SOX Standardization Elusive: The 2016 State of the SOX/Internal Controls Market Survey

By Mike Rost
The internal controls over financial reporting (ICFR) burden for financial executives has increased at an accelerating pace in the last decade. And although public and private companies grapple with evolving mandates, a survey by The SOX & Internal Controls Professionals Group highlights a gap in uniform approaches to achieve standardization.
The group — a U.S.-based organization of professionals involved in implementing and managing SOX compliance or internal controls — conducted the survey in June 2016 to examine the views of SOX and internal controls professionals on their challenges and the state of SOX compliance today.
The results reflect various levels of process maturity and evolving process discipline as practitioners aspire to modernize and make SOX and internal controls processes more efficient.

Respondents were based primarily in the United States, with 31 percent working in organizations with more than $5 billion in market capitalization, and 28 percent representing organizations with less than $700 million in market capitalization.
Respondents represented all organizational levels, with 82 percent holding the title of manager or above. Of these, 36 percent were at the title of director or higher, including 11 percent of the most senior respondents holding the title of vice president or C-level executive. Some of the key findings include:
• External audit fees are increasing. While the cost of compliance varies across industries and company sizes, external audit costs are increasing due to heightened focus by the Public Company Accounting and Oversight Board (PCAOB) on inspections and continued organizational control failures.
• Changing requirements from external auditors is a significant challenge. Increased scrutiny and inspections from the PCAOB, and continuous development of the COSO internal control framework, have forced external audit to evolve its expectations and information requests.
• Organizations’ SOX/IC processes vary in complexity. There is clearly no one-size-fits-all process for SOX and internal controls. Respondents show a wide range of complexity in the number of controls and time spent on the process.
• Improving efficiency of the SOX function is the top priority. 80 percent of survey respondents reported improving the efficiency of the SOX function as their top priority for the coming year — but many struggle to figure out how best to do this.
Challenges and Priorities
Respondents reported their top three compliance challenges to be:
  • Changing requirements from external audit
  • Increased focus on cyber and IT control
  • Increased focus on risk management

With increased scrutiny and inspections from the Public Company Accounting and Oversight Board (PCAOB) and continuous development of the COSO internal control framework, it is no surprise to see an evolution in external audit’s expectations from their clients. These changing expectations can cause an increase in audit fees.
What are the most significant SOX/IC compliance challenges that you see for the year ahead?

Respondents said one of the largest SOX-related costs is the amount spent on compliance, including external resources such as consultants and auditing fees.
What is the company’s annual spend for SOX/IC compliance, including any consulting and external audit fees?

Over 61 percent of respondents reported spending $1.5 million or less annually, while another 15 percent spend over $1.6 million. The remaining 24 percent of respondents do not know their organization’s annual spend.
For your previous fiscal year, what change (if any) did you experience in your external audit fees?

Asked about changes in external audit fees, 58 percent of respondents reported an increase from the previous fiscal year, 9 percent indicated a decrease in fees, and the remaining 33 percent noted no change in external audit fees. The increases or decreases in external audit fees ranged from 1–15 percent.
Increases in external audit fees could be caused by several factors, including control failures and changing requirements from external audit as a result of increasing pressure from PCAOB inspections.
What are your top priorities for the year?

80 percent of survey respondents identified improving the efficiency of the SOX function as their top priority for the coming year. This is followed by:
• Ensuring compliance with SOX and other regulators
• Strengthening organizational relationships across SOX owners
• Building on talent and skills
What’s most interesting about this information is how it aligns to the challenges the SOX and internal controls market faces today. Ensuring compliance is a top objective as well as a challenge, which increasingly includes cyber/IT security and risk management efforts.

Efficiency gains in a mature function are, by nature, difficult to achieve. The benefits of these efficiency gains are both tangible and intangible, resulting in improved controls and lower cost structures. Yet the means of attaining such efficiencies remains a challenge. Many organizations are starting to pursue new technology as a means of increased efficiency and productivity.
Process Complexity
As with the challenges, the complexity of the internal controls environment highlighted by respondents varied considerably. A little less than half, 44 percent, reported their organizations manage between 101 and 250 controls. 25 percent of the respondents reported they manage 500 or more controls, with 5 percent managing over 1,000 controls.
What are the total number of controls in your environment?

What percentage of your control tests are related to IT processes or cyber/information systems?

When asked what percentage of those controls related to information technology (IT), over half of respondents selected zero to 25 percent.
What is the total number of controls that are tested internally (i.e., without external third-party assistance)?

41 percent of survey respondents reported they test between zero and 100 controls, 27 percent test 251–500 controls, and 23 percent test 101–250 controls internally.
On average, how many hours do you spend annually on:

The survey asked about the number of hours spent managing separate SOX/internal control-related processes. The results show the time spent for these processes ranges from less than 5 hours to more than 20 hours per control. The most time comes in the area of control testing and remediation of control issues.
More than 40 percent of those surveyed reported they spend 11 hours or more per control on the remediation of control issues. 65 percent reported they spend 5 hours or more per control on control testing. The least amount of time spent per control in the process was in the areas of control design and control reporting.
Involvement of Internal Audit
Based on survey responses, there is a fairly equal distribution of functional ownership of the SOX and internal controls process between internal audit (31 percent), SOX compliance (31 percent), and financial reporting teams (29 percent). Roughly 7 percent of organizations manage the process outside of these functions, including legal, risk management, accounting, or a dedicated internal team.
What department is in charge of managing SOX/IC compliance at your organization?

Is internal audit involved in the SOX/IC program?

Roughly 86 percent of survey respondents indicated the involvement of internal audit throughout the SOX compliance process. When internal audit is involved, respondents were asked to list the processes in which internal audit participates. 85 percent recorded involvement in the testing and roll-forward processes, followed by 64 percent in walkthroughs.
These areas align well with internal audit’s strengths. Other areas include coverage of testing through operational audits, Service Organization Controls (SOC) report testing, and overall project and program management and methodology.
However, the data suggest internal audit is less involved in the areas of risk assessments, reporting, and planning/scoping. This suggests an opportunity for greater collaboration with internal auditors throughout the SOX and internal controls compliance process.
How is internal audit involved with your SOX/IC program?

Maturity of Risk Management
With increased focus on risk management driven by many management teams and the implementation of the 2013 COSO enterprise risk management framework, it comes as a surprise that many organizations do not yet have robust processes and resources.

Of those surveyed, only 10 percent of respondents claim to have an embedded risk management framework and resources in place. Furthermore, 43 percent have some form of a program implemented, but require additional work and resources to advance the maturity of their risk functions.
With a majority of organizations maturing their risk management processes, SOX and internal control teams have an opportunity to lead the charge in risk maturity and drive to standardized processes.
By embracing a robust risk function, SOX and internal control teams may benefit from reducing efforts on controls with minimal risk and demonstrate a performance-oriented approach that may drive business value.
How would you rate the maturity of your organization’s risk management function?

Role of Technology
As expected, all of the respondents indicated they use some sort of technology to support their compliance processes. A high number of organizations (70 percent) rely on desktop applications, such as Microsoft Word and Excel, to support their processes. More than half have modernized their SOX/IC processes and use cloud-based software (51 percent), and only 15 percent use a dedicated GRC platform.
What is the primary technology tool(s) that you utilize to support your SOX/IC process?

As highlighted by these survey results, there is no one-size-fits-all answer to the question, “What is the standard approach to managing SOX and internal control compliance?” Organizations are unique in their SOX and internal control compliance practices. The state of the SOX market is evolving as increased regulatory scrutiny on inspections and development of frameworks continue, and tools emerge.
Compliance efforts require a significant investment of resources for many organizations, both in hours and, where possible, dollars. Across the board, organizations are seeing a consistent increase in external audit fees driven by changing requirements from external auditors. These changes are placing additional pressure and asks on SOX and controls management practitioners and are forcing them to do more with fewer resources.
Sarbanes-Oxley was created to improve the quality and reliability of the processes and controls over financial reporting functions within each organization. As pressure continues to build, organizations look to optimize the efficiency of the SOX function and see that as the top priority for the coming year.
Mike Rost, Vice President of Corporate Marketing at Workiva, is a key contributor to product strategy and works with business leaders in the areas of governance, risk, and compliance.