In the following podcast interview, Chris Patrick and Mike Lawler, both Senior Managers with SC&H Group’s Risk Management Services team, discuss how to contain external audit costs and maintain Sarbanes-Oxley (SOX) compliance in the wake of the PCAOB’s “Audit Alert #11.”
When the Sarbanes-Oxley Act (SOX) was passed in 2002, the law’s original intent was to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise.
The law created the need for companies to implement additional safeguards – and more robust internal controls – to mitigate overall risk. SOX required top management to establish and maintain an adequate internal control structure. This internal control structure needed to include procedures for financial reporting, and had to be assessed for effectiveness on an annual basis. Additionally, SOX specified that accelerated filers with a market capitalization of $75 million or more enlist external auditors to perform a second independent assessment of the internal control structure.
SOX introduced a highly complex regulatory environment into the U.S. financial market. Maintaining regulatory compliance became very time-consuming and costly for corporations, with many of the law’s detractors claiming it reduced America’s competitive edge. While SOX is not a new concept, there have been several changes that are impacting how companies comply.
First, in 2007, the Public Company Accounting Oversight Board (PCAOB) issued “Auditing Standard No. 5” to establish requirements for performing and reporting on internal control assessments. By implementing a top-down, risk-based approach, any risk deemed “material” should have a mitigating control. The overall goal of this standard was to avoid procedures that were unnecessary to perform an effective assessment.
However, a 2010 PCAOB general inspection report revealed that in 46 of 309 integrated audits reviewed, the external auditors failed to obtain appropriate evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies. It was apparent that SOX was becoming increasingly viewed as a “check-the-box” activity by organizations, and their external auditors alike. As a result, many SOX programs became stale, and the level of effort and collective interest to ensure that these programs were operating in accordance with the original standards began to wane.
As a response to this independent review, the PCAOB issued “Audit Alert No. 11” in 2013 to discuss the application of certain requirements of Auditing Standard No. 5, and to hold external auditors to the standards originally set forth in this standard. Audit Alert No. 11 wasn’t saying anything “new”, however, this caused a perception in the market of PCAOB increasing documentation requirements, which in turn would raise the level of effort – and drive up fees – of audit firms. Many companies were feeling as if it were 2002 again.
During the same time Audit Alert No. 11 was issued, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its 2013 Framework. Historically, companies used the 1992 COSO Framework, but this enhanced Framework aimed to help organizations mitigate the risks inherent in continuously changing technological, economic, and regulatory environments. The 2013 COSO Framework broadened internal controls beyond just finances to include more emphasis on technology, entity-wide risk assessments, fraud, and the use of third parties – with 17 principles broken down into roughly 80 points of focus.
Now more than ever, organizations are running leaner, and are looking for increased guidance as a result of these regulatory changes without increasing costs. Working as an extension of management, SC&H Group’s Risk Management team works closely with internal staff and external auditors to enhance compliance while minimizing costs.
The goal of our work is to get external auditors to rely on management’s work to the maximum extent possible. The risk assessment and business process documentation work that we perform in collaboration with the external auditors on the front-end of each of our projects helps clients prevent an “eleventh hour” scenario.
Often times the annual SOX process is placed on the back burner during the year as management and the external auditors tackle other pressing operational and financial reporting issues. In some instances, management and the external auditors are unable to connect and collaborate on the methodology used to perform the SOX assessment until it’s too late. In this scenario, the external auditor may decide that they’re unable to rely on the work performed by management – the work may not meet the external audit firm’s own internal methodology standards, or the requirements set forth by the PCAOB.
SC&H Group’s Risk Management Services team collaborates with internal staff and external auditors to streamline SOX efforts – in turn minimizing organizational risk and maximizing value. Our seasoned team of professionals helps companies create a sound internal control environment while ultimately keeping the cost of compliance in-check.
Our Risk Management professionals work diligently to make all parties involved comfortable and confident in the controls and processes in place. Ultimately, the work performed up front by our dedicated team of SOX and internal audit professionals can decrease the amount of time, effort, and cost incurred to maintain compliance.
If you need assistance containing external audit costs and maintaining Sarbanes-Oxley (SOX) compliance in the wake of the PCAOB’s “Audit Alert #11,” please contact Chris and Mike here.