Yesterday, as noted in this Cooley blog, Corp Fin issued one new – and two revised – CDIs dealing with Rule 701 as well as the Rule 144(d) holding period. The 701 CDIs are:
The Rule 144(d) CDI is:
Audit Committee Financial Experts: Trends
This recent Equilar blog has a nifty chart about the relative trends among industries to have “financial experts” on the audit committee. Interesting, the blog notes that S&P 500 companies had a median of two financial experts in ’15 (with 27% composed solely of financial experts) – up about a third since ’11. Learn more about this topic in our “Audit Committee Disclosure Handbook“…
SOX Compliance Costs & Audit Fees: Continue to Rise
Here’s something from Dan Goelzer of Baker & McKenzie:
Recently, consulting firm Protiviti released its “2016 Survey of Sarbanes-Oxley Act Compliance Costs.” As in its 2015 and 2014 surveys, Protiviti found that, for many companies, costs associated with SOX compliance continue to rise. And, similar to prior years, significant numbers of respondents point to the PCAOB’s inspection program as the cause of these cost increases.
– Internal compliance costs – The average annual internal cost of SOX compliance for the largest public companies (large accelerated filers) was $1.335 million. For the next tier of public companies (accelerated filers), average annual internal costs averaged $914,000, while still smaller companies (non-accelerated filers) averaged $1.219 million. The highest costs were incurred by emerging growth companies –smaller, recently-public companies – at $1.430 million. On an industry basis, healthcare payers had the highest internal SOX compliance costs ($2.31 million), while media companies had the lowest ($856,000).
– External audit fees – Half of large accelerated filers reported that their external audit fee increased in fiscal 2015, while 8 percent reported a decrease, and 42 percent said the fee remained the same. For non-accelerated filers, 41 percent reported an increase, and 52 percent reported a decrease.
– External auditor reliance on the work of others – High percentages of companies of all sizes reported that their external auditor was relying “to the fullest extent possible” on the work of others (e.g., internal audit) for the testing of controls over medium- and low-risk processes. For example, 81 percent of accelerated filers indicated that this was the case, as did 95 percent of non-accelerated filers.
– Number of entity-level and process-level SOX controls – The average number of entity-level controls reported by survey respondents was 50, of which 60 percent were classified as “key.” The average number of process-level controls reported was 96, of which 63 percent were deemed key.
– Changes in SOX compliance – The compliance area in which the highest percentage of respondents reported “extensive/substantial” change in 2016 was process control documentation for high-risk processes. In addition, 26 percent of respondents reported extensive/substantial increases in the testing of controls over management judgments and estimates.
– Cybersecurity disclosure impact – One-fifth of respondents stated that their company made a cybersecurity disclosure in fiscal 2015, in accordance with the SEC’s staff’s guidance on disclosure obligations relating to cybersecurity risks and cyber incidents. The significance of this figure is tempered by the fact that 42 percent of respondents didn’t know whether or not such a disclosure had been made. Of those who reported a cybersecurity disclosure, 47 percent said that total hours devoted to Sarbanes-Oxley compliance increased 11 percent or more as a result.
Role of the PCAOB
As was reported in last year’s survey, many respondents blame increases in their Sarbanes-Oxley compliance costs on the activities of the PCAOB. Of those respondents who said that their audit firm required changes to the company’s Sarbanes-Oxley compliance procedures in 2015, 44 percent attributed those changes to the PCAOB’s inspection program. Across all respondents, significant percentages thought that PCAOB inspection reports had an effect on the organization’s Sarbanes-Oxley compliance costs in specific areas. For example, 50 percent thought that the PCAOB’s inspections reports had an extensive/substantial impact on the costs of testing reports and other information generated by the company’s systems; 46 percent thought that the PCAOB had caused increases in the testing of review controls.
The compliance cost impact of the PCAOB’s new related party auditing standard also seems to have been significant. Fifty-eight percent of respondents reported that the company was required to update its documentation to identify related parties as a result of Auditing Standard No. 18 (ASC 2410, which governs the auditing of related party transactions). This documentation updating increased total Sarbanes-Oxley compliance hours by an average of 8 percent.
Not surprisingly in light of the cost impact that respondents thought the PCAOB was having, 75 percent of public company respondents reported that someone in the company was “keeping abreast of guidance on PCAOB inspections issued by the PCAOB.”
Role of the Audit Committee
Protiviti also asked who in the organization had primary responsibility for “executive sponsorship” of Sarbanes-Oxley compliance and who had primary responsibility for “execution.” As to executive sponsorship, 46 percent indicated that the audit committee was the sponsor, while 39 percent identified executive management. These numbers reflect a surprising shift to audit committee responsibility during the past 12 months. In the 2015, only 25 percent pointed to the audit committee as the executive sponsor. With respect to execution responsibility for Sarbanes-Oxley compliance, 14 percent of respondents identified the audit committee in 2016, compared to only 2 percent last year.
Comment: Audit committees may have opportunities to consider whether there are ways to convert some of their company’s SOX compliance costs into an investment in more effective and efficient financial reporting and information gathering processes. Sixty-seven percent of public company respondents believe that the company’s internal control over financial reporting has “significantly/moderately improved” since ICFR auditing was required.
Broken down by size, majorities of companies with revenues over $5 billion and under $500 million agreed with that statement. The survey results indicate that large companies have done better than midsize companies at generating value from SOX compliance. In Protiviti’s view “SOX compliance requires a significant investment for many organizations in terms of budget and hours. But the results reflected [in the 2016 survey] * * * reinforce the reasons these investments are needed and the value they create.”
– Broc Romanek