SOX Section 404 Compliance Costs
A Top-Down, Risk-Based Approach
- The general opinion of many companies that have completed
their first year of compliance with the Sarbanes-Oxley Act
(SOX) is that the costs associated with complying with section
404 are too high. The Public Company Accounting Oversight
Board (PCAOB) has determined that a large portion of these
excessive costs can be attributed to compliance processes
and audits that were not as effective or efficient as intended.
In many cases, companies and auditors were documenting and
testing too many financial reporting processes and related
two published releases, the PCAOB summarized its findings
and provided guidance on how to improve upon these inefficiencies.
The board is encouraging auditors and issuers to use a top-down,
risk-based approach instead of an overly detailed, bottom-up
assessment. The PCAOB stated that the assessment of internal
controls over financial reporting will be more effective
if auditors and issuers focus on company-level controls
and the significant accounts, processes, and controls that
are most likely to have a material impact on the financial
risk-based approach is founded on the premise that not all
accounts, transactions, and risks are equally important.
Companies should not only consider the relative significance
of these items, but also factor in a number of related concerns,
including the nature of the business, the inherent risk
level of processes and controls, and the effectiveness of
technology and human resources.
article, the first in a two-part series, describes a four-step
process for implementing a top-down, risk-based approach
to establishing scope and test strategies for internal controls.
When combined with appropriate technology support and sound
business acumen, it can significantly reduce the costs for
SOX section 404 documentation and testing.
May 16, 2005, and November 30, 2005 (PCAOB Release Nos.
2005-009 and 2005-023, respectively), the PCAOB published
additional guidance to auditors on how to implement Auditing
Standard 2, An Audit of Internal Control over Financial
Reporting Performed in Conjunction with an Audit of Financial
Statements (AS 2). The guidance consisted of a Policy
Statement regarding the implementation of AS 2, a series
of staff questions and answers, and a report on the initial
implementation of AS 2. Through these publications, the
PCAOB is providing technical guidance to auditors and issuers
on how to use the provisions and underlying principles of
AS 2 to conduct effective and cost-efficient audits of internal
controls over financial reporting.
most issuers generally support the objectives of SOX section
404, many have expressed concerns about compliance costs
and are examining how the implementation process can be
improved. The general consensus is that the internal control
assessment and audit process has the potential to significantly
improve the quality and reliability of financial reporting,
but that the first round of internal control audits cost
too much. The goal is to implement AS 2 in a manner that
captures the benefits of the process without unnecessary
or unsustainable costs.
PCAOB has identified the primary drivers of cost to be the
scope of the internal control audit and the amount of management
testing being performed. These factors should be addressed
most urgently to affect audits for the second and third
years of SOX compliance. The PCAOB recommends using a top-down
approach that begins with company-level controls and proceeds
to identify for further testing only those accounts and
processes that are, in fact, relevant to internal control
over financial reporting. Furthermore, companies should
use the risk assessment required by AS 2 to eliminate from
further consideration those accounts that have only a remote
likelihood of containing a material misstatement.
reviewing the guidance issued by the PCAOB, companies should
consider refining their best practices to support a top-down,
risk-based approach to testing the effectiveness of internal
controls. Such a methodology incorporates the following
Company-level controls: Use
a top-down approach that begins with company-level controls
to identify for further testing only those accounts and
processes that are relevant to internal control over financial
Material accounts: Identify
the financial statement accounts that are material by
selecting an appropriate number of locations to obtain
adequate coverage (not too low or excessive).
Risk-based selection of controls:
Apply a risk-based approach that considers both quantitative
and qualitative factors in identifying significant processes
for the transaction-level testing of controls.
Account assertions: Ensure that
the controls selected for testing cover the significant
PCAOB guidance, when implemented appropriately, can greatly
reduce the scope of controls identified for SOX section
404–related testing. In many cases, reductions of
25% to 45% can be achieved.
that many companies have passed the milestone of Year 1
SOX compliance, they have an opportunity to take a look
back to understand what actually occurred, and to see how
the experiences and lessons of Year 1 can help form strategies
and responses for Year 2 and beyond.
section 404 implementation during Year 1 was a challenge
for everyone involved; for many companies, the process was
simply overwhelming. Fully understanding the task at hand,
planning an initial approach, and ensuring the timely availability
of the appropriate resources were just a few of the key
challenges companies faced. In many cases, the process was
burdensome because the required documenting, monitoring,
verifying, and reporting were performed manually.
key problem was that many companies spent excessive amounts
of time testing the design and operating effectiveness of
every control, the validity of every assertion, and the
accuracy of every account balance.
2 of SOX compliance can be quite different from Year 1.
Now that companies better understand what the law requires
and where their process weaknesses lie, they should be focused
on implementing a sustainable compliance process. One of
the key components for a sustainable process is choosing
the right compliance technology needed to make the second
year’s filing less onerous than the first’s.
See the Exhibit
for a list of criteria for selecting a technology solution.
with Year 2, and certainly by Year 3, the focus should turn
to cost reduction. In “Emerging Trends in Internal
Controls: Fourth Survey and Industry Insights” (September
2005), Ernst & Young found a strong correlation between
the number of controls identified for testing and the costs
associated with compliance. For example:
85% of surveyed companies with annual revenues greater
than $20 billion invested more than $10 million dollars
in initial SOX section 404 compliance.
of companies with annual revenues greater than $20 billion
tested more than 10,000 controls, and some companies tested
more than 50,000 controls.
For companies with $5–$20 billion in annual revenues:
invested more than $5 million in initial SOX section
24% tested more than 5,000 controls.
is not surprising that the scope of controls identified
for section 404–related tests is a primary cost driver.
Ernst & Young survey also found that, for 63% of companies,
less than 30% of the SOX section 404–related controls
were IT-based, which means that the opportunity to realize
long-term cost savings and to improve confidence through
the automation of controls is significant. It will not,
however, be enough to realize the cost savings that many
testing strategies can also have a pervasive impact on the
overall scope and cost of SOX section 404 assessments, so
determining the right multi-location testing approach is
very important. In most cases, company size, complexity,
and geographic scope will affect the number of locations
identified for section 404 testing, but the selection criteria
can also have a sizable impact on the number of locations.
Beyond the location’s size, companies should consider
other criteria, such as whether the site is potentially
a significant financial-statement risk.
are several ways to lower SOX compliance costs, including
improving training, streamlining SOX processes, and automating
controls; however, implementing a top-down, risk-based approach
to establishing scope and testing strategies will have the
largest impact on ROI.
2 of this article will describe a four-step process for
implementing a top-down, risk-based approach to establishing
scope and test strategies for internal controls. It will
also discuss how a technology solution can support this
process and make it more efficient.
O’Brien, MBA, is OpenPages’ (www.openpages.com)
director of product management and leads the product development
process for the company’s line of governance, risk,
and compliance management (GRCM) solutions.