How Sarbanes-Oxley Has Affected Internal Controls and Compliance: A 10th Anniversary Review

Thursday, August 16, 2012, By Brian Christensen and Jim DeLoach

In early 2012, with the 10th anniversary of the Sarbanes-Oxley Act approaching, Protiviti conducted a survey of nearly 600 financial, compliance, internal audit and other executives (principally from North America) to understand what they really think about Section 404 of Sarbanes-Oxley. The survey took an in-depth look at the many issues companies must address related to Sarbanes-Oxley compliance, from costs and resources to achieving a stronger internal control environment and improved efficiency and effectiveness in operations. The survey's participants represent a constituency that understands the costs, benefits and issues with the Sarbanes-Oxley compliance process, given their involvement with the process in the trenches.

Protiviti managing director Jim DeLoach.

While Sarbanes-Oxley has had its share of controversy in the past, nearly 70 percent of respondents in the survey reported that the internal control over financial reporting structure in their organizations has improved since compliance with Sarbanes-Oxley Section 404 became a requirement. The good news is that, even 10 years later, companies are still learning and working to improve continuously the quality of their internal controls, as well as the effectiveness and efficiency of their compliance processes. Keeping that overall perspective in mind, when assessing the detailed findings from this study, we noted several key themes:

While initial compliance costs and efforts involved are burdensome for new Sarbanes-Oxley filers, over the long term, many organizations view the benefits of Sarbanes-Oxley compliance to outweigh the costs.

Over the last decade, internal control structures have improved.

Automation -- in terms of controls, processes, etc. -- may represent the "final frontier" for significant improvement opportunities in terms of greater efficiencies and long-term savings.

A growing number of organizations are not in favor of the decision to exempt certain organizations from having to comply with Section 404(b) of Sarbanes-Oxley, which is the provision requiring auditor attestation of internal control over financial reporting.

The remainder of this article provides a more detailed review and discussion of these survey findings.

Sarbanes-Oxley: 10 Years Later

Nearly one in three organizations view the benefits of Sarbanes-Oxley to outweigh its costs, with large accelerated filers (companies with more than $700 million in market capitalization) holding a slightly more positive view. Approximately half of all companies believe the costs outweigh the benefits to some degree. With regard to Sarbanes-Oxley's impact on corporate America, companies appear to view the legislation in a more negative manner, suggesting that they see Sarbanes-Oxley as benefitting their own organizations more than others.

Organizations are divided in their views on whether certain smaller public companies should be exempt from having to comply with Sarbanes-Oxley Section 404(b). Nearly 40 percent believe these requirements should be eliminated for organizations with less than $1 billion in market capitalization. However, more than half of all large accelerated and accelerated filers (companies with a market capitalization of $75 million to $700 million) do not approve of the current Section 404(b) exemption for non-accelerated filers (companies with less than $75 million in market capitalization).

In a large percentage of companies (nearly 70 percent of respondents), the internal control over financial reporting structure has improved since compliance with Sarbanes-Oxley Section 404(b) became a requirement. This is a significant assertion, because it was a key result intended by the U.S. Congress when it enacted Sarbanes-Oxley in July 2002.

Key Strategies and Metrics for Improving the Compliance Process

For most organizations, the number of process-level and entity-level controls dropped significantly between their first year of compliance and fiscal year 2011, as did the number of process controls classified as "key controls." These downward trends in the controls population are to be expected and are likely due to the emphasis on a top-down, risk-based approach supported by the U.S. Securities and Exchange Commission in 2007 to narrow the focus to what really matters.

The reduction in the number of key controls is also expected. The primary dynamic driving this declining trend is the experience curve. As their Sarbanes-Oxley compliance processes mature, companies become better at planning, scoping and recognizing which controls are most important in reducing the risk of material misstatements to their financial statements. This is a good thing, as it focuses attention and monitoring on the controls that really make a difference.

These findings related to reductions in the controls population and the number of key controls may vary depending on the length of time a company has been public. Also, recent Public Company Accounting Oversight Board (PCAOB) inspection results may reverse some of this trending in 2012, as audit firms are giving direction to audit teams in some areas to increase the nature, timing and extent of audit procedures performed.

For example, we are aware of audit firms that are discussing with their audit clients a number of areas where more work is needed, such as (1) increased focus on process documentation, control design assessments and testing for high-risk processes (revenue, inventory, etc.); and (2) understanding and documenting the likely sources of misstatements. These are just two examples; there are others, some or all of which may be attributable to the PCAOB inspection findings.

The point is that, if the audit firms expand their scopes, some companies may reconsider the extent to which they are deploying additional assistance from outside resources, which could have a significant effect on organizations in terms of costs and their deployment of internal resources.

Identifying selected controls related to higher-risk financial reporting assertions (a result of applying a risk-based testing approach) is among the strategies employed most frequently to achieve controls-related reductions. Other strategies include deploying a top-down validation approach (beginning with entity-level controls), eliminating the root cause of exceptions and errors to build quality into the process, and eliminating activities and tasks that are unnecessary or add no value.

The majority of executives surveyed said they also are focusing on automation of their companies' internal controls to realize the full benefit of compliance efforts related to the landmark legislation. In fact, only 17 percent of respondents said they have no plans for further automation. This focus is important, because there continue to be opportunities for organizations to automate more of their key controls, which establishes a proactive/preventive tone to the internal control environment and supports the mission to simplify and streamline business processes.
