Companies across the country have made major strides toward improving their internal control processes since the Sarbanes-Oxley Act became law 12 years ago. But there are still challenges – and new hurdles that continue to emerge, according to Protiviti’s 2014 Sarbanes-Oxley Compliance Survey.
The most surprising finding is that many organizations have not yet begun to implement the internal control processes of the new COSO 2013 Internal Control-Integrated Framework. The framework, from COSO (Committee of Sponsoring Organizations of the Treadway Commission), consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring.
Nearly half said they had not started to map the COSO 2013 framework principles to focus on the organization’s key controls. Only 16 percent were 75 to 100 percent complete.
One in five firms surveyed said they had no plans to use COSO’s 2013 framework in the next year, and another one in five were unsure.
Organizations need to get the COSO process going sooner rather than later, Protiviti said, so “they can understand what precisely will be involved in transitioning to the updated framework and how to undertake the transition process successfully.”
The Protiviti study, Keeping Pace with SOX Compliance: COSO, Costs and the PCAOB, included the input of more than 600 executives and professionals. Protiviti is a global risk and business consulting firm.
More organizations are continuing to automate their processes, although there is a slight decline in the number who plan to automate IT processes and controls in the coming year. This year, 83 percent said they had plans in place to automate – 7 percent less than last year.
Compliance costs are increasing – 41 percent of respondents said costs had increased more than 20 percent during the past year, and another 43 percent said costs had increased by at least 10 percent.
Of large organizations ($10 billion or greater annual revenues), more than half spend over $1 million a year on SOX compliance. Of all companies surveyed, nearly two-thirds spend $500,000 or less on SOX compliance.
The study also found that many external auditors are making changes to their auditing processes as a result of what they believe are PCAOB inspection reports. Nearly half said they “very much” believed significant changes to Sarbanes-Oxley compliance activities resulted from PCAOB inspections. Only 16 percent felt that was not the case.
Approximately one-third of respondents said there has been an increase in the reliance their external auditor places on documentation, walkthroughs and testing in both the management and internal audit areas.
In the management area, 14 percent saw a decrease in reliance, and 11 percent had a decrease in the internal audit area.