With increased regulatory scrutiny, changes in key accounting standards and pressures from external auditors, companies need to take control of their SOX programs — or it may take control of them. Below are the key 2016 survey* findings highlighting areas for companies to consider in taking a proactive approach to maturing their SOX program.
Companies should take a proactive role in establishing their own strategy and making decisions related to their controls and overall ICOFR program, including an economic and risk-based decision about external audit reliance.
In efforts to minimize SOX costs, companies are primarily looking at compliance costs (testing and auditing) as these costs are more ‘visible’ to the company. However, most of the total cost of controls is generally related to the performance of controls (design, execution and administration).
Companies generally have invested significant resources into implementing enterprise resource planning and other key systems, as well as designing information technology general controls over those systems. Companies now need to continue focusing on implementing and monitoring additional automated controls within those systems to reduce risk and reduce the cost of controls.
When SOX is part of a company’s culture and the program is working efficiently, the program can add value rather than just being a compliance exercise. This can allow more time and money to be focused toward broader Internal Audit and value creation initiatives that align with the broader corporate values and strategies.