by Roy Harris

What Recession? Sarbox Compliance Appears Unhurt By Pressure

Jun 21, 20114 mins
ComplianceIT LeadershipIT Strategy

The recession's many corporate pressures didn't have any impact on the Sarbanes-Oxley compliance work of finance and audit executives, according to research by the internal audit and consulting firm Protiviti.

The recession’s many corporate pressures didn’t have any impact on the Sarbanes-Oxley compliance work of finance and audit executives, according to research by the internal audit and consulting firm Protiviti.

The results were definitive, with 89% of the more than 400 respondents to its “2011 Sarbanes-Oxley Compliance Survey” saying that compliance wasn’t hurt, and 45% actually saying that internal control over financial reporting at their companies is better now than a year ago.

Companies represented in the research, compiled in the first quarter, have a range of annual revenues from lower than $100 million to more than $20 billion. And the respondents tend to have significant Sarbox experience, with 79% of them having worked for companies in at least their fourth year of compliance, and with 83% or them representing large or accelerated filers. Besides executives, respondents were corporate leaders of Sarbox-related work, and audit professionals from a number of industries.

Strategies and Tactics

The survey was designed to assess “the strategies and tactics companies have employed to derive value” from the Sarbox compliance process, according to Proviti, a unit of Robert Half International. The research also looks at related costs and associated benefits. The second edition of the two-year-old report added a section on the impact of 2009’s economic events on compliance, and on the exemption of non-accelerated filers under Section 404(b) as stipulated in the Dodd-Frank Act.

Nine years after Sarbox’s passages, the research shows that “companies remain committed to continuously improving their compliance efforts — despite ongoing economic challenges and global instabilities,” said Bob Hirth, Protiviti executive vice president and leader of the firm’s global internal audit and financial controls practice. “Organizations’ systems of internal control over financial reporting need to be dynamic and constantly improved in order to effectively react to and address changes in operations and the external environment, such as new regulations, technology, accounting principles, industry issues and business models.”

Hirth added, though, that “it may take a number of years to gain a clear picture of the effects the global economic crisis may have created. If an organization reduced its workforce or streamlined its processes with a resulting effect on its internal control structure, mistakes may increase over time. Given this, it will be interesting to monitor these survey results over the next few years to see what patterns develop.”

Spend a Little, Spend a Lot

The research also indicated that most organizations are spending from $100,000 to $1 million a year on Sarbox compliance activities, with more than 80% of small companies in that lowest spending category, and nearly 70% of mid-sized companies spending less than $500,000 on Sarbox compliance.

Regardless of size of the length of their compliance process, companies plan to reduce compliance costs in the coming year, but that reduction is expected to be nominal — less than 10% on average.

Among other findings:

* Compared to 2010 survey results, more companies are applying COSO (Committee of Sponsoring Organizations) guidance on monitoring internal control systems, and one in three reports this is having a positive impact on their Sarbox compliance activities.

* About 50% of organizations handle Sarbox compliance internally, a relatively consistent statistic regardless of size.

* Among non-accelerated filers — which became exempt from having to comply with Section 404(b) of Sarbox (auditor attestation of internal control over financial reporting) with last July’s passage of the Dodd-Frank Act — 56% reported their organizations were “very prepared” to comply when the Dodd-Frank exemption was declared, while 29% said they were “somewhat prepared.” These same filers, however, noted that areas related to IT and automation — including IT general controls, spreadsheet controls, and segregation of duties — would have required the most attention had they been required to comply with Section 404(b).

“While non-accelerated filers currently are exempt under law from the need to comply with Section 404(b), the question is whether this exemption is permanent,” said Jim DeLoach, Protiviti managing director and the firm’s senior SOX practice leader as well as a key survey architect.

“If restatements by these filers were to trend upwards and restatements by companies complying with Section 404(b) were to continue trending downward,” he added, “Congress could decide to revisit whether a new law should be enacted to mandate compliance.” Further, “an organization cannot rule out the possibility that it could grow beyond non-accelerated filer status and, as a result, be compelled to comply with Section 404(b).”