SOX Nears 15-Year Anniversary. What’s Changed?: A Q&A With Protiviti’s Brian Christensen

Sarbanes-Oxley will reach a milestone this month. How have the challenges changed over the last 15 years and what are the top concerns of compliance leaders today?


The Sarbanes-Oxley Act (SOX) was signed into law on July 30, 2002, making this it’s 15-year anniversary. FEI Daily spoke with Brian Christensen, EVP of Global Internal Audit and Financial Advisory at Protiviti, about the changes since the enactment of SOX, the challenges compliance leaders face today, and how to incorporate an automated level of control.

FEI Daily: The 15th anniversary of SOX is July 30. How have the challenges changed since SOX first passed?

Brian Christensen: The way organizations can address Sarbanes-Oxley to look to drive value, to minimize costs, and achieve the outcomes, remains of amazingly high interest. And that's even somewhat a surprise to me as someone that works in it day to day.

Early on in the beginning of Sarbanes-Oxley it was looked at as a big exercise around compliance, designing controls, documenting controls. Fast forward to today, I think the survey results indicate a couple of things.


One, companies that have put sufficient resources and efforts into designing strong SOX programs have clearly identified there are benefits. No one likes to go through a large compliance effort, but those that have applied with some vigor and discipline are seeing benefits and also managing the costs therein. Despite that, there remain new and ongoing and emerging challenges of which audit executives and leaders need to be abreast of.

Cyber security is something that historically was not part of the standards of what to look at, but cyber is clearly on the minds of the external auditor. The new revenue recognition rules are something that will have an impact, that will require more insight and review by a company's financial executives because it there is a rise in expectations to deliver that result. Despite the fact that companies may be in a good, steady state, the expectations continue to rise and there are a number of things that are there on the horizon that need to be addressed, and so it is never status quo year over year.

FEI Daily: What surprised you most about the survey results?

Christensen: We find that every year this survey continues to gather more and more interest. That indicates that organizations do see this as an ability to assess their organization and be somewhat of a barometer of where are they are. And I think one of the takeaways is that it’s important to understand the level of effort that companies are putting into their Sarbanes-Oxley. No one ever likes to be the outlier, high or low, but it's good to benchmark where you stand and also to have an understanding and appreciation for what the results are.

What has surprised me is that level of interest itself. 10 years ago, it was all level around compliance, but now organizations are trying to gather more information, understand how to use that to improve the business, can they enhance the things that they're doing?

The other surprising feature is that desire to get to more automation. I think in our society and business world today, companies want to get to that strategic advantage and that one of the strategic advantages is how to incorporate an automated level of control? Including such things as big data, automated data techniques, and predictive analysis. According to the survey, a lot of people haven't made tremendous progress in those areas, but that is the next frontier and I think companies that can get to that level sooner rather than later will demonstrate a strategic advantage which will be good to them and their overall business not only in Sarbanes-Oxley work.

FEI Daily: What are the top concerns of compliance leaders today?

Christensen: The big one is revenue recognition. New rev rec accounting standards go into effect in the next fiscal year and just 56 percent of companies have begun preparations.

Cyber is the second. Following a year of high-profile breaches and ransomware attacks, the number of cybersecurity disclosures made in 2016 increased significantly. Fifteen percent of those issuing disclosures increased hours spent on overall SOX compliance by more than 20 percent.

The third is PCAOB requirements. According to the survey, 3 in 4 firms whose external auditors required significant changes to SOX compliance activities attribute this increase to PCAOB changes. The PCAOB and the body that provides the oversight for the auditor are always looking at how to improve and extend the audit standards. This past year we saw the reliance upon third parties, the types of reports and the level of scrutiny that was applied by the external auditor for the service organization reports that were delivered. But the PCAOB remains an active body to increase and maintain the scrutiny around the external auditor and obviously that has downstream effects to the auditee.

FEI Daily: 70 percent of companies see the value in their SOX compliance – can you tell me more about what the audit executives said about their current compliance efforts?

Christensen: When SOX first began it was this heroic effort taken by companies to document and get everything together. They went through some revisions from audit standard two to audit standard five in terms of the level and extent of what was there. In my experience, organizations do a pretty good job of assessing, designing and executing SOX programs, but it gives them a level of comfort both to financial executives, board members, and management, as to how things are functioning for the various roles and functions within companies.

For example, I have seen in the last couple of years, as we've seen an uptick in some mergers and acquisitions, one of the first areas that people look to in the due diligence is to get an understanding of the control environment. Historically, that probably didn't exist. It provides a level of comfort to the management on both sides of the company as to what the current state is and, as a result, I'm finding that people are asking in board rooms and at the C-level, "What did the Sarbanes control review tell us around a particular area?"