Most companies could still wring more efficiency out of their Sarbanes-Oxley compliance efforts, according to a new study, even after four years of practice at SOX compliance and relaxed standards from the Securities and Exchange Commission issued last year.

The report, based on interviews with more than 30 senior finance and internal control professionals, concludes that while much of the potential benefit of the new SEC guidance has already been achieved, opportunities exist to further rationalize the scope and structure of internal control over financial reporting. That’s likely to be an important goal for compliance and financial reporting executives in 2009, as they brace for budget cuts, layoffs, and other diminished resources.

“For the majority of companies, there are still substantial opportunities for further optimization,” says Sanjay Mehta, author of the report and head of risk and advisory services at BMR Advisors. BMR wrote the report along with the Financial Executives Research Foundation.

The study identifies four possible areas of improvement:

Transforming controls to focus less on manual controls and more on automated and entity-level controls;

Consolidating processes into a reduced number of systems or a reduced number of locations, through a shared-services or business process outsourcing approach;

Adopting more sophisticated testing strategies, including remote testing; and

Conducting SOX testing work more deliberately and selectively.


Mehta says accelerated filers, who’ve been complying with SOX’s Section 404 for years, have generally followed the same path: a huge initial effort to achieve compliance; a rationalization program to eliminate waste; and a second effort to pursue a top-down, risk-based approach in line with Auditing Standard No. 5, the relaxed standard for auditing internal controls that the Public Company Accounting Oversight Board published last year.

Most companies are now either considering or have already begun a third round of rationalization, with an eye toward automation, entity-level controls, and improved testing methodologies, he says.

“The overwhelming feedback is that the new approach has indeed driven a significant reduction in SOX costs,” the report states. “However, by no means have all companies reaped the full reward of AS5, and some have shown little or no reduction in scope since the early days of SOX.”

Jonathan Marks, a partner with auditing firm Crowe Horwath, says there’s some hesitance among some companies to migrate to AS5. Instead, they still cling to some version of Auditing Standard No. 2, the far more exacting original standard published in 2003.


“It’s a mixed bag,” Marks says. “Many organizations feel they have a program that gets them to where they need to be,” he says. “It’s not the most efficient, but everyone—the audit committee, the external auditor—is comfortable.”

The FERF report examined two metrics to assess the maturity of companies’ SOX compliance programs: optimization of scope (how well the program has been rationalized to take full advantage of AS5); and optimization of structure (how much the structure of the program meets the needs of the company).

Of the two, Mehta says scope optimization has the more direct, and in most cases stronger, influence on overall costs. Not surprisingly, that’s where most companies have focused their efforts. Still, a key conclusion of the study is that companies achieve the most efficiency by balancing both factors.

How to Optimize SOX Efforts

A crucial factor that emerged among compliance models is how much companies do or do not centralize the management and execution of SOX compliance. In the early days of SOX, many companies adopted a highly decentralized approach: typically a small central SOX program office, several levels of SOX requirements based on materiality, and management testing executed within business units, often with some review by internal audit. But many companies couldn’t sustain that approach, the report says, because they didn’t have appropriately skilled employees at the ground level.

Centralization of SOX responsibilities, either in the internal audit department or a SOX project management office in the controllership function, is the easiest way to satisfy external auditors that they may rely upon management testing under AS5, according to the report.


Below is an excerpt from FERF’s report, “SOX 404 Optimization: Operational Trends,” examining some opportunities for further optimization:

[M]ost interviewees whose organizations had reached a higher level of SOX maturity were of the view that much of the potential benefit of AS5 and the new SEC guidance has already been realized. Yet all agreed that opportunities for further rationalization of both scope and structure do still remain. The only questions are: How big are those opportunities, and are they worth pursuing? For organizations that are yet to complete their AS5 journey, the potential benefit of more advanced rationalization initiatives is likely to be even more significant.

Transformation of controls

Almost without exception, executives interviewed for this study reported that reengineering their control frameworks to focus less on manual controls and more on (a) automated and (b) entity-level controls would yield significant efficiencies and savings.

If an entity-level control can be used instead of lower-level transactional controls, significant savings of effort can be made, because of the simple principle of leverage: a single entity-level control typically does the job of many lower-level controls. This, of course, means that the control in question will likely have a higher level of associated risk, and therefore almost certainly subject to external auditor testing. But still, most interviewees agreed that efficiencies could be significant.

Automated controls can also sometimes exploit the principle of leverage, but the major saving here is likely to come from increased testing efficiency, because testing a manual control typically takes longer than testing an automated one. Across the organizations interviewed, a typical ratio of manual to automated controls (leaving entity-level controls out of the equation for the time being) was roughly 85 percent to 15 percent, leaving ample scope for further optimization.

Consolidation of systems and processes

The main inhibitor of a migration toward more automated controls is likely to be a lack of an integrated ERP or financials platform. Of the organizations interviewed, those with a fragmented IT architecture far outnumbered those with an integrated, monolithic ERP or financials system, by a factor of nearly four to one. In a couple of instances, companies had been dealing with IT architectures that placed as many as 100 applications in scope (although in one of those cases, the number has since been cut to 60).

Consolidation of processes onto a single system avoids the situation—all too familiar, in the experience of many interviewees—in which a control that should in theory be fully automated requires an unnecessary manual intervention.

It follows that organizations with more streamlined ERP implementations also tend to have more efficient SOX programs.

Another way in which consolidation can drive efficiency in SOX programs is through the use of shared-service centers and business process outsourcing providers (BPOs) for key elements of the finance function. Adoption of a shared-service or BPO model will commonly go hand in hand with a more streamlined ERP architecture. This really is a ‘double whammy’ in terms of both scope and structural optimization, because not only does it limit the number of locations that need to be covered, but it also tends to remove unnecessary ‘semi-automated’ controls that can be associated with fragmented

Naturally, SOX efficiencies are unlikely to have anything more than a very minor influence on a business decision of such magnitude as a new ERP system or a finance outsourcing deal. But the fact remains that for SOX leaders, such new directions generally represent great opportunities.

More sophisticated testing approaches

[I]ncreasingly sophisticated approaches to testing are now being developed by SOX leaders. Such techniques as the adoption of different testing methodologies according to their risk rating are increasingly being explored by organizations seeking to further rationalize their programs. And others are now beginning to explore the potential benefits of continuous monitoring, as distinct from traditional sample-based testing.

Some evidence also exists that hybrid organizational models are emerging, which marry the benefits of both centralized and decentralized approaches to testing.

Such creative approaches are likely only to increase in both number and diversity as companies find new ways to address SOX within the specific contexts of their unique business dynamics.


FERF’s “SOX 404 Optimization: Operational Trends” (November 2008).

“We found that if people, processes, and technology are in sync, and the company has defined key controls well, centralization is possibly the best way forward unless the business units differ in their structure,” Mehta says.

Confirming what most SOX experts have preached for years, nearly all executives interviewed in the FERF report said they could reap considerable efficiencies and savings by reengineering their control frameworks to focus less on manual controls and more on automated and entity-level ones. That’s because a single entity-level control typically does the job of several lower-level controls, and because testing a manual control typically takes longer than testing an automated one.

Still, despite the potential benefits, most companies have yet to adopt many automated controls. Mehta says he was surprised at the high reliance on manual controls, even at large companies with sophisticated SOX compliance programs.

“The vast majority of companies’ controls continue to be manual,” he says. Among the organizations interviewed, the standard breakdown was 85 percent manual controls and only 15 percent automated (excluding entity-level controls from the equation).

The report cites several possible reasons for the continued reliance on manual controls. Lack of an integrated platform for enterprise resource planning software or financial management is one. But, Marks says, a major reason that many companies don’t make the jump to automated controls is simply cost.

“A lot of people are SOX-costed out,” he says. “They feel comfortable with their approach and they’re not willing to change right now.”


Jim DeLoach, managing director at the consulting firm Protiviti, says companies are likely to try some streamlining to ensure that duplicate controls around lower-risk areas are consolidated. But for now, companies mainly want to be certain they have embraced the principles of AS5 and the interpretive guidance and bring as much of their SOX compliance efforts in-house as possible.

Still, “If there are any more efficiencies to be derived in the compliance process, automation might be where it is,” says Bill Sinnett, FERF director of research. “There’s a lot of potential in automated controls and continuous monitoring and continuous auditing.”

The report also cited shared-service centers and business process outsourcing for some elements of the finance function as another way for companies to wring more efficiency from their SOX programs. The adoption of a shared-service or BPO model, combined with a more streamlined ERP software architecture, is “a double whammy” of scope and structure optimization, the report says, because it limits the number of locations that need to be covered and also tends to remove unnecessary semi-automated controls.

For some companies, SOX compliance could become an outsourced process entirely. The report notes that strategic sourcing, where some elements of the SOX program are sourced externally and internal resources carry out the balance, may be an option, particularly where a centralized model is already in place.

One company that appointed a global strategic sourcing partner, working under the supervision of a designated senior audit manager, reported significant improvements in the consistency and quality of testing outputs after the first year, along with overall year-on-year cost savings in excess of 50 percent.