Costs related to ICOFR may be higher than you realize, in part because they often take a different form than you might expect. When most companies measure ICOFR costs, they typically only look at compliance costs, focusing on testing and external audit expenses. But the larger cost components related to ICOFR draw on other resources throughout the company for tasks such as:
When costs aren’t measured and accounted for, they tend to rise, so companies may be experiencing an increase in the hidden costs of ICOFR. Companies that merely look at compliance costs are therefore likely missing their greatest opportunities to reduce ICOFR costs and add further value. If companies don’t sufficiently understand the level of effort incurred to perform controls, they will miss opportunities to operate controls more cost-effectively.
Typically, companies try to get a handle on their ICOFR spend by rationalizing their controls. It’s a well-intentioned idea, and KPMG’s 2016 Internal SOX survey
found that 59 percent of companies that have had rationalization efforts have succeeded in reducing the number of key controls. But the survey also showed that only 37 percent of those companies achieved a corresponding reduction in the amount of time they spent on testing, and only 15 percent managed to also reduce time and costs associated with control performance.
Having a smaller number of key controls doesn’t correlate to a reduced burden on a company’s resources if it is still mostly doing the same work in the same way. The key to a cost-effective ICOFR program that accomplishes its mission of managing risk and adding value is not just reducing the number of controls — though that is one element—but also choosing the right controls, focusing efforts on the most critical among them, and creating the right control environment (a later paper will explore this topic further).