The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, placed responsibility for financial reporting upon the CEOs and CFOs of publicly traded companies following the corporate accounting scandals of Enron (2001) and WorldCom (2002). The passage of SOX also marked the end of self-regulation of public accounting firms, established independent oversight through creation of the Public Company Accounting Oversight Board (PCAOB), and introduced standards for corporate responsibility and external auditor independence.
While SOX has increased transparency and accountability in corporate governance following 2002, fulfilling SOX requirements has brought significant challenges for management in terms of costs, resources, and departmental organization. This article will discuss the challenges of meeting these requirements as well as ways organizations can drive efficiencies in their compliance programs that contribute to an efficient annual SOX audit.
SOX Compliance Requirements and Internal Audit
SOX Section 404 requires management to establish an internal control structure to ensure the accuracy of financial reports and disclosures, as well as provide an assessment of the effectiveness of that internal control structure. To ensure compliance, SOX law specifically requires:
- Quarterly certification by management of a) financial reporting controls and b) disclosure controls and procedures (Section 302).
- An annual, independent SOX audit by a registered public accounting firm producing an attestation and report on management’s assessment of its internal controls (Section 404(b)). This audit must be conducted separately from internal audits and should be performed by an independent external auditor who is approved by the PCAOB.
The Internal Audit function is considered a part of an organization’s internal control system, and its work is reviewed in the internal control assessments of management and the external auditor. Internal Audit helps management monitor SOX compliance by testing SOX controls to evaluate their effectiveness on a year-round basis. In doing so, internal auditors play a significant role in providing assurance to management and the audit committee regarding the effectiveness of the state of internal control, risk management and governance.
Challenges of Preparing for the SOX Compliance Audit
Due to the extensive nature of these requirements, internal auditors face pain points every year in preparation for the SOX audit. Research performed on SOX compliance over the last decade by global consulting firm Protiviti indicates the level of cost and effort in SOX compliance has not significantly decreased for organizations since the advent of SOX. The following is a list of common trends and challenges of complying with SOX, as highlighted in Protiviti’s latest annual SOX survey:
- Internal costs. Average annual internal costs of managing SOX compliance programs in 2019 ranged from $480,000 to over $2 million, depending on company size.
- External audit costs. In 2019, the cost of hiring external auditors to perform the annual SOX audit increased by 10% or more for many organizations.
- Increasing hours spent on compliance, due to external changes to accounting and auditing standards.
- Increasing key control counts.
- Manual processes, specifically highly repetitive administrative activities, pose a major obstacle to SOX program efficiency.
How to Prepare for a Smooth SOX Audit: A Checklist
Below is a high-level list of considerations for management and the internal audit team as they plan ahead for the annual SOX audit:
- Meet with your external auditors to examine scoping and agreed-upon SOX testing procedures for the year and establish timelines.
- Meet with your internal business owners to update walkthroughs for business processes and IT applications that will be in scope.
- Follow up on open issues and SOX controls that were deficient in the prior year to ensure they were remediated.
- Evaluate SOX compliance solutions to help you automate your audit trail and simplify your program.
Improving SOX Audit Efficiency Using SOX Compliance Software
The administrative burden of managing SOX compliance using Microsoft Word, Excel, emails and SharePoint is increasingly being perceived as the old way of managing SOX. Technology advancements driving automation across the organization present SOX compliance stakeholders with an opportunity to automate and move toward what is being referred to as “SOX compliance 2.0.” According to Protiviti, Internal Audit functions that proactively and effectively implement SOX software to automate repetitive manual processes can actually strengthen assurance provided to management and maximize the information external auditors rely on in their assessments, improving overall SOX audit efficiency.
Due to the seriousness of penalties of noncompliance, including removal from listings on public stock exchanges, invalidation of corporate insurance policies, and fines upward of $5 million and up to 20 years in prison for CFOs and CEOs, SOX compliance remains both a priority and a challenge for companies.