Roughly half of the largest companies subject to reporting requirements under Sarbanes-Oxley said their external audit costs increased in 2016 as companies report continued pressure on auditors resulting from regulatory inspections.
Based on responses from nearly 470 finance and audit executives at U.S. public companies, Protiviti’s annual SOX compliance survey found 50 percent of accelerated and large accelerated filers saw their external audit fees tick upward again last year, while one-third of nonaccelerated filers reported the same trend in audit costs. For significant numbers of companies represented in the poll, the increases were measured at 10 percent or greater, Protiviti says.
Companies reported via the survey that external auditors are increasing their reliance on medium- and low-risk processes, but auditors have turned their attention to new areas of focus, like new audit requirements around related-party transactions, new accounting requirements for warning investors if there’s doubt about an entity’s ability to remain a going concern, new concerns around non-GAAP accounting and disclosures, and increased attention to cyber-security.
The survey found half of large accelerated filers and 63 percent of accelerated filers reported they spent more hours internally on SOX compliance in 2016, with the majority in both groups reporting hours increased more than 10 percent. Even 48 percent of nonaccelerated filers and 63 percent of emerging growth companies reported they spent more time on SOX compliance last year.
Protiviti’s poll parsed out the number of hours companies report spending on various aspects of compliance on key controls. Companies said, for example, they spend an average of 4.7 hours creating or updating control documentation on each key control, and 4.3 hours evaluating or re-evaluating control design. Companies spend more time, on average 6.4 hours, testing each key control for operating effectiveness than any other control activity. They spend 5.7 hours on average testing management review controls.
On the horizon, SOX compliance professionals are wincing over three big factors that will affect their efforts in the coming year, the survey found. Some 64 percent said they expect external auditors to continue placing more focus on evaluating various types of deficiencies as a result of inspection results from their regulator, the Public Company Accounting Oversight Board.
Revenue recognition, an area undergoing massive change as companies transition to new accounting requirements, will lead to significant internal control changes. A little more than half of the companies in Protiviti’s poll said they’d begun updating controls documentation in 2016, and 26 percent said they had already seen extensive or substantial increases in testing of controls as a result of the new standard.
Finally, cyber-security is keeping SOX professionals awake at night, with a three-fold increase in the small number of companies the year before who said they had increased their hours devoted to cyber risk by 20 percent or more. Of companies that issued cyber-security disclosure, nearly one-third said they’d increased their hours devoted to SOX compliance by at least 16 percent.