Sarbanes-Oxley Compliance Survey Shows Need for More Scrutiny on High-Risk Processes

Key trends include growing reliance on internal audit functions and automation of controls; survey results to be discussed during May 14 webinar. 

MENLO PARK, Calif. – May 14, 2013 – Demand for added attention to high-risk processes, growing costs and the increasing role of IT controls and testing reports are some of the key changes and challenges companies faced over the last year as they worked to meet Sarbanes-Oxley (SOX) requirements, according to findings in the 2013 Sarbanes-Oxley Compliance Survey by global consulting firm Protiviti.

When executives and professionals involved in SOX compliance were asked what was driving the most change in their SOX compliance processes, 66 percent said there was at least moderate change due to demand for increasing process and control documentation for high-risk processes. Additionally, 60 percent of respondents indicated that the increased amount of time required for walkthroughs and documentation around processes was also driving moderate change.

“To continue to improve their SOX compliance efforts, companies need to intensify their scrutiny of high-risk processes such as financial reporting, accrual processes, stock options and equity, and taxes,” said Brian Christensen, Protiviti’s executive vice president for global internal audit. “The study shows that companies are beginning to adjust in that direction and the shift aligns with guidance from the SEC and PCAOB.”

“It’s important to note that SOX compliance programs and processes should remain agile and ready to change course if public companies are to adhere to the law in an effective and cost-efficient manner,” said Christensen. “As demonstrated by regulators, providers of ongoing guidance (e.g. COSO) and rapidly changing business conditions, the achievement of sustainable, cost-effective and value-enhancing compliance processes remains an ongoing journey that requires continual vigilance.”

With regard to the new COSO internal control framework, nearly two-thirds (66 percent) of the Protiviti survey respondents were aware of the revision process. Not surprisingly, the vast majority (85 percent) were against early implementation in 2013. If given an adoption option, respondents were fairly evenly split across several potential implementation schedules, including fiscal year 2014 and adoption after 2014.

Shifting Responsibility to the Internal Audit Function

Year-over-year findings about which area within an organization is responsible for overseeing SOX compliance showed a sizeable shift toward the internal audit function and away from project management. In 2012, the survey found that 30 percent of organizations housed this responsibility with the internal audit function, while 25 percent handled SOX compliance through their project management office. However, in this year’s survey, 45 percent of respondents said internal auditing managed SOX compliance (up 15 percent), while only 10 percent said it was handled by project management (down 15 percent).

One reason for this shift is the willingness of external auditors to rely on the work of internal audit departments rather than other functions. In 2013, only 25 percent of respondents said there was an increase in external auditors’ reliance on documentation, walkthroughs and testing performed outside of the internal audit function, while 39 percent said there was an increase from external auditors in having the same work done by internal audit departments.

Additional Survey Findings

Other key findings from Protiviti’s 2013 Sarbanes-Oxley Compliance Survey include:

  • Eighty percent of respondents indicating they have seen improvements in internal control over financial reporting structure since Sarbanes-Oxley Section 404(b) was first required for large accelerated and accelerated filers in 2004. This is especially true for large accelerated filers, with 87 percent saying there have been improvements.
  • More than one-third of companies (38 percent) reporting a year-over-year increase (from 2011 to 2012) in SOX costs. Nearly half of the companies surveyed (47 percent) also reported a year-over-year increase in external audit fees during the same period. That said, on average the costs for SOX compliance are not extraordinarily high relative to the objective of quality financial reporting to investors through improved internal controls. For most organizations, the cost of SOX compliance remains at a manageable level.
  • Automation of controls continues to be an area of increased focus, with 90 percent of companies surveyed this year indicating that they have plans to automate IT processes and controls for SOX compliance, up from 83 percent in 2012.

About the Survey

In its fourth edition, Protiviti’s 2013 Sarbanes-Oxley Compliance Survey gathered insights from 297 executives and professionals at companies with gross annual revenues ranging from less than $100 million to more than $20 billion. The survey was conducted in late 2012 and early 2013, and respondents included chief audit executives, chief financial officers, corporate Sarbanes-Oxley and Project Management Office leaders, chief compliance officers and others involved with SOX. The survey is available for complimentary download at:

A 90-minute webinar discussing the results of the survey will be held on Tuesday, May 14, 2013, at 9:00 a.m. PDT. To register for the complimentary webinar, please visit

Additionally, a video featuring Protiviti’s Brian Christensen discussing key trends in SOX compliance based on the survey results is available at  

About Protiviti

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Job description

Listing Info Summary: The Compliance Director is responsible for ensuring, under the direction of the Chief Compliance Officer (CCO), that NORCAL Group remains in compliance with all applicable legal and regulatory requirements, its Code of Conduct, and other internal policies, by overseeing the identification of such requirements and the design and implementation of an appropriate framework of internal processes, controls, and procedures company-wide to address such requirements. Monitors which compliance functions are best accomplished on a distributed basis within the business units. Partners with business unit leaders to develop, document, and update the processes for these distributed compliance functions in a manner designed to optimize both compliance and efficiency in terms of the required staff resources and tools. Maintains appropriate oversight over the efficacy of the distributed compliance functions. Implements all necessary actions to ensure achievement of the objectives of an effective compliance program.

Essential Functions: Individual must be able to perform each essential duty satisfactorily. The essential functions listed below are representative of the knowledge, skill, and/or ability required with or without reasonable accommodation.
  • Manages day-to-day operation of the compliance program.
  • Identifies the laws and regulations applicable to the NORCAL Group of companies and develops/implements a system for receiving appropriate updates. Evaluates and selects appropriate software tools to facilitate same. Oversees appropriate internal dissemination of regulatory and legal compliance developments throughout NORCAL Group.
  • Determines appropriate ownership, either within Compliance or within the business/operations units for identified compliance needs and ensures that systems and processes are embedded within such units to ensure compliance. Works with business units to document required compliance processes, ensuring needed resources to administer processes are identified. Develops appropriate systems to track and report on required compliance activities, including evaluation and selection of appropriate software to track filing deadlines and issue reminders of upcoming filing requirements.
  • Facilitates role of Chief Compliance Officer as single point of contact company-wide for communication with regulators, manages NORCAL Group company relationships with various state insurance departments and other regulatory bureaus/entities, and coordinates mid-level regulatory contacts handled directly by the business units.
  • Periodically reviews and updates the Code of Conduct to ensure continuing appropriateness and relevance in providing guidance to management and employees.
  • Collaborates with other departments to direct compliance issues to appropriate existing channels for investigation and resolution.
  • Consults with legal staff as appropriate to resolve difficult legal compliance issues.
  • Responds to alleged violations of rules, regulations, policies, procedures, and Code of Conduct provisions by evaluating or recommending the initiation of investigative procedures. Develops and oversees a system for uniform handling of such violations.
  • Monitors, and as necessary, coordinates compliance activities of other departments to remain abreast of the status of all compliance activities and to identify trends.
  • Identifies potential areas of compliance vulnerability and risk; develops/implements corrective action plans for resolution of problematic issues, and provides general guidance on how to avoid or deal with similar situations in the future.
  • Institutes and maintains an effective compliance communication program for the organization, including promoting (a) the use of EthicsPoint, (b) a heightened awareness of the Code of Conduct, and (c) awareness and understanding of existing, new, and emerging compliance issues.
  • Works with the Human Resources Department and others as appropriate to develop an effective compliance training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
  • Supervises the activities of the Compliance unit in support of compliance activities for NORCAL Group.
  • Attends compliance organization seminars and conferences as appropriate and approved by CCO for purposes of remaining well informed concerning best practices and legal/regulatory developments relevant to the insurance industry.
  • Assists CCO with preparation for board/committee meetings.
  • Oversees the development and maintenance of an appropriate filing system in support of the foregoing.
Fiscal Responsibilities: Reviews and approves compliance staff expense reports consistent with company guidelines.

Supervisory Responsibilities: Supervises compliance staff; works with staff on professional development plans and opportunities; interacts frequently with staff to provide feedback on performance; consults with CCO and Human Resources as appropriate.

Expenses: Employees must be able to pay for certain business expenses in advance. Examples include such items as airline tickets, rental cars, hotel deposits, seminar registrations, etc. Employees are eligible for reimbursement for such expenses through NORCAL’s Expense Reimbursement Policy.

Required Driving: n/a

Non-Essential Functions: n/a

Physical/Environmental Working Conditions
  • General office environment is primarily sedentary work which requires the following physical activities: standing, sitting, walking, reaching, lifting, finger dexterity, grasping, repetitive motions, talking, hearing and visual acuity.
  • The employee must occasionally lift and/or move up to 10 pounds.
  • Exposure to LCD on a daily basis.
  • A moderate noise level is usual.
  • Minimum of 4-year college degree
  • JD
Experience Required
  • Minimum of 10 years’ experience as a compliance professional for a regulated financial services company, ideally an insurance company.
  • Expertise in HIPAA and state privacy laws is essential; familiarity with insurance holding company act, insurance regulatory requirements in general (especially relating to fraud plan/training requirements and consumer complaints), OFAC, and document retention requirements is ideal.
  • Some outside law firm and/or in-house legal experience is preferred.
Skills Required
  • Demonstrated leadership ability and ability to communicate effectively orally and in writing.
  • Familiarity with operational, financial, quality assurance, and human resources procedures and regulations.
  • Effective project management skills.
This description portrays in general terms the type and levels of work performed and is not intended to be all-inclusive or represent specific duties of any one individual. Nothing in this job description restricts management’s right to assign or reassign duties and responsibilities to this job at any time.

About this company

The mission of NORCAL Mutual Insurance Company is to provide the policyholder-owners the highest quality medical professional liability insurance products and services at the lowest responsible cost while maintaining a financially sound company. The company was formed by physicians in 1975 to carry out this mission. NORCAL Mutual insures nearly 20,000 physicians and other healthcare professionals in solo practice, medical groups, hospitals, clinics and allied healthcare facilities in California, Alaska, Rhode Island, Texas and Illinois. Facilities coming soon are Pennsylvania, Delaware, Kansas and Missouri. As an active partner with organized medicine, NORCAL seeks to anticipate and influence changing industry and policyholder trends and to respond to those trends to the benefit of the policyholders. They are endorsed by 31 county medical societies and professional organizations.

The Core Values
  • Underwriting to the standard of care
  • Clinically driven risk management services
  • Aggressive defense of non-meritorious claims and prompt, fair resolution of all meritorious claims
  • Sustained financial strength and stability
  • Physician and health care focus