According to Protiviti's newly-released report: "Benchmarking SOX Costs, Hours and Controls" - revealing the results of its survey of 1,004 public companies conducted earlier this year for fiscal 2017 – SOX compliance costs continued to rise year-over-year for many companies, but are increasingly dependent on company-specific facts & circumstances, including filer status and size, SOX compliance year, and the number of controls, locations, and regions of operation. The firm surmises that increased compliance costs may be attributable at least in part to the new revenue recognition standard, and projects further compliance efforts (and associated costs) associated with the new lease accounting standard this next fiscal year.
External audit fees increased year-over-year for many companies, which the firm attributes to staff pay increases and increased demands on auditors triggered by the PCAOB, among other factors. Not surprisingly, many companies also experienced increased hours devoted to SOX compliance, attributed in part to increased PCAOB scrutiny and the new revenue recognition standard.
Notably, 46% of respondents reported being required to issue a cybersecurity disclosure according to the SEC's guidance – up from 33% last year and 20% the year before. SOX compliance hours increased 11 – 15% for 36% of companies and 16 – 20% for 39% of companies required by the guidance to make a disclosure. Protiviti notes: "While the PCAOB has not found any cyber incidents that have resulted in financial misstatements or material weaknesses in ICFR, we expect the board (PCAOB) as well as auditors to continue to scrutinize cyber disclosures." Also notable: The majority of companies said that the PCAOB's auditor inspection reports had a substantial or extensive impact on their control review testing compliance costs.
The report also includes helpful benchmarking data on the role of Internal Audit, and process/function outsourcing and third-party providers.