What Recession? Sarbox Compliance Appears Unhurt by Pressure

In fact, 45% of executives and other players tell Protiviti that internal control improved at their companies last year.

The recession's many corporate pressures didn't have any impact on the Sarbanes-Oxley compliance work of finance and audit executives, according to research by the internal audit and consulting firm Protiviti.

The results were definitive, with 89% of the more than 400 respondents to its "2011 Sarbanes-Oxley Compliance Survey" saying that compliance wasn't hurt, and 45% actually saying that internal control over financial reporting at their companies is better now than a year ago.

Companies represented in the research, compiled in the first quarter, have a range of annual revenues from lower than $100 million to more than $20 billion. And the respondents tend to have significant Sarbox experience, with 79% of them having worked for companies in at least their fourth year of compliance, and with 83% of them representing large or accelerated filers. Besides executives, respondents were corporate leaders of Sarbox-related work, and audit professionals from a number of industries.

Strategies and Tactics

The survey was designed to assess "the strategies and tactics companies have employed to derive value" from the Sarbox compliance process, according to Protiviti, a unit of Robert Half International. The research also looks at related costs and associated benefits. The second edition of the two-year-old report added a section on the impact of 2009's economic events on compliance, and on the exemption of non-accelerated filers under Section 404(b) as stipulated in the Dodd-Frank Act.

Nine years after Sarbox's passage, the research shows that "companies remain committed to continuously improving their compliance efforts -- despite ongoing economic challenges and global instabilities," said Bob Hirth, Protiviti executive vice president and leader of the firm's global internal audit and financial controls practice. "Organizations' systems of internal control over financial reporting need to be dynamic and constantly improved in order to effectively react to and address changes in operations and the external environment, such as new regulations, technology, accounting principles, industry issues and business models."

Hirth added, though, that "it may take a number of years to gain a clear picture of the effects the global economic crisis may have created. If an organization reduced its workforce or streamlined its processes with a resulting effect on its internal control structure, mistakes may increase over time. Given this, it will be interesting to monitor these survey results over the next few years to see what patterns develop."

Spend a Little, Spend a Lot

The research also indicated that most organizations are spending from $100,000 to $1 million a year on Sarbox compliance activities, with more than 80% of small companies in that lowest spending category, and nearly 70% of mid-sized companies spending less than $500,000 on Sarbox compliance.

Regardless of size or the length of their compliance process, companies plan to reduce compliance costs in the coming year, but that reduction is expected to be nominal -- less than 10% on average.

Among other findings:

* Compared to 2010 survey results, more companies are applying COSO (Committee of Sponsoring Organizations) guidance on monitoring internal control systems, and one in three reports this is having a positive impact on their Sarbox compliance activities.

* About 50% of organizations handle Sarbox compliance internally, a relatively consistent statistic regardless of size.

* Among non-accelerated filers -- which became exempt from having to comply with Section 404(b) of Sarbox (auditor attestation of internal control over financial reporting) with last July's passage of the Dodd-Frank Act -- 56% reported their organizations were "very prepared" to comply when the Dodd-Frank exemption was declared, while 29% said they were "somewhat prepared." These same filers, however, noted that areas related to IT and automation -- including IT general controls, spreadsheet controls, and segregation of duties -- would have required the most attention had they been required to comply with Section 404(b).

"While non-accelerated filers currently are exempt under law from the need to comply with Section 404(b), the question is whether this exemption is permanent," said Jim DeLoach, Protiviti managing director and the firm's senior SOX practice leader as well as a key survey architect.

"If restatements by these filers were to trend upwards and restatements by companies complying with Section 404(b) were to continue trending downward," he added, "Congress could decide to revisit whether a new law should be enacted to mandate compliance." Further, "an organization cannot rule out the possibility that it could grow beyond non-accelerated filer status and, as a result, be compelled to comply with Section 404(b)."

Stories by Roy Harris