It’s been 12 years since the passage of the Sarbanes-Oxley Act and, depending on the organization, approximately a decade since companies have been required to comply with the internal control over financial reporting standards as set forth in SOX Section 404. In many respects, companies have made notable strides in automating and standardizing their controls and processes to make the SOX compliance effort as effective and efficient as possible. Yet, different hurdles continue to emerge. As revealed in the results of Protiviti's 2014 Sarbanes-Oxley Compliance Survey, the Public Company Accounting Oversight Board’s (PCAOB) Staff Audit Practice Alert 11, “Considerations for Audits of Internal Control Over Financial Reporting” (which reports on the board’s inspections of 2012, 2011 and 2010 audits of internal control over financial reporting as performed by external audit firms), along with the introduction of COSO’s new 2013 Internal Control – Integrated Framework, is introducing new dynamics that organizations are continuing to address.
Interestingly, many companies appear to be moving rather slowly to adopt the new COSO framework, even though it is recommended for fiscal year-end dates beginning on or after December 15, 2014. Of note, the Securities and Exchange Commission (SEC) has specifically pointed out that it is monitoring the transition by issuers to the new framework as part of their documenting internal control over financial reporting. In this report, we offer detailed breakdowns of this and numerous other findings by filer status and company size.
Our key findings this year include: Companies are getting started, albeit slowly, with implementing the new COSO framework; There is measurable fallout from the PCAOB’s inspection reports; Compliance costs are going up but are still manageable for many; Organizations continue to automate more processes and controls.