A study has revealed that the high costs of complying with SOX section 404 are due to inactivity by the Securities and Exchange Commission and the incomplete nature of COSO 1992. According to experts at InfoWatch, the problem is exacerbated further by the fact that many normative acts duplicate each other, but still require separate audits.
The absence of practical implementation guidance for internal controls and the incomplete system of the COSO (Committee of Sponsoring Organizations) 1992 framework for assessing the effectiveness of those controls are the two main factors that substantially raise the cost of complying with section 404 of the Sarbanes-Oxley Act (SOX). These are the findings of the COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices.
The results were based on responses from 400 experienced CFOs, controllers, internal auditors, and SOX compliance specialists at publicly traded companies. Among the main findings were the following points:
- Approximately two-thirds of all respondents identified two key factors as major cost drivers. First, there is a lack of practical guidance from the SEC or other professional organizations on how to decide what constitutes an effective (or ineffective) internal control system. Second, there is redundant testing (between auditors and in-house SOX compliance resources) due to a lack of collaboration to reduce the sample size. The data suggests that the original goal of achieving efficiencies via an integrated audit of internal control that is incremental to (not duplicative of) the traditional financial statement audit is still not a reality.
- More than half of respondents acknowledged that they did not use COSO 1992 to assess IT control effectiveness, despite indicating that their control assessment was done in accordance with COSO 1992. Almost 52% of respondents used COBIT for this critical aspect of their assessment.
- 45% of smaller public companies and 35% of larger public companies are using a “bottom-up” approach to internal controls rather than a “risk-based” point of view. The higher percentage for smaller companies could suggest a skills gap in applying robust risk assessment methods.
- Only 38% of respondents indicated that the COSO 1992 controls framework was guiding their internal control assessments, while 62% primarily rely on Accounting Standard 2 (AS2). Due to the lack of practical guidance, AS2 has become the de facto assessment standard for company management.
- 57% of respondents did not believe that the COSO 1992 framework alone was sufficient guidance for determining the effectiveness of internal controls, strongly suggesting that practical assessment methodologies linked to the framework are necessary to assert to the SEC that an organization has an effective system of internal controls.

“Compliance with section 404 is indeed expensive, but it is public companies in particular that are bearing the brunt. They often have to satisfy the requirements of several normative acts simultaneously, for example, SOX and GLBA, SOX and HIPAA, and so on. Under these circumstances it is best to aim for a comprehensive solution that enables the creation of both an effective system of internal control and a system of risk management and IT security,” points out Denis Zenkin, marketing director at InfoWatch.
Source: Business Wire