15 years on, SOX costs still rising for US-based corporates
by Kylene Casanova
It's been 15 years since Sarbanes-Oxley (SOX) was signed into law and, although many companies have now settled into a compliance routine, the requirements process continues to evolve and costs have risen for many companies. So how are US-based companies coping with the changing compliance landscape? A report by consulting firm Protiviti suggests that companies are adapting as SOX requirements evolve but that the costs of compliance are continuing to rise, with a higher percentage of companies than last year now spending more than $2 million on compliance.
Overall, the survey found that companies are spending more time on SOX compliance and are also using more external resources. They are also conducting more control counts but, overall, companies view SOX as having a positive effect. The graphics below show how annual compliance costs correlate with the complexity of an organisation and its number of unique locations.



The survey also identified three factors that are now influencing SOX compliance: revenue recognition, cyber security and the PCAOB.
Accounting requirements
The US's Public Company Accounting Oversight Board (PCAOB) has been increasing its inspection report requirements for external auditors, which has resulted in stricter compliance activities for many organizations. Protiviti's research found that three-quarters of firms whose external auditors required significant changes to SOX compliance activities attribute this increase to PCAOB changes. In particular, 64 per cent of the Protiviti survey respondents said their external auditors are placing more focus on evaluating deficiencies.
Revenue recognition
A narrow majority (56 per cent) of public companies started the process of updating controls documentation in 2016, ahead of the new revenue recognition accounting standard going into effect for most companies in the next fiscal year. Those who completed the antecedent work to meet the new standard have already identified gaps and updated critical accounting policies; 26 per cent noted extensive or substantial increases in testing of controls over application of revenue recognition policies.
Cybersecurity
With the growing prevalence of cyberattacks and breaches during the last year came increasing scrutiny from external auditors, management and boards of directors. As cybersecurity grows beyond an IT concern into a fundamental business issue across the enterprise, it’s not surprising that survey respondents showed significant growth in the number of cybersecurity disclosures made in 2016. Of those who issued disclosures, 15 per cent (compared to just 5 per cent in 2015) increased their hours spent on SOX compliance by more than 20 per cent. Overall, of those companies that had to issue a cybersecurity disclosure, nearly one out of three experienced an increase of at least 16 per cent in SOX compliance hours.
What is Sarbanes-Oxley?
The Sarbanes-Oxley Act was passed by the US government in 2002 in response to accounting scandals in large corporations such as Enron, Tyco and WorldCom. The aim of the legislation is to improve financial disclosures from corporations and prevent accounting fraud. It made senior management accountable for the accuracy of financial disclosures and also established requirements for internal controls, which have been costly for companies to put into practice.
