404 responsibility shifts to internal audit units
It's hard to believe that Section 404 of the landmark Sarbanes-Oxley Act is almost 10 years old. It seems like just yesterday that compliance with 404(b) in particular was such a vexing, expensive issue for companies large and small. At this point, the maturity curve has moved to the point where most companies have refined their processes.
Protiviti has just released its fourth annual Sarbanes-Oxley Compliance Survey, which reveals that companies are continuing to develop their processes with greater value-add to the organization in mind.
One wrinkle is that more organizations are shifting responsibility for the process toward the internal audit unit and away from project management. In 2012, the survey found that 30 percent of organizations housed this responsibility with the internal audit function, while 25 percent handled Sarbox compliance through project management offices. However, in this year's survey, 45 percent of respondents said internal auditing managed Sarbox compliance, while only 10 percent said it was handled by project management.
One reason for this shift is the willingness of external auditors to rely on the work of internal audit departments. Other conclusions include:
- More companies are adjusting their compliance efforts to focus on high-risk processes and walkthroughs.
- External auditor reliance on these efforts, and on the work of others in general, continues to evolve, due in part to guidance from the PCAOB.
- SOX compliance costs are rising, as are external audit fees. However, for most organizations the cost of SOX compliance remains at a manageable level.
- Organizations continue to report significant improvements in their internal control structures since SOX Section 404(b) became a requirement.
- The automation of controls remains an enticing option and perhaps the "final frontier" for achieving significant improvements and efficiencies.
- here's the survey
Boards, CEOs more serious about internal audits