Fine-tuning the SOX compliance process

The annual Sarbanes-Oxley (SOX) Compliance Survey released by Protiviti reveals a new set of challenges facing public companies amid their compliance efforts.

PCAOB audit requirements, new revenue recognition standards and cybersecurity concerns were cited by survey respondents as factors that will influence SOX compliance efforts in 2017. However, companies are seeing the benefits of their SOX compliance work, with 70 percent reporting that their internal control over financial reporting structure has improved and 50 percent realizing continued improvement of business processes.

The survey report is based on a survey completed by 468 chief audit executives, and internal audit and finance leaders and professionals in U.S.-based public companies in a wide range of industries in the first quarter of 2017. Seventy-two percent of respondents’ companies have annual revenues of $1 billion or more and 78 percent are beyond their second year of SOX compliance.

Respondents looked back on their organizations’ SOX compliance efforts for the prior fiscal year – with attention to the factors potentially influencing observed changes in resources spent. The in-depth Protiviti report maps out the dynamic and evolving compliance landscape, 15 years after SOX was signed into legislation.

“SOX requirements and practices have changed with the times, and we’re pleased to see that many companies are reaping the benefits of their compliance efforts, which is also good news for investors,” said Brian Christensen, executive vice president, global internal audit and financial advisory at Protiviti. “By creating streamlined and lean processes, companies can respond to new and emerging business or regulatory challenges with agility. Conversely, those who aren’t following this model and are instead always playing catch-up may struggle to remain competitive over time.”

Three emerging factors affecting SOX compliance

PCAOB requirements: Increasing inspection report requirements placed on external auditors by the PCAOB have resulted in stricter compliance activities for many organizations. In fact, 75 percent of firms whose external auditors required significant changes to SOX compliance activities attribute this increase to PCAOB changes. In particular, 64 percent of survey respondents say their external auditors are placing more focus on evaluating deficiencies.

Revenue recognition: A narrow majority (56 percent) of public companies started the process of updating controls documentation in 2016, ahead of the new revenue recognition accounting standard going into effect for most companies in the next fiscal year. Those who completed the antecedent work to meet the new standard have already identified gaps and updated critical accounting policies; 26 percent noted extensive or substantial increases in testing of controls over application of revenue recognition policies.

Cybersecurity: With the growing prevalence of cyberattacks and breaches during the last year came increasing scrutiny from external auditors, management and boards of directors. As cybersecurity grows beyond an IT concern into a fundamental business issue across the enterprise, it’s not surprising that survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016. Of those who issued disclosures, 15 percent (compared to just 5 percent in 2015) increased their hours spent on SOX compliance by more than 20 percent. Overall, of those companies that had to issue a cybersecurity disclosure, nearly one out of three experienced an increase of at least 16 percent in SOX compliance hours.