The SOX State of the Nation
Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014 Sarbanes-Oxley Compliance Report.
The Protiviti survey and analysis is interesting, useful, and valuable. If you contact them, they may be able to give you detail customized to your situation.
Not surprisingly, Protiviti has a major focus on how companies are adopting the 2013 update to the COSO Internal Controls – Integrated Framework.
I am surprised, as are the authors, that a large number of organizations “have yet to begin work on gaining an understanding of and implementing” COSO 2013. I join Protiviti in urging every organization subject to SOX to figure out their plan and discuss it with the external auditors a.s.a.p.
I am less surprised, even encouraged, that the majority of those who say they understand COSO 2013 are not anticipating a major increase in the level of work required for SOX compliance in 2014 and beyond. Here, I part ways with Protiviti who seem to believe that the external auditors will require organizations to do a lot more. That, in my opinion, would be a mistake.
Companies need to continue to take a top-down and risk-based approach to SOX, even in the face of COSO 2013, and this need not lead to an increase in the number of key controls included in scope (please see this post and the quotes from Jim DeLoach of Protiviti, Ray Purcell of Pfizer, and Marie Hollein of FEI).
Protiviti reports that a large number of companies have, presumably with Audit Committee approval, asked the internal audit team to provide SOX project management and leadership. That is consistent with my reading of the market, from my SOX training classes and interactions on social media.
Protiviti did not address how many internal audit departments are performing SOX testing on behalf of management. My reading is that the majority of organizations are doing this but, in contrast with the early years of SOX, now have sufficient resources to do both SOX testing and their normal internal audit work.
Protiviti also did not address the extent of external auditor reliance on management testing, especially where performed by internal audit. They pointed out that the PCAOB, in their October 2013 report, criticized the external audit firms for failing to document their reasons for assessing management testing to be sufficiently competent and objective for them to place reliance. Protiviti seems to assume that as the firms address this issue they will tend to reduce reliance on management testing. I fail to follow their logic.
I am pleased to report that I am now finding a number of companies where the external auditors are placing reliance on management testing for as much as 80% of the key controls work.
Another area where I tend to disagree with Protiviti is the value of automating controls. Protiviti sees this as a significant opportunity, presumably because automated controls only need to be tested once instead of the multiple tests required of manual controls. But this argument overlooks both the high cost of testing automated controls and the fact that they bring more IT general controls risks into scope.
However, overall Protiviti has continued to provide valuable insights into the state of SOX compliance and their report is a useful read.
I welcome your comments.