Risk-Based Sarbox Implementation Guidelines Working, Study Says


It's so rare to see anything positive about the Sarbanes-Oxley Act in the media these days that when I find it, I have to share. A new study from Protiviti, a global consulting and internal audit firm, indicates the guidance issued last year by the Public Company Accounting Oversight Board and the Securities and Exchange Commission is doing what the regulators wanted it to do.


According to a press release posted at CNW Group, Protiviti's third internal audit rebalancing study found that nearly 40 percent of respondents have been able to spend less time on Sarbanes-Oxley compliance activities and focus more time and energy on business strategy since the new guidance came out. Protiviti's VP and internal audit practice leader, Bob Hirth, said:

Our survey findings indicate that as a result of the new information from the SEC and PCAOB, companies are establishing a more finite number of controls, thus enabling them to reduce the time spent on compliance and then shift, or rebalance, their focus to other key areas in the organization.

As I have written before, the guidelines from the SEC encourage a more risk-based approach to internal controls. A company's most stringent controls should be set around the processes that create its greatest risks, and so on. Similarly, the PCAOB's Auditing Standard 5 seeks to reduce duplication of audit work by allowing external audit teams to rely on certain findings of internal audit teams rather than doing another complete audit. The Protiviti study also revealed that such changes are happening in companies that participated in the study.


It's nice to know that, every now and then, a plan really does come together.