After four years of focusing on Sarbanes-Oxley compliance, internal auditors are finally starting to feel like they can give their attention to other matters, according to a recent study.

The study, a survey done by the consulting firm Protiviti, found that 40 percent of internal audit departments have been able to decrease the amount of time they spend on SOX compliance activities. Many credit new guidance published last year by the Securities and Exchange Commission and the Public Company Accounting Oversight Board with lessening the burden of compliance with SOX’s dreaded Section 404, which requires companies to document and test their internal controls over financial reporting.

That guidance—principally Auditing Standard No. 5, which encouraged internal and external auditors alike to worry most about controls that pose a serious risk of misstatements—has led companies to evaluate their controls more critically, reduce the number of controls they test, and trim the number of locations where testing is done, the survey found.

As a result of these changes, Protiviti says, internal audit departments are “rebalancing” their agendas toward more traditional internal audit responsibilities that include regulatory compliance, as well as being strategic advisers to senior management and the board’s audit committee.


“The guidelines that came out created more clarity,” says Bob Hirth, an executive vice president at Protiviti. “They urged companies and their auditors to challenge and change the scope to focus on more important, higher-risk factors.”

The sharper focus also may be helping to reduce SOX compliance costs. Even before the revised SEC and PCAOB guidelines arrived, companies had been trying to find ways to increase the efficiency of Section 404 testing—whether through using new technology, reorganizing staff, or both.

The resources that companies have saved under the new SOX compliance guidelines mean businesses have been able to trim their compliance budgets. For example, the software company Business Objects (recently acquired by SAP) saw its external auditor expenses for SOX compliance drop from more than half its total bill to less than 20 percent. “It was a dramatic improvement,” says Norman Marks, Business Objects’ vice president of governance, risk, and compliance.

AS5 prods external auditors to rely more on a company’s own testing work, rather than do the testing themselves. Those savings, in theory, then are passed along to the client in reduced audit fees. (Exorbitant audit fees in the early years of SOX compliance were what forced the SEC and PCAOB to relax compliance guidelines last year.)

In addition, AS5 requires audit firms to use a top-down, risk-based approach to defining the scope of work. The logic is that by focusing only on risks that pose legitimate threats to the accuracy of financial statements, the auditors do less work and send smaller bills to their clients.

“You have to find the time to establish and monitor the truly meaningful key performance indicators, so that you can be in a better position to prevent problems from occurring.”

— Bill Nosal, Director of Compliance Strategy, SunGuard Financial Systems


Marks gave the example of testing IT controls at Business Objects. Last year, he said, the external auditors tested only one key IT general control and relied on Business Objects’ testing of all other IT general controls and automated controls. “They were able to follow our approach, and we were able to achieve a remarkable reduction in key controls that they agreed with. It was a far more efficient year,” Marks says.

Now Marks wants to streamline compliance even more, through techniques such as continuous monitoring and auditing, he says. That includes redesigning procedures to eliminate some activity-level controls from testing when effective direct-entity level controls already exist. For example, in the payroll function, Business Objects has activity-level controls for adding employees or changing pay rates; those would not need to be tested where there is a more efficient set of controls to test, Marks says.

Consequences of AS5

With companies’ procedural roadmaps in place, and with AS5 reducing the number of controls to be tested, external auditors may find their fees related to internal controls documentation and testing start to decline—if they haven’t already.

“Our audit fees have been reduced,” says Nick Tootle, a principal at the audit firm Kaufman, Rossin & Co. “We noticed it in this past year’s audit. The Dec. 31, 2007, budget dedicated to Section 404 was less than a year before.”


Still, Tootle says he doesn’t expect budgets for Section 404-related fees to decline much further for 2008 because adjustments for AS5 have already been made. Auditors’ total revenue, meanwhile, continues to benefit from the additional services audit firms can provide in business transactions, such as mergers and acquisitions or divestitures.


Which guidance has had more effect on companies’ Section 404 compliance efforts: AS5 or the SEC advice for management? See results from Protiviti’s IT Audit survey below.

[Chart. Response categories: Significantly Increased Rebalancing Efforts; Moderately Increased Rebalancing Efforts; No Change; Moderately Decreased Rebalancing Efforts. Source: Protiviti (2008).]

According to the Protiviti study, 75 percent of internal audit departments have seen a drop in the number of key controls documented and tested since AS5 and accompanying management guidance from the SEC arrived. Sixty-eight percent have seen a decline in total controls documented and tested.

The Protiviti study also found 39 percent of internal audit departments increased their use of risk-based testing, and 47 percent said their external auditors were relying more on the work of others (usually the company’s own internal audit department).

“Firms are very focused on risk and performance indicators, inasmuch as they are on broader controls,” says Bill Nosal, director of compliance strategy for SunGuard Financial Systems. “But what’s critically important and very challenging today is identifying the real key performance indicators. You have to find the time to establish and monitor the truly meaningful ones, so that you can be in a better position to prevent problems from occurring, not just react to events.”

Protiviti’s study, “Moving Internal Audit Back into Balance,” included 321 respondents, who were largely chief audit executives and audit directors. Most of the respondents worked for companies in the financial services industry, and 86 percent of the businesses represented were public companies. This is the third annual survey Protiviti has conducted.