Through their inspections of audit firms, audit regulators are driving more corporate focus on high-risk areas, more documentation, more shifting of Sarbanes-Oxley compliance work back to the internal audit department, and increased costs.

That's the finding of a survey in late 2012 and early 2013 by Protiviti of nearly 300 executives charged with Sarbanes-Oxley compliance duties. The firm's 2013 SOX compliance survey says executives are answering the demand for more attention on high-risk processes and IT controls, and are paying a higher price to provide it. When asked what's driving change in SOX compliance processes, 66 percent said they are facing demands for increasing process and control documentation for high-risk processes, and 60 percent said they are increasing the amount of time devoted to walkthroughs and documentation around processes. With respect to cost, 38 percent of executives said they have witnessed an increase in their SOX compliance costs from the year before, and 47 percent said they have seen an increase in their external audit fees in the same time frame.

The Public Company Accounting Oversight Board has turned up the heat on audit firms in recent years, delivering searing inspection reports to all the major firms while demanding more audit scrutiny in a variety of areas, including fair value measurement, financial instruments, revenue recognition, and taxes, among others. Firms facing grim inspection findings have told companies as a result to brace for more audit procedures and more documentation to support audit conclusions.

The survey results suggest companies should take such demands into account as they plan for the 2013 year-end financial reporting and audits, says Brian Christensen, executive vice president for global internal audit at Protiviti. “We are seeing, as a result of audit firms responding to inspection reports from the PCAOB, that companies are putting a lot more emphasis into high-risk areas and walkthroughs,” he says. “Companies need to take a hard look at making sure they put the right time and energy into those high-risk areas.”

Companies are reporting they are putting an increased emphasis on information technology controls and automated controls, says Christensen. “There has been so much fluid change in the IT area,” he says. Fully 90 percent of executives surveyed said they plan to automate IT processes and controls for Sarbanes-Oxley compliance in 2013, up from 83 percent the year before.

The survey also revealed companies are making a significant shift in who is taking primary responsibility for Sarbanes-Oxley. Nearly half, or 45 percent of executives, said their companies are putting the internal audit department in charge of SOX compliance, up from 30 percent the year before. IA staff initially took charge of Sarbanes-Oxley requirements when the act was new, but many companies have taken steps to shift the duties out into the operational areas of the company.

Now companies are taking note that external auditors are more willing to place reliance on internal audit's work than that of operational managers, says Christensen. “External auditors are looking at who has the most objective and independent point of view in organizations,” he says. Operational executives are not adequately independent to enable external auditors to rely on their work, he says. “We are starting to see this trend in the field.”