Uncovering the full picture of control costs

Costs related to ICOFR may be higher than you realize,  in part because they often take a different form than you might expect. When most companies measure ICOFR  costs, they typically only look at compliance costs, focusing on testing and external audit expenses. But the larger cost components related to ICOFR draw on other resources throughout the company for tasks such as:

• Performance:  Your company has to design, execute, and administer its controls. These tasks often add up to more than half of the total ICOFR cost. Yet since other departments often absorb performance costs, companies usually fail to include these costs as part of ICOFR. The Public Company Accounting Oversight Board (PCAOB) has continued to focus on management review controls and levels of precision, as well as on management’s validation of completeness and accuracy for key reports. As these focus areas flow down to the company, they require additional time and expense for control owners to perform and document control activities.

• Errors/Corrections/Turnover:  How often does your company spend time and resources reperforming or redesigning controls? How often do you train new employees on the control activities when experienced ones leave? These costs add up quickly and generally aren’t considered when evaluating ICOFR costs.

• Management review:  In addition to the time spent performing control activities, management also spends time reviewing and administering these activities, with more manual control activities requiring an especially time-intensive review process. Every hour managers spend on ICOFR is an hour they can’t spend elsewhere. When you consider the number of controls and number of people involved, the corresponding costs add up quickly.

When costs aren’t measured and accounted for, they tend to rise, so companies may be experiencing an increase in the hidden costs of ICOFR. Companies that merely look at compliance costs are therefore likely missing their greatest opportunities to reduce ICOFR costs and add further value. If companies don’t sufficiently understand the level of effort incurred to perform controls, they will miss opportunities to operate controls more cost-effectively.

Typically, companies try to get a handle on their ICOFR spend by rationalizing their controls. It’s a well-intentioned idea, and KPMG’s 2016 Internal SOX survey
 found that 59 percent of companies that have had rationalization efforts have succeeded in reducing   the number of key controls. But the survey also showed that only 37 percent of those companies achieved a corresponding reduction in the amount of time they spent on testing, and only 15 percent managed to also reduce time and costs associated with control performance.

Having a smaller number of key controls doesn’t correlate to a reduced burden on a company’s resources if it is still mostly doing the same work in the same way. The key to a cost-effective ICOFR program that accomplishes its mission of managing risk and adding value is not just reducing the number of controls — though that is one element—but also choosing the right controls, focusing efforts on the most critical among them, and creating the right control environment (a later paper will explore this topic further).