IMA Releases Landmark Study Revealing Sarbanes-Oxley Compliance Issues

October 12, 2006 from Business Wire – “A lack of practical management implementation guidance and the incomplete nature of the COSO (Committee of Sponsoring Organizations) 1992 framework in assessing effectiveness of internal controls over financial reporting (ICoFR) are two of the key cost drivers for public companies complying with Sarbanes Oxley Section 404 (SOX) requirements, says a landmark research study released by the Institute of Management Accountants (IMA®). The research study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, was released today.

Conducted by Professor Parveen P. Gupta of Lehigh University, the study assessed the views of nearly 400 experienced CFOs, controllers, internal auditors, and SOX compliance specialists at publicly traded companies. The study was designed to determine the extent to which companies are using COSO’s 1992 internal controls framework and identify the factors which inhibit a successful and cost-effective SOX compliance outcome, including high-cost compliance activities, definition and use of “risk based” models, application of risk assessments (fraud, plausible, and inherent risk), integrated audits, IT controls assessments, skills gap issues, and other practical areas.

“IMA’s study is the first comprehensive study of its kind that goes beyond estimating the cost of compliance. This study helps to identify the real drivers of cost and provides actionable insights for policy makers, regulators and professional associations,” said Paul A. Sharman, president and CEO, IMA. “We have hypothesized for some time that current controls frameworks are inadequate, as they do not allow management practitioners to conduct cost-effective, risk-based assessments covering internal controls over financial reporting, fraud risk, general IT controls, and other areas.”

A sampling of key findings from the IMA research study includes:

• Approximately two-thirds of the total respondents attributed two key factors as major cost drivers:
  1. A lack of practical guidance from the SEC or other professional organizations on how to decide what constitutes an effective (or ineffective) internal control system
  2. Redundant testing (between auditors and inside SOX compliance resources) due to a lack of collaboration to reduce the sample size. The data suggests that the original goal of achieving efficiencies via an integrated audit of internal control incremental to (not duplicative of) the traditional financial statement audit is still not a reality
• More than half of respondents acknowledged that they did not use COSO 1992 to assess IT control effectiveness, in spite of indicating their control assessment was done in accordance with COSO 1992. Almost 52 percent of respondents used COBIT for this critical aspect of their ICoFR assessment
• Forty-five percent of smaller public companies and 35 percent of larger public companies are using a “bottom-up” approach to internal controls, rather than a “risk-based” point-of-view. The higher percentage for smaller companies could suggest a skills gap issue in applying robust risk assessment methods
• Only 38 percent of respondents indicated that the COSO 1992 controls framework, the predominant framework in use, was guiding their internal control assessments, while 62 percent primarily rely on Accounting Standard 2 (AS2). Due to the lack of practical guidance, AS2 has become the de facto assessment standard for company management
• Fifty-seven percent of respondents did not believe that the COSO 1992 framework alone was sufficient guidance for determining the effectiveness of internal controls, strongly suggesting that practical assessment methodologies linked to the framework are necessary to assert to the SEC that an organization has an effective system of internal controls.
  

“These results suggest that our hypotheses have been proven to a reasonable degree. Now it is time to develop the long awaited assessment guidance so desperately needed by American businesses to cost-effectively comply with SOX while protecting shareholder interests,” added Sharman.

The study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, includes an Executive Summary that is available free of charge. The full study is available for purchase from IMA. Please visit https://www.imanet.org/research_sox_study.asp for complete details.”

180 View – We think there's no excuse for not providing an efficient SOX compliance reveiw.