Year one of Sarbanes-Oxley Act (SOX) compliance was a painful and expensive one for many firms both in the US and Australia, but it’s about to get a whole lot worse, according to two major studies.
Many Australian firms taking the Sarbanes-Oxley route were able to avoid some of the costly mistakes made by US peers during the first year of compliance. But many are also concerned that the relief of completing year one compliance has given way to some complacency.
Moreover, a study carried out by the Centre for Continuous Auditing (CCA) and ACL Services (ACL) has flagged potentially disastrous issues for year two.
The study found senior audit and finance professionals have serious concerns over their organisations’ ability to repeat SOX compliance this year and engender a sustainable compliance framework. The study also found some startling disconnects between what senior audit executives see as critical compliance issues and what is actually happening in the business.
“Not surprisingly the reduction of staffing times and the cost associated with testing of controls, typically manual, is a very significant issue,” said Harald Will, president and CEO of ACL. “Interestingly, of relatively equal importance was that it wasn’t just about the cost and time, but about getting faster identification of anomalies and identifying inappropriate transactions.”
Despite spending some $46 million to become SOX compliant, many firms continue to test internal controls frameworks manually, a situation likely to lead to incorrect financial reporting.
“The fact that only 10 per cent already have automated controls testing in place is maybe not that surprising, but when we see only another 30 per cent are planning to do it, that leaves another 60 per cent with no plans to automate,” Will told Risk Management. “It makes you wonder what the plans are for actually producing a sustainable environment for compliance, particularly given the increased costs of manual testing.”
The remaining 60 per cent with no plans to automate testing would struggle to find the resources needed to test the myriad internal controls present in any large organisation, Will added.
Australian sources agreed.
“All the documentation and ongoing self-assessment of individual control is at risk of all falling over very quickly as the sheer volume makes it impossible for the users to maintain in a manual form,” said Michael Jamieson, head of risk and compliance at AMP Financial Services, writing in Risk Management magazine earlier this year. “Plus it is difficult to synthesise assurance reports if you have to trawl through hundreds of pages. We selected a simple risk and compliance tool to assist the management of the process and the assignment of control accountability.”
Meanwhile, a separate study from Resources Global Professionals found that not one respondent from the 60 surveyed firms (two-thirds of which have revenues exceeding US$10 billion) had measured return on investment of their significant SOX compliance efforts. “This is an area for smart companies to focus on in year two of compliance,” said Rob Clemesha, Resources Global Professionals’ Australian managing director.
This finding is despite all respondents to the survey hiring an average of two or more external firms for SOX compliance support and more than 50 per cent of respondents using compliance management software.
While in Australia there has been a trend towards internal audit professionals taking on more responsibility for risk and compliance issues, in the context of SOX in North America this same trend is causing issues and eroding internal audit’s main role.
“The typical role of audit is to assess and review the control environment, not to do the testing,” Will said.
“Who’s responsible for monitoring the business is very clear, but when you look at who’s performing the monitoring, everyone is hiring outsiders and pulling people from other areas to do the monitoring. Thirty per cent of respondents said internal audit is doing the monitoring, which doesn’t make a lot of sense from an independence perspective and it’s not like internal audit doesn’t already have a lot to do. It’s not exactly best practice.”
Worryingly, the implications of not fixing problems inherent to year two compliance with SOX are severe. Auditors use continuous testing of controls to test transactions and identify anomalies and to test management monitoring processes. Failure to automate or properly resource this testing increases the chance of failing to identify potentially critical errors.
“The increasing number of material issues that are being flagged as part of the external attestation process is helping people see that the legislation is helping companies make progress,” said Will. “The biggest risk is not continuously monitoring and not catching anomalies prior to important events like the filing of financial statements.”
David Walker, Comptroller General of the United States, added that unless best practices were adhered to, there would be continued problems with SOX compliance. “Until there is mainstream adoption of these best practices, companies will continue to experience challenges managing their compliance processes.”
As with Australia, North America is experiencing its own talent drought in risk, audit and compliance and, as a result, corporates are paying a premium to attract qualified professionals.
“It’s definitely true that the cost of people has gone up as there is definitely a lot of competition for them,” said Will. “In the US particularly, it’s not only because of the new positions of compliance-related roles, it’s also because we are seeing increasing numbers of smaller companies implementing internal audit functions where they might have previously relied on external audit. We’ve seen people recruited from Fortune 1000 levels to Fortune 5000 companies to set up new internal audit functions.”