Prodded by increasing inspection report requirements placed on their outside auditors by the Public Company Oversight Board, senior finance and accounting executives say companies are tightening their Sarbanes-Oxley compliance efforts, according to a report by Protiviti issued earlier this week.
Seventy-five percent of the survey respondents whose companies’ external auditors required them to significantly boost their Sarbox compliance activities attributed the increased activity to heightened PCAOB auditor report requirements .
Further, 64% of the respondents to the survey say their companies’ outside auditors are focusing more on evaluating their companies’ control deficiencies under Sarbox. Enacted in 2002, the law which created the PCAOB requires public company managers to assess the effectiveness of their companies’ internal controls over financial reporting. The law also requires auditors to attest to, and report on, management’s internal controls assessment.
The report, Fine-Tuning SOX Costs, Hours and Controls, is based on 468 responses by public-company audit and finance executives to an online survey conducted in the first quarter of this year. Besides pressure from the PCAOB, the Financial Accounting Standards Board’s revenue recognition standard and the increased prominence of cybersecurity risks are prompting companies to boost their Sarbox compliance efforts, according to the report.
Concerning the revenue recognition standard, which goes into effect for many public companies in December 2017, 56% of the respondents said their companies launched the process of updating their controls documentation in 2016 in time to comply with the rule. Twenty-six percent reported that their companies were significantly increasing their testing of controls over the application of revenue recognition policies.
A growing number of companies are issuing cybersecurity disclosures, according to the report. Of those that issued disclosures, 15% (compared with 5% in 2015) increased their hours spent on Sarbox compliance by more than 20%. Of those companies that were required to issue a cybersecurity disclosure, nearly 33% experienced an increase of at least 16% in hours spent on complying with the act.