Survey: Businesses Say SOX Beneficial but Challenging

The annual Sarbanes-Oxley (SOX) Compliance Survey released by global consulting firm Protiviti reveals a new set of challenges facing public companies amid their compliance efforts.

PCAOB audit requirements, new revenue recognition standards and cybersecurity concerns were cited by survey respondents as factors that will influence SOX compliance efforts in 2017. However, companies are seeing the benefits of their SOX compliance work, with 70% reporting that their internal control over financial reporting structure has improved and 50% realizing continued improvement of business processes.

The survey report, Fine-Tuning SOX Costs, Hours and Controls, is based on a survey completed by 468 chief audit executives, and internal audit and finance leaders and professionals in U.S.-based public companies in a wide range of industries in the first quarter of 2017.

Of the respondents’ companies, 72% have annual revenues of $1 billion or more and 78% are beyond their second year of SOX compliance. Respondents looked back on their organizations’ SOX compliance efforts for the prior fiscal year – with attention to the factors potentially influencing observed changes in resources spent. The in-depth Protiviti report maps out the dynamic and evolving compliance landscape, 15 years after SOX was signed into legislation.

“SOX requirements and practices have changed with the times, and we’re pleased to see that many companies are reaping the benefits of their compliance efforts, which is also good news for investors,” says Brian Christensen, executive vice president, global internal audit and financial advisory at Protiviti. “By creating streamlined and lean processes, companies can respond to new and emerging business or regulatory challenges with agility. Conversely, those who aren’t following this model and are instead always playing catch-up may struggle to remain competitive over time.”

The Protiviti 2017 survey report identifies three emerging factors affecting SOX compliance:

  • PCAOB Requirements: Increasing inspection report requirements placed on external auditors by the PCAOB have resulted in stricter compliance activities for many organizations.
  • Revenue Recognition: A narrow majority (56%) of public companies started the process of updating controls documentation in 2016, ahead of the new revenue recognition accounting standard going into effect for most companies in the next fiscal year. Those who completed the antecedent work to meet the new standard have already identified gaps and updated critical accounting policies; 26% noted extensive or substantial increases in testing of controls over application of revenue recognition policies.
  • Cybersecurity: With the growing prevalence of cyberattacks and breaches during the last year came increasing scrutiny from external auditors, management and boards of directors. As cybersecurity grows beyond an IT concern into a fundamental business issue across the enterprise, it’s not surprising that survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016. Of those who issued disclosures, 15% (compared to just 5% in 2015) increased their hours spent on SOX compliance by more than 20%. Overall, of those companies that had to issue a cybersecurity disclosure, nearly one out of three experienced an increase of at least 16% in SOX compliance hours.