Sarbanes-Oxley Insights: An Interview With Bob Hirth of Protiviti
Protiviti is currently soliciting feedback for its new Sarbanes-Oxley Insight Survey.
The results of this survey promise to provide valuable and important insight into the current state of Sarbanes-Oxley compliance for all types of organizations. We should also learn more about the related costs and how to achieve a desired state of verifiable compliance, value-add, and sustainability. Completing the survey takes approximately 20 minutes and will be available online until February 15. Please click on the link below when you are ready to begin the survey. No login ID or password is required to access the survey.
I encourage you to participate.
Complete the survey. (Survey is now closed. The results should be available in a couple of months.)
The results are expected to be available later in the spring of 2010, and re: The Auditors will have an exclusive look at these, along with my analysis and that of Protiviti’s experts.
In the meantime, I asked Bob Hirth (San Francisco), Executive VP, Global Internal Audit Practice for Protiviti, and Scott Gracyalny (Chicago), Managing Director, Risk Technology Services a few questions about Sarbanes-Oxley and companies’ attitudes towards risk, controls, and corporate governance.
fm: What are your objectives in producing this study at this time given that the PCAOB, and perhaps SOx and Section 404, are perceived by many to be threatened by the forthcoming Supreme Court decision in Free Enterprise Fund v. Public Company Accounting Oversight Board?
BH: The objective of this survey is to gain current — as well as future state — insight into the status of SOX compliance efforts and techniques at companies of varying levels of filing status, revenue size and industries, with emphasis on large accelerated filers who have complied with SOX for four to six years, IPOs from four to six years ago, as well as more recent IPOs, foreign filers and small filers who, at least at this time, will be required to have auditor attestation of their SOX Section 404 compliance efforts. We hope that the information we obtain and the report we issue summarizing our findings will help organizations continue to improve the overall cost, quality and sustainability of their SOX compliance as well as continue to evolve and enhance their systems of internal control over financial reporting.
While we cannot determine or predict the outcome of any legislation or litigation concerning the future of the PCAOB or the SOX law itself, we felt it important to push on with this survey in the hopes that the reported results will benefit companies who continue to strive for cost-effective internal controls and efficient compliance processes. We also hope this survey will benefit companies that have a strong commitment to an effective system of internal control over financial reporting, which benefits all key stakeholders – management, boards, shareholders, employees, external auditors and even the overall economy.
We have conducted a related SOX survey over the last four years entitled Moving Internal Audit Back Into Balance, a Post-Sarbanes-Oxley Survey. However, this survey was more focused and limited to the impact of SOX on the internal audit activity of an organization. While the reported results have been very helpful and enlightening, we decided to broaden the study this year to involve more stakeholders, such as finance leaders, managers who lead SOX initiatives for their organizations but may not be part of the internal audit function, and even key process owners who might have significant responsibility for SOX compliance. These prior year surveys are available on our website at www.protiviti.com.
We expect to release the results of this year’s broadened survey in May of this year, well in time to assist organizations with their 2010 SOX planning efforts. Again, we are hoping that this information will further improve the efficiency and effectiveness of SOX compliance for many organizations.
fm: I’m often asked for examples of companies that had no trouble with Sarbanes-Oxley, had good controls and documentation prior, never complained about the cost, consider 404 best practice… Do you know of any? Do they exist? Is there a Fortune 500 company that openly supports Sarbanes-Oxley 404 and its goals?
BH: Yes, there are companies that had (little to) no trouble with Sarbanes-Oxley, had good controls and documentation prior, never complained about the cost and could be considered best practice. While not being able to quote specific organizations for client confidentiality reasons, we believe there are a number of well-known U.S. public companies that support SOX section 404 and its goals. Many of these companies have used the SOX compliance process as a catalyst for improving their upstream business processes that feed financial reporting.
Though company management and their auditors certainly struggled with SOX compliance in the initial year or two, we find today that many public companies have evolved their SOX compliance processes to a point where they are efficient and effective. SOX compliance efforts at these organizations are now in appropriate and reasonable proportion compared to other compliance activities. We have also found that in many, but not all cases, external audit teams have improved and streamlined their approaches and adopted the tenets of AS5.
It is true that many large and well-controlled organizations had difficulties adjusting to the SOX compliance requirements. However, we have found that a high percentage of them have seen SOX as a good validation process of their system of internal control over financial reporting. The lexicon of SOX concepts, including such items as automated controls, key controls, frequency of control application, preventative and monitoring controls, etc., has facilitated better communications around internal controls and helped many companies to refine and enhance their system of internal control over financial reporting and, in some cases, substantially streamline their control systems and improve the design and operating effectiveness of those control systems. For example, because of SOX, some organizations realized that they had too many controls in some areas, which were simply redundant or actually ineffective. By going through a rigorous process of identifying the key controls that really matter and evaluating both the design and operating effectiveness of those controls as SOX requires, changes were made that streamlined AND actually improved controls.
Likewise, we also know of and have worked with a number of organizations where the requirements of SOX illuminated serious control deficiencies, some of which were adequately remediated in time for reporting by management and unqualified attestation by their external auditors and other cases where material weaknesses were reported. Many of these companies have been able to substantially improve their system of internal control over financial reporting albeit primarily because SOX required them to.
fm: Given budget constraints and cost cutting at many companies, do you see overall cuts in internal audit for any kind of support – internal or external – or just a re-emergence of internal audit having to pay its way via business process improvements and cost savings finds? Have we reverted to pre-SOx attitudes about internal audit yet? Did we make any progress in changing attitudes about control value of internal audit, as a very necessary cost of doing business, in the last seven years?
BH: Like any business process, internal audit functions have not escaped a review of their costs and benefits. This has been a positive and appropriate activity at most companies, and in our experience, internal audit budgets have generally not simply been cut for the sake of cutting costs. Where internal audit can identify cost savings and improve processes, we think this is a positive contribution in addition to providing assurance on controls. We encourage all internal audit functions to seek out these opportunities, which is consistent with The IIA’s definition of internal auditing.
Internal auditing, controls and companies themselves are dynamic and always in a state of change. Consider, for example, the recent financial crisis; the current discussion on board risk oversight; the challenges in emerging from a severe recession; among other things. Therefore, it would be impossible to literally revert back to things as they were pre-SOX. We continue to see internal audit being viewed as a value-added, important and necessary activity that has the attention of management, the audit committee and the board. We continue to work with organizations that truly have world class audit organizations and work with others who aspire to be at this level.
And, yes, we believe progress has been made over the last seven years in improving the stature and delivery capability of internal audit as well as attitudes about controls, their cost, but also their value.
fm: Which do you see as having a greater impact on the reduction of costs associated with Section 404 – AS5, or general economic conditions and backlash on perceived fee gouging that has shifted power back from Big 4 audit firms to client management post Sarbanes-Oxley?
BH: We believe that the proper application of both AS5 for external auditors and the SEC Interpretative Guidance for company management produced positive benefits and efficiencies for public companies and their auditors. The requirements of SOX and the evaluation process and scope of auditor attestation have not changed because the economy has changed. However, the falling economy has put pressure on fees as companies have appropriately sought to reduce costs in all areas, including the cost of outside professional services.
Our experience has been that external audit fee increases have moderated over the last several years and that, in most cases, audit fees have decreased from the initial years of SOX compliance. We believe that there are empirical studies that support this trend.
fm: Assuming the PCAOB and therefore Sarbanes-Oxley is not considered unconstitutional, do you see a chance that prohibitions against external auditors serving as internal auditors for US listed firms will be repealed instead, following the trend in the UK such as at Rentokil? The client himself asked for audit firms to propose package deals, ignoring issues that arose from these independence conflicts in the past, such as at Enron.
BH: U.S. regulations about the type and scope of services provided by external auditors have been clarified and strengthened as a result of SOX. We do not believe these regulations will be relaxed, no matter what happens with the forthcoming Supreme Court ruling.
As to Rentokil, a UK listed company, the UK Accounting Practices Board (APB), which has a degree of oversight responsibility for the independent auditing profession, is currently reviewing the issues around the provision of non-audit services by audit firms to listed companies that they audit. A Consultation Paper has been issued requesting comment from interested parties. The Consultation Paper and all comment letters are on the APB’s website.
fm: Where do you see the GRC software and testing and process documentation repository software providers from a capability maturity model perspective? Will the big ERP firms dominate or specialized providers who can focus on the required functional expertise?
SG: The GRC software market is semi-mature, equating to a defined/managed level from a capability maturity model perspective. It is also our thought that this market will evolve to include two types of primary providers, a) ERPs and b) e-GRC solutions. Organizations with heavy investments in homogeneous ERP systems will gravitate towards the benefits of inherent integration and a desire to be in close proximity to their transactional data. The key benefit of this approach is the ability to automate elements of compliance, while remaining within a single vendor stack. Organizations that seek to have pressing needs met while tackling the near-term GRC challenge have focused on specialized providers. The mix of the immediate functional relief with an ability to implement quickly (time, cost, required collaboration, etc.) has driven the majority of companies to date to select from among a variety of specialized providers.
From a vendor standpoint, the ERPs are larger and better funded with a depth and reach that cannot be matched by eGRC offerings. The completeness of their vision is sound, if not immediately impacting for many organizations. The eGRC providers present buyers with a more tangible set of costs and benefits (due to lower price point and smaller implementation scope), yet may be challenged to expand their offering to remain relevant into the future. Additionally, the viability of any single specialized vendor is unknown due to performance, consolidation or the impact of other trends.
Our view is that this market will remain robust for the next 3 to 5 years – without a single vendor or category of solution becoming dominant. The abovementioned dynamics will remain and the diverse needs of the buyer community will create opportunities for numerous organizations to compete for their GRC business. As the field converges towards a set of commonly accepted requirements, we feel that the successful vendors will continue to focus on: phased implementations that start small and evolve towards GRC; interoperability with source systems and data; third party integration to meet discrete functional needs; dynamic frameworks that handle complex business models; improved usability to drive adoption by business professionals and a consistent track record of innovation.
The Capability Maturity Model time windows are my guess:
Level 1 – Initial (Chaotic) (1995 to 2002)
It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
Level 2 – Repeatable (2002 to 2005)
It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
Level 3 – Defined (2005 to 2009)
It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.
Level 4 – Managed (2005 to 2012)
It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.
Level 5 – Optimized (2013+)
It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.
Please contact Lark Scheierman (email@example.com or +1.720.264.2941) if you have any questions related to the survey.
Thanks, first, for sharing this interview with my good friend, Bob Hirth. Bob is a gentleman of high integrity, experience, and insight and I have always valued his opinion.
After talking to Bob, you asked Scott this question: “Where do you see the GRC software and testing and process documentation repository software providers from a capability maturity model perspective?” In the context of this discussion, it appears as if you are talking about the audit/assurance/compliance functions related to management’s Sarbanes-Oxley compliance program.
However, GRC is a term with multiple meanings: for some it refers to the way in which an organization directs and manages the organization to advance the interests of its owners (governance), managing risks to achievement (risk), and remaining in compliance with applicable laws and regulations (the compliance part). But others use GRC to refer only to risk management and related activities; some, including the influential analysts at Gartner, describe it in yet other ways. Then there are adaptations of the term, such as eGRC, iGRC, financial GRC, etc.
I discuss this in more detail in several posts at http://normanmarks.wordpress.com/.
I suggest that the second part of your question to Scott can only be answered once GRC is clearly defined: “Will the big ERP firms dominate or specialized providers who can focus on the required functional expertise?” In other words, if you are talking about the holistic version of GRC, then it is hard to see niche vendors ever addressing more than a few elements. If GRC is limited to risk management or management of the SOX program, then certainly niche vendors can be (and have been) significant.
Disclosure: I work for SAP, which has multiple solutions for our customers’ GRC processes – and Protiviti is a valuable SAP partner.
I am surprised to see this interview on your blog. Seems more like an infomercial. Same stuff you can get off their website.
Well, the questions were mine. Whether or not they answered them in an original way is something else. I am planning on asking similar questions to other independent service providers and GRC tools/technology providers such as SAP. If any of the Big 4 or next tier firms would like to provide their responses, I will print them, too.
I thought the topic was timely and the information that will come out of encouraging more response to their survey may be useful.