
The SOX State of the Nation

Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014 Sarbanes-Oxley Compliance Report.

The Protiviti survey and analysis is interesting, useful, and valuable. If you contact them, they may be able to give you detail customized to your situation.

Not surprisingly, Protiviti has a major focus on how companies are adopting the 2013 update to the COSO Internal Controls – Integrated Framework.

I am surprised, as are the authors, that a large number of organizations “have yet to begin work on gaining an understanding of and implementing” COSO 2013. I join Protiviti in urging every organization subject to SOX to figure out their plan and discuss it with the external auditors a.s.a.p.

I am less surprised, even encouraged, that the majority of those who say they understand COSO 2013 are not anticipating a major increase in the level of work required for SOX compliance in 2014 and beyond. Here, I part ways with Protiviti who seem to believe that the external auditors will require organizations to do a lot more. That, in my opinion, would be a mistake.

Companies need to continue to take a top-down and risk-based approach to SOX, even in the face of COSO 2013, and this need not lead to an increase in the number of key controls included in scope (please see this post and the quotes from Jim DeLoach of Protiviti, Ray Purcell of Pfizer, and Marie Hollein of FEI).

For more on applying a top-down and risk-based approach (as required by PCAOB and SEC) to the COSO 2013 update, please see my May post on the topic. I cover it in detail in my SOX book for the IIA.

Protiviti reports that a large number of companies have, presumably with Audit Committee approval, asked the internal audit team to provide SOX project management and leadership. That is consistent with my reading of the market, from my SOX training classes and interactions on social media.

Protiviti did not address how many internal audit departments are performing SOX testing on behalf of management. My reading is that the majority of organizations are doing this, but that, in contrast with the early years of SOX, internal audit now has sufficient resources to do both the SOX testing and its normal internal audit work.

Protiviti also did not address the extent of external auditor reliance on management testing, especially where that testing is performed by internal audit. They pointed out that the PCAOB, in its October 2013 report, criticized the external audit firms for failing to document their reasons for concluding that management's testers were sufficiently competent and objective for the firms to place reliance on their work. Protiviti seems to assume that as the firms address this documentation issue they will tend to reduce reliance on management testing. I fail to follow their logic.

I am pleased to report that I am now finding a number of companies where the external auditors are placing reliance on management testing for as much as 80% of the key controls work.

Another area where I tend to disagree with Protiviti is the value of automating controls. Protiviti sees this as a significant opportunity, presumably because an automated control only needs to be tested once, instead of the multiple samples required to test a manual control. But this argument overlooks both the high cost of testing automated controls and the fact that they bring additional IT general control risks into scope.

However, overall Protiviti has continued to provide valuable insights into the state of SOX compliance and their report is a useful read.

I welcome your comments.

  1. Robert Moeller
    June 8, 2014 at 8:52 AM

    Despite the close connection between the new COSO Framework and Sarbanes-Oxley internal control requirements, audit and accounting professionals have perhaps not yet given enough emphasis to the importance of the new COSO Framework and its 17 Principles. I am somewhat surprised, as the author of a book on the revised COSO Framework, published by Wiley and released late last December: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118626419.html#

    Although the AICPA talked about the revised Framework after its release, The IIA, at an international level, only talked about the new Framework in a recent posting that presented the revised Framework as a knowledge area to help internal auditors’ careers. Although it was only about six weeks ago, ISACA has now stepped up to the plate on the importance of the new Framework and its soon-to-come implementation due date.

    There is interest and awareness among internal auditors, at a local level, in implementing the new COSO Framework. For example, I recently gave a well-received and well-attended presentation on the new COSO Framework to the Chicago IIA at their One Day Seminar, and I’m scheduled to do the same for ISACA in Chicago as well. However, I have proposed sessions and articles on the importance of the new COSO Framework to several other professional groups, and the responses to these have generally been along the lines of “Thanks but no thanks.”

    Perhaps the original COSO Framework had been with us too long, with its three-dimensional diagram that some find confusing, and the revised Framework looks too much like the old. Professionals at all levels should focus on the revised Framework, its upcoming due date, and how COSO’s 17 Principles mesh with their internal control processes.

    Robert Moeller

  2. Norman Marks
    June 8, 2014 at 9:00 AM

    Robert, my personal view is that too much has been made of the update.

    It is important to recognize the great majority of the 1992 Framework has not changed, especially the definition of internal control.

    Even the Principles are restatements of content that already existed in the 1992 version! It was just not emphasized to the same degree.

    Unfortunately, few commentators (perhaps your presentations are an exception) have noted that the first requirement for effective internal control according to the 2013 update is that risk is managed within acceptable limits. The Principles are a way to consider whether that has been achieved – but they should not be used as a checklist, which is what most people are, unfortunately, doing.

    When migrating to COSO 2013 for SOX, it remains essential to focus on areas where there is at least a reasonable likelihood that a failure could lead to a material error or omission. Using the Principles as a checklist without considering whether a failure would be “important” (the AS5 expression) to the assessment of ICFR is likely to expand the scope of the SOX work beyond what is necessary to prevent or detect a material error or omission.

    I congratulate you if this is your message as well.

  3. Mike Willis
    June 8, 2014 at 11:55 AM

    Disclosure Management applications, being a new technology implemented in the reporting process area, may commonly be overlooked in SOX assessments as both internal and external auditors continue with manual reperformance and tie out procedures and may not fully consider the IT process and controls of these newly implemented reporting systems.

  4. Deb
    June 8, 2014 at 11:15 PM

    I see no cause for surprise at the perceived ‘failure’ of IIA and ISACA to adopt COSO as the ‘mantra’. If these organizations have to cater to an increasingly international audience (as they profess to), they can’t perhaps be expected to pander only to US-centric sensibilities. We should realize that the pain that many filers went through when SOX was mandated, including spiralling costs of implementation (later optimized with wide-ranging benefits), remains a grim reality for mid-level organizations in very many jurisdictions outside North America. How many such organizations can actually vouch that their “risk is managed within acceptable limits” (ref. Norman’s comment above)? And just calling it a ‘revised framework’ does not seem to counteract the proclivity among too many practitioners (including so many of the Big 4 lot) to take the easy way out and just substitute the old SOX checklist with a new one, without making such value judgments, including on “important” failures. Why? Because making such value judgments requires much more core work (perhaps not justified by the billing rates?) and also putting your neck out.
