VANCOUVER, British Columbia -- More than 95 percent of companies polled report that a "reduction of staff time and associated costs to test internal controls" is key to maintaining effective SOX 404 compliance, according to a survey conducted by ACL Services Ltd. and the Center for Continuous Auditing (CCA). The poll of 247 senior audit professionals at corporations with more than $1 billion in annual revenues looks at the serious challenges organizations face in making their SOX compliance efforts sustainable.
The burden of compliance hit companies hard in year one -- but this survey confirms what many in the market have been saying -- year two will not provide the efficiencies organizations had hoped for. The ACL/CCA survey reports that only 40 percent of these organizations have already automated, or plan to automate, the testing of their controls this year -- leaving nearly 60 percent of the companies to continue the struggle to find the skilled resources necessary to test the myriad internal controls present in any large organization.
Section 404 of the Sarbanes-Oxley Act, which requires corporate management teams to assess and test the effectiveness of internal controls on an ongoing basis, has proven to be the most challenging section of the legislation for most companies to comply with. It is time-consuming and difficult because it requires expert knowledge of internal controls objectives and presents technical challenges, since much of the information that must be tested resides on different IT systems spanning multiple business processes across the enterprise.
An overwhelming 92 percent of respondents identified the importance of enabling timely and effective management insight into controls deficiencies, giving further credence to the fact that sustaining SOX 404 compliance is a top-of-mind concern for audit and financial management. In addition, more than 80 percent of the audit executives cited the need for faster, more effective identification and correction of inappropriate transactions, and deemed increased investments in technology solutions designed to continuously monitor controls to be important for their organizations.
"The results of this survey mirror much of what we heard last year," says Harald Will, president and CEO of ACL Services Ltd., the leading provider of business assurance analytics technology for audit and controls professionals. "Many companies still maintain a short-term mindset when addressing the ongoing requirements set forth in Sarbanes-Oxley, despite recognition of the benefits of ongoing and continuous monitoring of transactions for the purposes of assuring internal controls," adds Will. "And while internal auditors are overwhelmingly in favor of adopting the technology and best practices of continuous monitoring and auditing, organizations frequently don't seem ready or willing to back them up."
"Continuous monitoring of controls is a management function and part of the organization's control structure in accordance with COSO best practices. Auditors, on the other hand, use continuous auditing processes to test transactions and identify anomalies and to test the continuous monitoring processes of management," says J. Donald Warren Jr., Director of the CCA. "The combination of these continuous processes provides management with timely information to take corrective action when a control deficiency is identified, as well as providing assurance to management on the effectiveness of the company's internal control environment."