The latest survey on Sarbanes-Oxley compliance costs finds that after three reporting cycles, corporations have become more efficient and reduced their costs internally, but external audit costs are holding steady.

Financial Executives International surveyed 200 companies, most of them large accelerated filers that have had to comply with SOX since 2004. The survey found that the average total cost for Section 404 compliance reached $2.9 million during fiscal 2006—down 23 percent from 2005 levels and 35 percent from 2004. The average revenue for companies responding to the survey was $6.8 billion.

Overall in 2006, companies reported a 10 percent reduction in the hours staff members spent internally on SOX compliance compared with 2005, and they saw a 14 percent reduction in the number of hours spent by external vendors other than auditors. FEI President Michael Cangemi says the results reflect increased efficiencies, as companies become more proficient in meeting their compliance obligations and as technical systems and software adapt to new demands.

“Companies have done a better job of implementing guidance of the SEC and PCAOB that calls for a top-down, risk-based approach, and they’ve streamlined the work that they’re doing,” Cangemi says.

On the audit side, however, the survey suggests companies have not seen a comparable decline in the overall cost. According to survey results, total fees paid to auditors for audits of both the financial statements and internal control over financial reporting averaged $1.2 million per company—a decline of less than 1 percent compared to 2005. The survey doesn’t list hours spent on the external audit, but it says the average hourly rate companies report paying for the external audit rose by 6.1 percent.

Cangemi says flat overall audit costs coupled with increased audit rates suggest the audit is taking less time, but any reduced cost as a result of reduced time is offset by an increase in rates. “Maybe hours have come down but rates have gone up a proportional amount,” he says. “Or maybe the audit firms are not really ready to reduce the significant amount of work they’re doing because of concerns about the risk of liability.”

While companies are still waiting for relief in audit costs, Cangemi says they are pinning hope on the pending management guidance from the Securities and Exchange Commission and new audit rules from the Public Company Accounting Oversight Board to make that happen. Action on both of those proposals is expected this week.

Cynthia Fornelli, executive director of the Center for Audit Quality at the American Institute of Certified Public Accountants, says auditors generally have done a better job of integrating the financial statement and internal control audits, focusing more on risk, using more judgment, and relying where appropriate on the work of others.

Still, “It’s important … that the effectiveness and quality of audits and the recent increase in investor confidence are not lost solely due to a drive to cut audit costs,” she cautions.

Fornelli says the CAQ expects auditors will use what they’ve learned to make the implementation of Section 404 in smaller companies considerably less painful than it was with larger companies several years ago. Along those lines, the CAQ is considering whether to provide a venue for auditors to exchange ideas and best practices related to the upcoming 404 audits of non-accelerated filers, she says.

FEI also noted a correlation between compliance costs and centralization of operations. According to the survey, companies with centralized operations spent an average of $1.7 million on SOX-related compliance in 2006, while companies with decentralized operations spent an average of $4 million in the same period.

Despite the persistence in audit costs, an increasing number of companies are starting to see the upside of Section 404, the survey said—although the majority still sees an imbalance in the cost-benefit equation. Among respondents, only 22 percent said the benefits of Sarbanes-Oxley are in line with the costs, though that is a slight increase from the 15 percent who said as much in 2005.

IMA Offers Advice On Implementing ERM Framework

The Institute of Management Accountants has published a new statement on management accounting offering tips and how-to advice on implementing an enterprise risk management framework.

The statement, titled “Enterprise Risk Management: Tools and Techniques for Effective Implementation,” is intended to provide practice implementation knowledge and advice on how to put an ERM framework into place. IMA issued an earlier statement, “Enterprise Risk Management: Frameworks, Elements, and Integration” in January, to provide a foundation for understanding the concept of ERM.

The latest ERM statement addresses a number of techniques an organization might use for identifying risks, along with the root causes that drive the risks. The statement also explores a variety of implementation considerations, including infrastructure and maturity models, staging adoption, the role of the management accountant, education and training, technology, aligning corporate culture, building a case for ERM, and the return on investment of ERM.

Jeff Thomson, an IMA vice president, says the concepts in the latest statement on ERM implementation are particularly timely as regulators work to redirect Sarbanes-Oxley implementation. The market is calling for a less prescriptive, more principled approach to SOX requirements, but Thomson says companies will still need some hands-on, practical ways to implement a cost-effective, risk-based approach to assessing internal controls over financial reporting.

“We would argue that there’s a balance between giving companies no guidance and giving prescriptive rules,” he says. “There’s a middle ground. This statement will be helpful to the market to fill that void.”

Thomson says the concepts in the ERM statement apply to any number of existing frameworks, including the COSO framework that is most commonly recognized in the United States and others that are better known abroad.

“It seems like it would be such a straightforward, intuitive thing to identify your risks,” Thomson says. “But when we did it inside the IMA, we found it’s a whole body of knowledge unto itself. Just identifying the risks—reputation risks, fraud risks, operational risks—it really requires good, practical, how-to discussion.”