Since the Sarbanes-Oxley legislation first came into effect seven years ago, much has changed in the US corporate landscape. At first, the new laws appeared onerous—time consuming and perhaps just a little bit of overkill. Since then, the global financial crisis occurred—putting much greater focus on internal audit, control and corporate accountability.
That focus was pushed from within companies themselves, not just from regulators or legislators, which may be why companies are coming to appreciate the benefits of Sarbanes-Oxley—at least according to a survey by global risk and business consultants Protiviti. In fact, companies report that Sarbanes-Oxley does not go far enough in having companies assess and audit risk.
In the company’s fourth annual Sarbanes-Oxley survey, Protiviti found that the majority of respondents were now well into their Sarbanes-Oxley changes: most were beginning to reduce the amount of time spent on Sarbanes-Oxley compliance, and many reported seeing the benefits of rebalancing their audit activities since the law was put into effect.
More than one third of respondents reported that their internal auditors were now more able to perform traditional audits, and 25 percent said that they were seeing more appropriate coverage of risk. Other benefits cited include increased objectivity by the internal audit department and increased effectiveness and efficiency of operations.
Two out of three companies that responded to the survey reported that they were implementing risk-based testing as part of the audit rebalancing efforts. In addition, companies are focusing on rescoping workloads of audit staff and increasing testing and reliance on monitoring controls.
Respondents also noted that Sarbanes-Oxley compliance was not their only area of focus for reducing risk. For example, companies are also once again looking at enterprise-wide risk assessment as a means of improving risk management and control, according to the survey. Almost half of respondents said enterprise risk assessment was a priority.
Survey respondent Larry Harrington, vice-president of Internal Audit at Raytheon, noted: “Without understanding risk, we can be auditing the wrong area at the wrong time. The bottom line is that businesses face far greater risks today than Sarbanes-Oxley and internal audit must not only rebalance but also retool to meet the current requirements. There is going to be a sea change in internal audit, and each of us has a choice—be ready, willing and able, or become obsolete.”