March 19, 2018
By Jason Bramwell
As we approach the “sweet sixteen” of the Sarbanes-Oxley Act later this summer, corporate controllers provided some perspective on how SOX compliance efforts have changed with the times and what challenges they continue to face.
“I’ve seen quite a few SOX changes through the years and improvements to internal controls since the original COSO framework was launched in 1992,” said Cheryl Kerr, CPA, controller at Pursuit Collection, a Denver-based company that operates attractions, lodges and hotels, and sightseeing tours in Alaska, Montana, and western Canada. “Internal controls are necessary to mitigate risk and when they are well-designed, they give you peace of mind that your financials are correct. The framework provides a uniform model to promote efficient and effective controls.”
Brian Christensen, executive vice president of global internal audit and financial advisory at consulting firm Protiviti, said most companies at this point are doing a fairly good job of responding to the needs of the SOX requirements.
“I think we’ve gotten to the point where people understand and appreciate what’s there,” he said. “It’s now moving into how do we continue to improve the efficiencies?”
But back when SOX became law on July 30, 2002, Debbie Smith, PMP, corporate controller of Phoenix-based BeyondTrust, a provider of cybersecurity threat management software, remembers organizations scrambling to figure out how to become compliant.
“There was a lot of uncertainty and resistance. So, I would say the first several years most of the focus and effort was on compliance,” she said. “Probably three to five years post-enactment, organizations started to settle and get perspective. The tone was changing. Organizations were meeting the minimum needed for compliance and the environment started shifting into areas identified for efficiency and improvement, such as standardizing key processes and controls, reducing complexity, increasing documentation and training, and ensuring an effective control environment. Compliance became the result of that effort, not the driving force.”
AS 5 and SOX audits
To CPA David Lloyd, a significant SOX compliance development occurred in 2007 when Auditing Standard No. 5 was adopted by the Public Company Accounting Oversight Board, which was created as part of SOX.
AS 5, which is used by auditors when auditing internal controls over financial reporting, replaced Auditing Standard No. 2, which was considered “unduly expensive and inefficient.”
“Approaches were fairly stringent in the first few years [of SOX], but that relaxed quite a bit with AS 5,” said Lloyd, vice president, corporate financial controller, and treasurer of Greif Inc., a Delaware, Ohio-based company that produces and sells industrial packaging products and services. “AS 5 provided for a more top-down, risk-based approach to the SOX audit. AS 5 was designed to reduce costs by allowing auditors to focus on the most important issues and simplify their procedures.”
He also noted that the requirements that get passed along to companies through the PCAOB inspection process and the updated 2013 COSO Internal Control—Integrated Framework have raised the bar in SOX compliance in recent years.
“Both have really added to the complexity and the level of effort required for compliance,” Lloyd said. “One recent example from the last few years is around key reports that are used in the operation of controls. There’s been more attention recently on documenting parameters, such as correct dates and correct entities, instead of just the testing of report logic.”
COSO framework’s impact
COSO’s original framework, released in 1992, satisfied the U.S. Securities and Exchange Commission’s rules for implementing internal controls over financial reporting in accordance with SOX Section 404.
At the core of the 1992 framework were the five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Although effective, the framework started to show its age, according to Kerr and others.
“The COSO framework was published and adopted as the uniform framework for internal controls. As companies began to migrate to a similar control framework, you saw consistencies in controls,” Kerr said. “We had that original COSO framework for many years before it was revised. It had become outdated and didn’t address significant business changes, particularly in the area of IT general controls and compliance. When they revised it in 2013, the framework became more robust and appropriate for today’s business climate.”
The 2013 COSO framework contains 17 principles that explain the concepts associated with the framework’s five main components—one of which, No. 11, is “selects and develops general controls over technology.”
And unlike the 1992 framework, the 2013 framework includes the concept of considering the potential for fraud risk when assessing the organization’s risk objectives.
“The 2013 COSO framework put some more onus on management in the area of fraud control in the revamped framework,” Kerr said. “So, you saw that big shift a few years ago to the new COSO framework, and companies had to identify their controls and map them to the new framework.”
From an operational perspective, Kerr said one of the biggest changes she’s seen over the past 15 years, other than COSO’s influence over the framework, is the way businesses and auditors are working together to ensure the control framework is right-sized.
“You don’t want a proliferation of excessive controls that aren’t really providing any risk mitigation or a control framework that is too minimal,” she said.
“It’s all about right-sizing your control framework and identifying those controls that are key within the framework to prevent financial statement misrepresentation,” Kerr continued. “You used to hear a lot, ‘The auditors made me do it.’ Well, auditors aren’t making us do anything that we shouldn’t be doing. These are our controls and we own them, we design them, and we work with the auditors to ensure our framework mitigates our risk.”
She also noted that getting IT and business process people on the same page will result in a more aligned framework.
“What I’ve seen over the last few years is more collaboration where you’ll have both IT control owners and business process control owners in the same walkthrough because the systems are so integrated with business processes,” Kerr said. “They’re really working together on the control framework and aren’t designing system controls in a vacuum from business process controls and not designing business process controls in a vacuum from system controls. Getting that to work has been a challenge, but when it does work well, it makes the entire process much smoother and more efficient.”
Key SOX challenges for controllers
“Other than the ever-emerging control requirements and technical compliance requirements of managing SOX, the biggest issues facing companies relate to the required time and cost implications it takes to comply, to assess controls on an ongoing basis, to manage a myriad of new issues related to acquisitions, and to manage the increased intensity around cybersecurity,” said Steve Rinaldi, CPA, U.S. corporate controller at InterSystems, a global health IT vendor based in Cambridge, Mass.
Indeed, many of those issues that Rinaldi mentioned were highlighted in Protiviti’s most recent SOX Compliance Survey.
Compliance costs: There was a slight downward trend in annual SOX compliance costs in fiscal year 2016 compared to the previous year, according to the survey. One reason is that most organizations have now completed implementation work in connection with the 2013 COSO framework—which typically costs between $50,000 and $100,000.
But that decrease in costs hasn’t been felt by all public companies. While more companies spend $500,000 or less annually on SOX compliance than in prior years, many are still spending more than $2 million.
“I think we’ve seen established companies that have gone through the SOX process year over year increase those efficiencies and move to a maturity level that gives them a better return and, in the end, maintain or lower the costs of the effort,” Christensen said. “However, those that are relatively early in their SOX journey still see there’s an opportunity to move up that maturity curve—move from more of an ad hoc state to a better-defined level. And I would expect that they would see those efficiencies somewhere in their near future.”
Compliance hours: Time spent on SOX compliance activities went up for most companies in FY 2016, and for two out of three of these companies, hours increased by more than 10 percent, according to the survey.
Cybersecurity: There was a fairly big jump in cybersecurity disclosures in FY 2016 (33%) compared to the prior year (20%). “I talk with a lot of audit committees and internal auditors about what’s on the macro-level lists that the C-suite and the boardroom are thinking about, and obviously, cyber the last year or two has been close to the top of the list,” Christensen said.
Future of SOX compliance
A big question moving forward, Christensen said, is: What will next-gen SOX look like?
“The topics that we’re seeing include the introduction of some robotic process automation. RPA is a hot topic, and I don’t think people have gone too far down that path, but there are tremendous opportunities and it’ll be part of the future,” he said.
“Some of the bigger advancements are going to come through automated techniques that are there, particularly with advancing technologies,” Christensen continued. “Big data sets and disparate data systems communicate and corroborate information, adding elements and things that you can get into the cloud and in the various cloud environments. That’s probably the next frontier of where SOX can go, but that’s probably two to three years away. But companies that are on the cutting edge around SOX are beginning to implement and experiment with these, as recently as today. So, that’s creating some excitement and interest in where SOX goes.”
Technology advancements in SOX compliance will be the focus of a future article, as these controllers talk about tech trends, automation, and the possibility of using artificial intelligence and blockchain in their compliance efforts.