In early 2012, with the 10th anniversary of the Sarbanes-Oxley
Act approaching, Protiviti conducted a survey of nearly 600
financial, compliance, internal audit and other executives
(principally from North America) to understand what they really
think about Section 404 of Sarbanes-Oxley. The survey took an
in-depth look at the many issues companies must address related to
Sarbanes-Oxley compliance, from costs and resources to achieving a
stronger internal control environment and improved efficiency and
effectiveness in operations. The survey's participants represent a
constituency that understands the costs, benefits and issues with
the Sarbanes-Oxley compliance process, given their involvement with
the process in the trenches.
|Protiviti managing director
While Sarbanes-Oxley has had its share of controversy in the
past, nearly 70 percent of respondents in the survey reported that
the internal control over financial reporting structure in their
organizations has improved since compliance with Sarbanes-Oxley
Section 404 became a requirement. The good news is that, even 10
years later, companies are still learning and working to improve
continuously the quality of their internal controls, as well as the
effectiveness and efficiency of their compliance processes. Keeping
that overall perspective in mind, when assessing the detailed
findings from this study, we noted several key themes:
• While initial compliance costs and efforts
involved are burdensome for new Sarbanes-Oxley filers, over the
long term, many organizations view the benefits of Sarbanes-Oxley
compliance to outweigh the costs.
• Over the last decade, internal control
structures have improved.
• Automation -- in terms of controls,
processes, etc. -- may represent the "final frontier" for
significant improvement opportunities in terms of greater
efficiencies and long-term savings.
• A growing number of organizations are not in
favor of the decision to exempt certain organizations from having
to comply with Section 404(b) of Sarbanes-Oxley, which is the
provision requiring auditor attestation of internal control over
The remainder of this article provides a more detailed review
and discussion of these survey findings.
Sarbanes-Oxley: 10 Years Later
Nearly one in three organizations view the benefits of
Sarbanes-Oxley to outweigh its costs, with large accelerated filers
(companies with more than $700 million in market capitalization)
holding a slightly more positive view. Approximately half of all
companies believe the costs outweigh the benefits to some degree.
With regard to Sarbanes-Oxley's impact on corporate America,
companies appear to view the legislation in a more negative manner,
suggesting that they see Sarbanes-Oxley as benefitting their own
organizations more than others.
Organizations are divided in their views on whether certain
smaller public companies should be exempt from having to comply
with Sarbanes-Oxley Section 404(b). Nearly 40 percent believe these
requirements should be eliminated for organizations with less than
$1 billion in market capitalization. However, more than half of all
large accelerated and accelerated filers (companies with a market
capitalization of $75 million to $700 million) do not approve of
the current Section 404(b) exemption for non-accelerated filers
(companies with less than $75 million in market
In a large percentage of companies (nearly 70 percent of
respondents), the internal control over financial reporting
structure has improved since compliance with Sarbanes-Oxley Section
404(b) became a requirement. This is a significant assertion,
because it was a key result intended by the U.S. Congress when it
enacted Sarbanes-Oxley in July 2002.
Key Strategies and Metrics for Improving the Compliance
For most organizations, the number of process-level and
entity-level controls dropped significantly between their first
year of compliance and fiscal year 2011, as did the number of
process controls classified as "key controls." These downward
trends in the controls population are to be expected and are likely
due to the emphasis on a top-down, risk-based approach supported by
the U.S. Securities and Exchange Commission in 2007 to narrow the
focus to what really matters.
The reduction in the number of key controls is also expected.
The primary dynamic driving this declining trend is the experience
curve. As their Sarbanes-Oxley compliance processes mature,
companies become better at planning, scoping and recognizing which
controls are most important in reducing the risk of material
misstatements to their financial statements. This is a good thing,
as it focuses attention and monitoring on the controls that really
make a difference.
These findings related to reductions in the controls population
and the number of key controls may vary depending on the length of
time a company has been public. Also, recent Public Company
Accounting Oversight Board (PCAOB) inspection results may reverse
some of this trending in 2012, as audit firms are giving direction
to audit teams in some areas to increase the nature, timing and
extent of audit procedures performed.
For example, we are aware of audit firms that are discussing
with their audit clients a number of areas where more work is
needed, such as (1) increased focus on process documentation,
control design assessments and testing for high-risk processes
(revenue, inventory, etc.); and (2) understanding and documenting
the likely sources of misstatements. These are just two examples;
there are others, some or all of which may be attributable to the
PCAOB inspection findings.
The point is that, if the audit firms expand their scopes, some
companies may reconsider the extent to which they are deploying
additional assistance from outside resources, which could have a
significant effect on organizations in terms of costs and their
deployment of internal resources.
Identifying selected controls related to higher-risk financial
reporting assertions (a result of applying a risk-based testing
approach) is among the strategies employed most frequently to
achieve controls-related reductions is. Other strategies include
deploying a top-down validation approach (beginning with
entity-level controls), eliminating the root cause of exceptions
and errors to build quality into the process and eliminating
activities and tasks that are unnecessary or add no value.
The majority of executives surveyed said they also are focusing
on automation of their companies' internal controls to realize the
full benefit of compliance efforts related to the landmark
legislation. In fact, only 17 percent of respondents said they have
no plans for further automation. This focus is important, because
there continue to be opportunities for organizations to automate
more of their key controls, which establishes a
proactive/preventive tone to the internal control environment and
supports the mission to simplify and streamline business
| 2 Next Page ►