The State Of Sarbanes-Oxley Compliance: The Protiviti Survey Results

The results of Protiviti’s survey of Sarbanes-Oxley compliance are out. The report has a few “mom and apple pie moments” given that Protiviti is in the business of providing risk assessment and advisory services as well as internal audit co-sourcing and outsourcing services to public and private companies, large and small.

That’s ok. I like seeing viable alternatives to the Big Four audit firms – the firms whose primary focus should be external auditing not growing their consulting businesses. Again.

Remarks Before the 2010 AICPA National Conference on Current SEC and PCAOB Developments

by James L. Kroeker, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission on December 6, 2010 (Emphasis is mine.)

In vesting in the accounting profession such an important public trust, a system predicated upon auditors adhering to strong standards to ensure that financial statements are properly presented is crucial. Accountants should not take their position for granted; the role that auditors play was not put in place without considering the alternatives.

Just as I encourage auditors to stand firm and to maintain quality and credibility in their audit work, I also encourage leaders of audit firms to ensure that the audit is never again treated like a commodity. The auditing function should be the very soul of the public accounting profession – never again as a foot in the door for higher-fees related to services from their multidisciplinary firm.

The public – and those who act in the public’s behalf, such as the Commission – need to be assured that audit firms will continue to make the necessary investments over time to ensure that audit quality is not compromised, and that auditor performance will continue to meet public expectations. While I have heard recently about the rebuilding of the consultancy practices within large accounting firms, I trust that the profession will not need to re-learn lessons of the past on the serious, adverse effects of under-investing in the quality or failing to strictly maintain the independence of their audit process. I am likewise hopeful that if significant investments are being made to pursue other lines of business within a “multi-disciplinary” firm, the potential impact on public trust and public perception of the audit practice is being considered.

I interviewed Protiviti Executive Vice President Bob Hirth in January as they rolled out the survey. The Protiviti report had a few surprises for me – well, maybe not – about who’s doing the work of Sarbanes-Oxley within companies.

For the most part it’s still internal audit.

I asked Richard Chambers, the CEO of the Institute of Internal Auditors (IIA), an international professional association for internal auditors in industry and in the firms, what he thought of that:

“While nothing about that contravenes our professional standards, the best role for Internal Audit to play in Sarbanes-Oxley compliance initiatives is to provide overall assurance on the effectiveness of the organization’s documentation and testing of internal controls and Section 302 certification process, rather than to be down in the weeds doing the actual documentation and testing of controls instead of management.”

Truly surprising was that the authors of the Protiviti report had to warn some small company responders that outsourcing Sarbanes-Oxley to the external auditors is a no-no.

I wrote about the survey last week at  You can find that story and additional comments and quotes here.

Protiviti has a nice webinar on their site that goes through their whole report.

Download the survey report here.

14 replies
  1. Len Green says:

    Francine, is SOX worth it in the end? It seems that none of the real big frauds perpetrated on the public have resulted in anything: the housing crisis, the financial crisis happen, and all the feds can do is put Bernie Madoff inside? Is the cost worth it?

  2. Francine says:

    @ Len Green

    It’s not the law but the lack of enforcement of the law by the auditors in doing the work diligently and calling out companies who have weak controls in enough time and strongly enough. And it also requires enforcement by the SEC and DOJ. If you don’t enforce Sections 302 and 304 and if you have weak whistleblower protections (another SOx provision that’s required more and more strengthening by other laws to no avail because it’s not truly supported by the corporate-catering SEC) then you don’t have effectiveness.

  3. Robert Castro says:

    As you know an audit consists of commercially reasonable procedures that should catch most but not all material misstatements; they involve considerable judgment which cannot be legislated. We have numerous law enforcement agencies yet we still have crime; we understand and accept that the elimination of all crime isn’t realistically possible on a cost effective basis yet the standards will hold auditors to is patently absurd.

    If the bureaucrats wanted to put some teeth into Sarbanes they can start by having the registrant report what their audit fees were for the past 5 years and what the new audit fee is when they change auditors. If that number is more than 5% greater or less than their prior year fee or the average of the 5 prior years’ fees then both the new auditors as well as the Registrant and its audit committee to explain why they believe the auditor can properly conform to standards when they are doing the same work for 20 or 30 % less. I submitted a proposal to a Registrant where I quoted 2.2 Million and the prior Year’s auditor charged 2.2 Million, the winning Big 4 Firm bid was 1.3 Million – REALLY does anyone think that was possible??

    They were either subsidizing the Registrant (Independence?) by doing it at half or less of their standard rates (Yes December 31 YE) or they aren’t going to plan their audit procedures to mirror the fee they are going to receive (proper audit?).

    How about the numerous small broker dealers with annual audit fees as low as $2,500. REALLY can audit be really done for less than 20K and still conform.
    The regulators should come up with the averages and compare them to identify the Registrants that fall well outside the averages and start challenging the Registrant and their Auditors. For instance assuming the registrant is paying 25% more than a competitor of similar size it may suggest that the internal controls that have been attested to under Sarbanes may not be up to standards if there were no discrepancies, given our competitive world it is unlikely that the auditor is getting more than the market will bear. It is time we hold all accountable not just the auditors.

    Madoff was not a failure of auditors it was a failure of regulators.

    What the Government asks the auditors to do is like sending the military to prosecute wars without equipment to do so.



  4. Francine says:


    All the data is there for regulators – PCAOB and SEC – to scrutinize the audit fees. I heard the OHIO CPA Society CEO say that the smaller firms are really steamed up about larger firms lowballing audit fees to steal their clients. He has to do everything he can to prevent them from getting into some anti-trust, non-competitive conversations about creating fixed fee agreements amongst groups of firms. I guess they never heard of collusion.

    I don’t agree that identifying the risk of fraud and material misstatement is impossible for auditors. But it surely is if they don’t want to do the work the standards require and don’t want to act on the results when they point to necessary additional skepticism and testing of senior management assertions.

  5. Robert Castro says:

    Hi Francine

    I too believe that identifying material frauds is not impossible and that many if not most frauds should be caught it is simply unreasonable to believe that all frauds can be caught without an enormous cost to society and investors alike. Regulation without teeth (i.e. the tools to monitor and implement is simply not going to work). The regulators have to provide the professionals with not only the responsibility they need to have the authority.

    After 30 years in the auditing profession I am saddened by what I believe to be a consistent decline of professionalism and ethics. So what’s the regulators’ answer in NY it was to require a minimum amount of ethics CPE every 3 years – REALLY is that the cure, I don’t think so! There needs to be enforcement and serious consequences to those violating their professional and ethical responsibilities, send a few to jail strip them of their licenses etc. and then but only then we will see an adjustment in practitioners’ attitude.

    BTW — keep up the good work

  6. Len Green says:

    Interesting follow up comments, I enjoyed reading them. What it tells me is that the real definition of “ethics” is “not being caught doing something you know you should not do.” But wait, that’s the Illinois way!!

  7. Robert Castro says:


    Sad but many times true, I am not a fan of Big Government – that being said you almost have to have audits performed by a governmental agency (or a similar set up to the PCAOB) to produce the kind of results people expect.

    You need to eliminate the natural conflict that exists in the profession — that of performing a public trust and maintaining and growing the client base. You either have to have the PCAOB perform all of the audits or have them assign Companies to an auditor dictate the fees and not allow them to change, then and only then will auditors universally perform in the way we would hope.
    The problem is the slippery slope there are many grey areas in the literature and I believe all too often they are used to the clients’ benefit because they are the ones that pay the bill, wrong no, unethical maybe, I guess it depends on one’s point of view but clearly the way the profession operates it is going to favor the client over the investor if there are 2 choices (think Enron).

    I will argue that it is impossible to audit most if not all of the Fortune 500 in a cost effective manner due to their size and complexity.

    Most if not all financial institutions (Bear Stearns, Lehman, Citi and the list goes on and on) had issues with Mark to Market so how is it that their internal controls were adequate? The auditors of these entities were reviewed by the PCAOB so did the PCAOB fail too?

    Audits of complex and large entities rely heavily on these so called internal controls which have in most failures proven not to be so reliable. Yet the cost of auditing the balance sheets of these entities on a substantive basis would be prohibitive so recognizing that means accepting that there will be failures from time to time. The expectations of audits are unrealistic, audits need to be delivered on a timely cost effective basis. It truly is the “Catch 22”.

  8. Me says:

    “…But it surely is if they don’t want to do the work the standards require and don’t want to act on the results when they point to necessary additional skepticism and testing of senior management assertions.”

    But auditors can only work so many 100-hour weeks before they just bend over and die.

  9. Francine says:


    Testing senior management assertions, looking client company C-level executives in the eye and deciding whether you believe them is partner work. I don’t think most of them, especially non-IT partners, are working 100 hour weeks. And if they would either get the nerve to charge their clients for the work or take a hit on their paycheck to do a job that meets standards, they could stop cutting teams to the bone and have some support for what needs to be done without squeezing more hours out of same tired people.

  10. Robert Castro says:


    “And if they would either get the nerve to charge their clients for the work or take a hit on their paycheck to do a job that meets standards, they could stop cutting teams to the bone and have some support for what needs to be done without squeezing more hours out of same tired people.”

    Hasn’t happened up till now and it will never happen until you dramatically change the way the business model works. Look what the recession of 2008 brought about paring staff to the bone and a significant decrease in audit fees, to remain profitable especially at the new “rates” requires the auditor to either pare down his scopes to reduce the work, leverage the engagements pushing work down the ladder to even less experienced people or taking shortcuts or a combination of all the above. I recently learned that some of the International firms are outsourcing audit staff and senior work to foreign countries to reduce costs!!!

    Francine I agree with you there needs to be significant changes to the audit profession but I am not sure we see eye to eye on how to accomplish that, it would appear you hold the auditors responsible for all the ills of the profession, the truth is it is a combination of the auditors, the regulators and an antiquated ineffective business model – we are having much the same discussions today about the obvious conflicts of interests in the rating agencies business model. Until the obvious conflicts of interest are resolved it will never change.

    For instance how about the PCAOB assign an auditor together with a truly independent audit committee to a Company and pay them directly by charging it back to the Company thereby eliminating the conflict of interest.


  11. Robert Castro says:

    @ Francine

    Have you ever read the research paper by Richard Kaplan “The Mother of All Conflicts – Auditors and their Clients” I believe it would be of interest to you.

    So what do you believe are the prospects for the change that you and I as well as countless others believe must occur?

  12. Francine says:

    @Robert Castro

    I must re-read that paper. I ran across it early in this process and it would come in handy again. Thanks for reminding me.

    I don’t think big change such as to the basic delivery model of assurance services will change unless there is another significant threat to one of the large firms. That threat will, of course come from outside, a class action lawsuit or individual suit against one of the firms from out of left field, perhaps the failure of a significant foreign member firm. The threat will never come from potential prosecution of one of the firms by the US or UK government of one of the firms for a criminal act. It would have to be something non-white collar, such as involvement in white slavery or child pornography to make one of the major governments take another audit firm down. That’s simply because they have no plan for what to do under the current delivery model with less capacity.

    I do think we will see some incremental changes and a shift in the pendulum back to less really crazy things like all of these inside trading allegations against audit partners as we see the PCAOB and SEC enforce those laws against individuals. But the firms themselves will get off scot-free.

    And the audit firms will not be held responsible for their role or lack of a role in serving the public the financial crisis unless a smoking gun demonstrating egregious complicity in fraud or coverup of fraud is uncovered by a journalist.

    That, as they say in the legal contingency arena, has a probability that is less than remote.
