Sarbanes-Oxley compliance once was thought to be a relatively static, predictable process that organizations could rely on to be routine and, for the most part, static. Yet market and regulatory changes continue to make this a more dynamic process, with costs and hours continuing to rise for many organizations.
How can companies face the future with confidence by managing costs, hours and expectations regarding their Sarbanes-Oxley compliance processes? It starts with understanding not only their organizations and business transformation efforts, but also the requirements set forth by the PCAOB and the revised internal control framework, as well as evolving expectations of the external auditors.
Protiviti's annual Sarbanes-Oxley compliance survey looks deeply into areas including costs, hours and control environments of a broad spectrum of organizations.
Among the notable findings this year:
- Sarbanes-Oxley costs vary…a lot: Overall, nearly one in three organizations spends $500,000 or less annually on Sarbanes-Oxley compliance, and just under half spend less than $1 million. Yet this doesn’t tell the whole story. A significant number of large companies spend $2 million or more per year, as well as organizations from industries including insurance and telecommunications.
- External audit fees continue to rise for many: However, this also varies significantly by organization size and Sarbanes-Oxley filing status, among other factors.
- Hours continue to rise: Many organizations devoted more hours to SOX compliance in their latest fiscal year compared to prior years. One possible explanation is that organizations invested more time to ongoing implementation of the new COSO internal control framework.
- Internal control structures and business processes have improved as a result of Sarbanes-Oxley compliance: A majority of organizations with mature SOX compliance processes have improved their internal control over financial reporting, and most organizations are leveraging their SOX compliance efforts to drive continuous improvement of their business processes.
- Many organizations are planning to automate controls: Well over half of organizations, in every category shown, have at least moderate plans to automate manual processes and controls in fiscal year 2016.
Throughout our report, in addition to results by different organization sizes and types, we provide overall findings that are results for publicly held companies. This differs from prior years of this survey, in which we provided results for all survey respondents. In assessing our study and the feedback from the market, it was determined that overall results that focus specifically on public companies (as opposed to private, not-for-profit, educational and governmental organizations) provide a more accurate and realistic view of Sarbanes-Oxley compliance and data trends.