Internal Control Insights for Execs, Boards at Small Public Companies

Posted by Nancy Johnson on August 11, 2011

A recently published survey by global business consulting firm Protiviti offers insight about SOX compliance at public companies with revenues less than $100 million.

The survey included a total of 400 respondents representing small (revenues less than $100 million), mid-sized (revenues between $100 million and $10 billion), and large (revenues of $10 billion or greater) companies. The findings we at Vibato found most interesting for small companies, and our analysis of them, are below.

  • 80% of small companies included in the survey spend less than $100,000 annually on SOX compliance. 

Takeaway: This finding resonates with Vibato’s experience. It’s true that $100K is not insignificant, especially for very small public companies, but it is a far cry from the multi-million dollar annual estimates cited by SOX-bashers and political talking heads.


  • In all companies, the first year of SOX compliance is the most expensive. Cost reductions occur in years two, three, and four of SOX compliance, then level out after year four. 35% of small companies included in the survey expect SOX costs to increase, 24% believe they cannot reduce costs further, and 35% believe they can reduce costs but only by less than 10%.

Takeaway:  It makes sense for some small public companies to see SOX costs increase. After all, these companies are growing rapidly, often through M&A activity or global expansion that might require more controls or implementation of existing controls in multiple subsidiaries. However, these findings suggest that small companies are missing out on opportunities to make their control systems more efficient, and thus more cost-effective.  


  • 67% of small companies surveyed perform all SOX work internally; 28% bring in assistance from a single organization and only 5% get help from two to three organizations. 

Takeaway: It’s no surprise to us that executives and board members handle SOX oversight at small public companies, which are often too small to have fully-staffed internal audit departments. More unexpected is that a whopping 67% perform all SOX work internally. These executives especially should take another look at third-party SOX specialists, such as Vibato, that offer high-value risk assessment and testing services on an annual basis. At the very least, small companies doing SOX themselves should seek help to fine-tune their SOX internal control infrastructure, so that the internal resources being applied to SOX can work more efficiently and cost-effectively.

  • 7% of small companies surveyed reported outsourcing 50% or more of their SOX work to their external auditor during their first year of SOX. 

Takeaway: A company's external auditors should never be involved in completing SOX work because it violates the independence requirements of SOX and accounting standards set by the PCAOB. The public company execs and audit committee members who approved these actions were putting their companies at risk. The external audit firms who accepted this work should be ashamed of themselves.  


  • A majority of all surveyed companies believe that the costs outweighed the benefits during the first year of SOX compliance, but the reverse – the benefits outweigh the costs – is true in subsequent years.

Takeaway: This finding is one that private companies going public or public companies crossing the threshold to accelerated filer status need to write down and refer to during any dark days in their SOX efforts. Plan well, budget accordingly, and hang in there: the true benefits of SOX compliance might be just a few months away.
