An overwhelming majority of finance and audit executives say that the global recession didn't impact their Sarbanes-Oxley (SOX) compliance efforts, according to new research from Protiviti, a global business consulting and internal audit firm. In fact, 45 percent of respondents to Protiviti's2011 Sarbanes-Oxley Compliance Surveysaid that internal control over financial reporting in their organizations is better now than it was one year ago.

Protiviti's2011 Sarbanes-Oxley Compliance Survey– which includes feedback from a combination of more than 400 executives, corporate SOX leaders and audit professionals across a variety of industries – assesses the current state of SOX compliance, related costs, associated benefits and value, as well as how to achieve a desired state of verifiable compliance and sustainability. This is the second year the survey has been conducted, and this year it includes two new sections focusing on the impact of the economic events of 2009 on ongoing compliance with SOX requirements and the exemption of non-accelerated filers from Section 404(b) compliance as stipulated in the Dodd-Frank Act.

"Our survey results demonstrate that nine years after the passage of Sarbanes-Oxley, companies remain committed to continuously improving their compliance efforts – despite ongoing economic challenges and global instabilities," saidBob Hirth, Protiviti executive vice president and leader of the firm's global internal audit and financial controls practice. "Organizations' systems of internal control over financial reporting need to be dynamic and constantly improved in order to effectively react to and address changes in operations and the external environment, such as new regulations, technology, accounting principles, industry issues and business models."

The vast majority, 89 percent, of respondents said the global recession did not have an adverse effect on their SOX compliance efforts. "In reality, it may take a number of years to gain a clear picture of the effects the global economic crisis may have created," Hirth said. "If an organization reduced its workforce or streamlined its processes with a resulting effect on its internal control structure, mistakes may increase over time. Given this, it will be interesting to monitor these survey results over the next few years to see what patterns develop."

Other key findings from Protiviti's 2011 SOX survey include:

• By year four of SOX compliance, most organizations spend in the range of$100,000 to $1 millionannually on SOX compliance-related activities. More than 80 percent of small companies spend less than$100,000annually, and nearly 70 percent of mid-sized companies spend less than$500,000on SOX compliance.
• Companies, regardless of size or year of compliance, plan to reduce SOX compliance costs in the coming year, but that reduction is expected to be nominal – less than 10 percent on average.
• Compared to 2010 survey results, more organizations are applying COSO's guidance on monitoring internal control systems, and one in three reports this is having a positive impact on their SOX compliance activities.
• About 50 percent of organizations handle their SOX compliance efforts internally; this statistic is relatively consistent regardless of company size.
• Fifty-six percent of non-accelerated filers – who became exempt from having to comply with Section 404(b) of SOX (the auditor attestation of internal control over financial reporting) with the passage of the Dodd-Frank Act inJuly 2010– reported their organizations were "very prepared" to comply with Section 404(b) when Dodd-Frank pulled the plug on the requirement, while 29 percent said they were "somewhat prepared." These filers, however, also noted that areas related to IT and automation – including IT general controls, spreadsheet controls, and segregation of duties – would have required the most attention if they were required to comply with Section 404(b).

"While non-accelerated filers currently are exempt under law from the need to comply with Section 404(b), the question is whether this exemption is permanent," saidJim DeLoach, Protiviti managing director and the firm's senior SOX practice leader as well as a key survey architect. "If restatements by these filers were to trend upwards and restatements by companies complying with Section 404(b) were to continue trending downward, Congress could decide to revisit whether a new law should be enacted to mandate compliance. In addition, an organization cannot rule out the possibility that it could grow beyond non-accelerated filer status and, as a result, be compelled to comply with Section 404(b)."

The survey also finds that organizations are increasingly looking to IT solutions to improve the effectiveness and efficiency of their compliance efforts. Among the top three strategies respondents plan to employ in 2011 and beyond:

• Increasing the number of automated controls
• Using continuous monitoring techniques
• Decreasing the number of manual controls