it plays out now: When auditors want to look over management review controls (controls that help management identify errors), they need to understand them and then test to see if they are operating at a precise enough level to detect a material misstatement. The potential snafu here is that management documented their review in accordance with their own needs, not the auditors’. The auditor will want sufficient evidence to prove what management looked at, what was investigated and how it was resolved.
Management does not need a stack of paperwork to perform a meaningful budget-to-actual analysis and be comfortable that there are no material misstatements. But auditors want to know for sure that the analysis was done and thoroughly reviewed or else they are hard-pressed to place reliance on that control. Ten years ago, a simple signature on a page was often sufficient evidence. Not so today.
At times it seems audit requests are coming from a “one size fits all” approach rather than a tailored approach based on specific facts and circumstances. Companies end up feeling a need to pile on the documentation to make future audits easier but on areas that have little connection to the possibility of a material misstatement.
What’s next
How the PCAOB goes about its inspections could change. In May, the PCAOB revealed that it may go about the selection of audits to review differently, shifting from a risk-based focus to taking some audits at random (as it is now, the PCAOB tends to review the riskiest/most complex clients in a company’s portfolio).
That change may not address the issue of mismatched expectations but it will certainly get the conversation going, which isn’t a bad thing. As usual, the devil is still in the details. What matters to the regulator—and the firms it audits—will continue to evolve as precedents get set and the bar gets raised. Some areas, such as cybersecurity risks, could attract more focus.
Here’s the bottom line: The evolution could all be for the better, as long as we can use judgment about what adds value and what is merely checking off boxes.
Source: Pat Voll

Daniel Kim, vice president of product at technology firm SOXHUB, says he sees costs rising across the board, consistent with what he experienced when he was managing SOX compliance for a public company only a few years ago. “Regardless of the size of the organization, it’s safe to say 60 to 70 percent of companies are increasing their SOX spend by more than 10 percent,” he says. “That’s a big number.”

Costs are rising because audit testing is on the rise, says Kim, especially in the recent pain points emerging from PCAOB inspection reports around electronic audit evidence, management review controls, or information produced by the entity. “In the past, if you had to test three steps for every key control, now you have to test six steps,” he says. “That means the process owners have to make sure those additional three steps have more audit trail behind them, so that’s additional work for them. It just snowballs into a lot of things.” That means more evidence requests and more administration to track those, for example.

Trent Gazzaway, national managing partner at Grant Thornton, says he believes the increased costs companies have invested to improve financial reporting in recent years are leveling off. “A majority of companies, particularly those that comply with Sections 404A and B, are at a point where they made the necessary changes to comply with the standards, so they should start to see a general leveling off with compliance,” he says.

That being said, Gazzaway doesn’t dismiss the likelihood that more changes are in store down the road as the PCAOB inspection process continues to evolve and as the business environment continues to grow more complex. “There will continue to be things to consider,” he says. “We will always be in an environment where we are improving financial reporting. The changes going forward will be incremental changes associated with changes in the market itself.”

Kim says he hears companies asking if the end is in sight in terms of cost increases. “I think this is kind of the new normal,” he says. In the initial adoption of Sarbanes-Oxley, costs were high, followed by some rationalization, and then the surge in the past few years. “You can expect costs to start to stabilize as companies figure out how to best comply with these new requirements.”

Brian Christensen, executive vice president for global internal audit at Protiviti, likes to steer the questions about cost toward a view of the benefits. “Another way to phrase it is what about the value achieved from all this Sarbanes-Oxley activity?” he says. “The intention was to improve the control around financial reporting. That does require some significant effort.” Two-thirds of pubic companies said through the survey that their controls were significantly or moderately improved since Sarbanes-Oxley.

The survey result suggests, and Kim also sees, companies are asking more questions about automating controls as a way to reduce cost and improve efficiency. A clear majority of companies have plans to either significantly or moderately increase their use of automation in 2016, the survey shows.

“SOX is one of the areas in the enterprise accounting and finance area where companies are spending $1 million to $2 million on headcount costs, and still doing a lot in Excel or manually,” says Kim. “We are seeing a big push in internal audit teams to find technology solutions to help streamline and reduce these costs.”

Voll is telling her clients to push back where they can, but to pick their battles wisely. “Some things are black and white, and they have to be done,” she says. “But that’s not true for everything. There is a difference between a need and a want. Where is the middle ground where you can negotiate? There is a lot of compromise now in those negotiations.”