Sarbanes-Oxley: What Do Financial Executives Really Think?
With the 10th anniversary of the major transformative piece of compliance legislation on the horizon, financial executives assess the effect of its key component, Section 404.
July 30 will mark 10 years since George W. Bush signed into law the Sarbanes-Oxley Act, which introduced the most sweeping changes to financial reporting processes since passage of the U.S. securities laws nearly 70 years earlier.
Section 404, one of the most significant provisions of Sarbanes-Oxley, requires management to report on the effectiveness of internal control over financial reporting (ICFR) and, for many companies, the auditor to attest to management's assertion.
Few executives would want to relive the early days of Section 404 compliance. Until the U.S. Securities and Exchange Commission published its 2007 interpretive guidance, many companies felt beholden to their external auditors for direction as to "what to do" because there wasn't a guidebook for companies to follow.
Those early days were filled with false starts, trial and error, unwanted surprises, tense dialogue and inefficiencies--everything one would expect during a learning process. And that is exactly what the Section 404 compliance experience has proven to be: a learning process.
Naturally, as with all such processes, there have been lessons for companies that have been passed along to others (see the sidebar, "Ten Important Lessons Learned for Improving Section 404 Compliance"). The plethora of conferences, webinars, briefings, white papers and roundtables has played a significant role in facilitating this rite of passage, as those who learned the hard way sought to make it easier for those who followed.
Even the regulators got into the act. The Public Company Accounting Oversight Board (PCAOB) scrapped its rigorous requirements in Auditing Standard No. 2 (AS2) and replaced it with AS5. The SEC, after receiving feedback from two years of roundtables, issued its interpretive guidance for management regarding the evaluation and assessment of ICFR. As lessons have been applied, companies have improved their controls and streamlined compliance.
Section 404 of Sarbanes-Oxley has been a source of debate about its costs and benefits. As the learning curve costs declined and the compliance process became more integrated with the business, the intensity of the debate declined, with one exception--the impact on smaller companies of the auditor attestation provisions of Section 404(b), which require company auditors to issue an opinion on the effectiveness of the audit client's ICFR.
To this point, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued further guidance on the use of its Internal Control--Integrated Framework, focusing in particular on smaller companies. In addition, in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act mandated a study by the SEC to ascertain whether the attestation requirement was necessary and cost effective in providing investor protections for issuers with public float between $75 and $250 million.
Although the final study issued last year recommended retaining the current $75 million threshold--meaning no further exemptions of Section 404(b)--the focus on job creation shifted the debate to reducing the burden on startup companies.
The recently enacted Jumpstart Our Business Startups Act (JOBS Act) exempted certain initial public offerings as so-called "emerging growth companies," enabling these organizations to delay compliance with Section 404(b) for up to five years--with some constituencies pushing back on the basis that steps of this nature reduced investor protections. Needless to say, these emerging growth companies will be watched closely.
What Executives Really Think
With the 10th anniversary of Sarbanes-Oxley's enactment on the horizon, what do executives involved directly or indirectly with Section 404 really think about this provision of the law?
To find out, Protiviti conducted a study to take an in-depth look at the many issues companies address related to the costs and resources required to achieve a stronger internal control environment and improved efficiency and effectiveness in operations. Almost 600 financial, compliance, internal audit and other executives, principally from North America, participated in the study. Three key themes emerged.
* Divergent Views on the Cost-Benefit Question
While first-year compliance costs and efforts are burdensome, over the long term many organizations view the benefits of Sarbanes-Oxley compliance as outweighing the costs. A growing number of organizations are not in favor of exempting certain companies from having to comply with Section 404(b). (Editor's note: the Protiviti survey described here was conducted prior to passage of the JOBS Act.)
Nearly one in three respondents indicated that, for their own organizations, the benefits of Sarbanes-Oxley exceed its costs, with 22 percent reporting that benefits greatly or moderately exceed the costs. Large accelerated filers (companies with more than $700 million in public float) hold slightly more positive views--37 percent believe the benefits outweigh the costs. Among all respondents, approximately half say the costs outweigh benefits in some manner.
When it comes to assessing the law's impact on other companies, respondents view the legislation in a more negative manner, with 64 percent stating that Sarbanes-Oxley's costs outweigh its benefits. This suggests that companies view Sarbanes-Oxley as benefitting their own organizations more than the rest of the public reporting community.
* Positive Changes in the Control Structure
Nearly 70 percent of respondents reported that the ICFR structure in their organizations has significantly or moderately improved since compliance with Sarbanes-Oxley Section 404(b) became a requirement. To a significant extent, these improvements have been driven by efforts to make the control structure more cost effective.
According to the survey, the strategies at least 40 percent of the respondents indicate they used to streamline the control structure and compliance processes are as follows (Note: the percentages provided in parentheses apply to all respondents):
* Maximize lessons learned from previous years/peers (54 percent);
* Use a risk-based testing approach (52 percent);
* Establish process owner accountability (51 percent);
* Tighten overall assessment scope (44 percent);
* Deploy top-down validation approach beginning with entity-level controls and monitoring (43 percent);
* Eliminate the root cause of exceptions and errors to "build in" quality to the process (42 percent);
* Eliminate activities and tasks that are unnecessary or add no value (41 percent);
* Reduce number of key controls (40 percent);
* Reduce the total population of controls (40 percent).
With respect to tactics that significantly or moderately decreased compliance costs, the approaches at least 25 percent of the respondents indicated they used are (Note: the percentages provided in parentheses apply to all respondents): reduce number of key controls (36 percent); reduce the total population of controls (34 percent); tighten overall assessment scope (32 percent); decrease the number of manual controls (30 percent); increase the number of automated controls (29 percent); centralize common processes and functions (26 percent); and consolidate IT processes, platforms and systems (25 percent).
* Top-Down, Risk-Based Approach Driving the Compliance Focus
Respondents were asked to compare the number of entity-level controls versus the number of process-level controls they documented for the first year of compliance and for fiscal year 2011. The results indicate that the number of entity-level controls and process-level controls dropped 52.6 percent and 48.6 percent, respectively, between the two time frames.
With the emphasis on a top-down, risk-based approach supported by the SEC narrowing the focus to what really matters, this downward trend in the controls population is to be expected. PCAOB's AS5 supports this approach. These findings vary depending on the length of time a company has been public.
When asked what percentage of the process controls were classified as "key controls" for the purpose of evaluating the effectiveness of ICFR, respondents also reported a significant drop-off between the first year of compliance and fiscal year 2011. To illustrate:
* 45 percent of respondents reported that during their first year of compliance, more than 75 percent of their controls were key controls; in fiscal 2011, it was 38 percent.
* 10 percent of respondents reported that 20 to 50 percent of their controls were key controls during the first compliance year, whereas in fiscal 2011, it was 18 percent.
As their Sarbanes-Oxley compliance processes mature, companies become better at planning, scoping and recognizing which controls are most important in reducing the risk of material misstatements to their financial statements.
In regard to reducing the overall controls population to the present number of key controls, respondents reported the top two approaches are (1) selecting controls linked to higher-risk financial reporting assertions (68 percent); and (2) consideration of relative risk of material misstatements in selecting controls relating to critical accounts and processes (62 percent).
Where Do Companies Go From Here?
A decade after passage of the Sarbanes-Oxley Act, companies are still learning and working to improve continuously the quality of their internal controls as well as the effectiveness and efficiency of their compliance processes.
The top three benefits companies expect to achieve in the coming fiscal year through Sarbanes-Oxley compliance are (1) enhanced understanding of control design and control operating effectiveness (44 percent); (2) internal audit able to perform more traditional (operational and nonfinancial reporting-related) audits (43 percent); and (3) increased effectiveness and efficiency of operations (42 percent).
Companies plan to employ a variety of tactics to achieve these and other benefits. The top 11 approaches respondents plan to employ this year and beyond to streamline the control structure and compliance process are presented in the table "Strategies to Streamline the Control Structure and Compliance Process."
Notably, automation is at the top of the list. The study indicates that a significantly higher number of large companies report they are at or near the end of their efforts to improve the maturity of their Sarbanes-Oxley compliance processes. This is to be expected given the amount of time these organizations, as large accelerated filers, have invested in compliance relative to accelerated and nonaccelerated filers.
However, automation--in terms of controls, processes, etc.--may represent the "final frontier" for significant improvement opportunities in terms of greater efficiencies and long-term cost savings for companies that have been complying with Sarbanes-Oxley for years. Automation of controls makes sense when there are opportunities to establish a proactive and preventive tone to the internal control environment and support a mission to simplify and streamline business processes. Accordingly, automation is both a quality and efficiency play.
Respondents from most organizations also said they do have plans to automate processes. Therefore, the results for companies planning to automate increase when viewed in the context of both manual processes and controls.
Though Section 404 of Sarbanes-Oxley has been controversial, most would agree it has made life interesting. The good news is that there is a prevalent view that, over the last decade, internal control structures related to financial reporting have improved.
Going forward, the experiences of companies going public as emerging growth companies under the JOBS Act will be well worth watching. It is likely the debate around the Section 404(b) threshold for current filers will continue to get air time in the broader context of the economic recovery.
Ten Important Lessons Learned for Improving Section 404 Compliance
1. Deploy a top-down approach to focus on what's really important.
2. Consider qualitative and quantitative factors to implement a truly risk-based approach in selecting what to evaluate and document.
3. Incorporate prior controls experience into the assessment process.
4. Apply a balanced approach of self-assessment, entity-level monitoring, process-level monitoring and detailed testing techniques to improve reliability of results and ongoing transparency.
5. Allow sufficient time in the process for remediating control deficiencies and retesting improvements.
6. Maximize the quality of communications with the external auditor throughout the process.
7. Treat the compliance effort as a significant project requiring project management discipline.
8. Engage unit managers and process owners in the compliance process and hold them accountable.
9. Improve operational effectiveness and efficiency of upstream financial reporting processes.
10. Automate controls to increase the cost-effectiveness of the controls portfolio.
STRATEGIES TO STREAMLINE THE CONTROL STRUCTURE AND COMPLIANCE PROCESS

| Strategy | Planning to employ in 2012 | Planning to employ beyond 2012 |
| --- | --- | --- |
| Increase in number of automated controls | 20% | 15% |
| Decrease in number of manual controls | 20% | 12% |
| Increase in number of monitoring controls | 18% | 8% |
| Reduction in the total population of controls | 17% | 3% |
| Reduction/streamlining level/quality of documentation | 16% | 6% |
| Reduction in number of key controls | 16% | 5% |
| Tightening of overall scope | 16% | 3% |
| Use of continuous monitoring tools or techniques | 13% | 14% |
| Consolidation of IT processes, platforms and systems | 13% | 12% |
| Eliminate activities and tasks that are unnecessary or add no value | 13% | 7% |
| Use of data mining and analytics to increase understanding of process performance | 12% | 10% |
Brian Christensen is executive vice president of global internal audit in Protiviti's Phoenix office. Jim Deloach is managing director in Protiviti's Houston, Texas, office. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit.