KPMG’s 2016 Internal SOX Survey

Transcription

KPMG’s 2016 Internal SOX Survey

An internal survey of KPMG teams and their current experiences serving clients with regards to SOX program governance and execution

Executive Summary

Do you control your Sarbanes-Oxley 404 (SOX 404) program? Or does it control you?

With increased regulatory scrutiny, changes in key accounting standards and pressures from external auditors, companies need to take control of their SOX programs – or it may take control of them.

KPMG LLP (KPMG) is pleased to present the findings from our latest internal controls survey. Our survey provides a detailed look at the SOX programs implemented by companies of varying industries and sizes, from governance and strategy to details on execution and costs.

Our report presents summary findings and key measures from the survey data and is designed to help compare a company’s SOX program against peers to help companies enhance value from and take control of their SOX program.

329: Average number of total

[Chart: Survey demographics by annual revenue, in bands bounded at 100M, 500M, 1.5B and 10B; n = 56]

Survey objectives and methodology

Surveys were completed by KPMG professionals based on their experience in providing SOX services to their clients. The KPMG professionals have a detailed understanding of their client’s internal controls over financial reporting. The experiences of 59 client engagement teams are represented in the survey responses. The findings offer useful direction and provide a basis for comparison and further analysis.

The results were derived from a Web-based survey that was conducted from March through May 2016, and the data has been categorized by industry and company size. Results and figures reported are as of the most recent fiscal year end unless otherwise noted.

Readers should consider multiple benchmarks (e.g., mean, median, etc.) for comparison and should draw their own conclusions regarding an individual company’s SOX 404 program relative to their appropriate peer group.

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The following are the key findings and insights on KPMG’s point of view for using this information to help take control of your internal controls.

Companies may be overly focused on aligning with the external auditor and maximizing reliance

Key findings
— A primary strategy for SOX programs in 2016 is to maximize external auditor reliance (81% of companies).
— 69% of companies do not have a difference between what the company has in scope / tests and what the external auditor has in scope / tests.

Our point of view
— Companies should take a proactive role in establishing their own strategy and making decisions related to their controls and overall ICOFR program.
— Companies need to regain control of their SOX programs and make an economic and risk-based, thoughtful decision about external auditor reliance.

Companies are very focused on minimizing costs, but are focused on compliance costs rather than also considering performance costs, which is the larger opportunity

Key findings
— The main strategy for SOX programs in 2016 is to minimize compliance costs (83% of companies), whereas only 57% indicated they are focused on improving business processes to decrease the cost of control performance, reduce risk and add value as part of their strategy.
— In ranking reducing control performer efforts from ‘no concerns’ to ‘greatest focus’, only 15% of respondents indicated it as an area of greatest focus versus 35% indicating reducing control testing costs as a greatest focus.

Our point of view
— In efforts to minimize SOX costs, companies are primarily looking at compliance costs (testing and auditing) as these costs are more ‘visible’ to the company. However, most of the total cost of controls is generally related to the performance of controls (design, execution and administration).
— When companies focus solely on compliance costs, there may be a misalignment between their efforts and where the majority of the burden is actually occurring within their organization.
— To help achieve more value from the SOX program, companies should focus on the total cost of controls and the quality, effectiveness and efficiency of the controls.

Take control of your internal controls

Companies can benefit from taking a proactive approach to maturing their SOX program along the controls journey. Specifically, the journey to reduce risk, reduce cost, reduce variability in the financial statements and drive value by improving processes and controls.

Key findings and insights, continued

Companies are not fully leveraging technology to transform their control portfolios and SOX programs

Key findings
— On average, only 18% of total controls are automated.
— Only 8% of companies are using data analytic procedures in the execution of their SOX program and only 14% use continuous monitoring.

Our point of view
— A healthy and efficient internal controls program should include both automated and manual controls.
— Companies generally have invested significant resources into implementing enterprise resource planning and other key systems, as well as designing information technology general controls over those systems. Companies now need to continue focusing on implementing and monitoring additional automated controls within those systems to reduce risk and reduce the cost of controls.
— Data analytics and continuous monitoring can yield significant benefits, such as:
  - Delivering regular insight into the status of controls and transactions across the company
  - Enhancing overall risk and control oversight capability through early detection and monitoring
  - Enabling an efficient way to vary the nature, timing and extent of testing based on risk.

Companies are not using SOX as a way to add value to their processes

Key findings
— In companies where Internal Audit participates in SOX activities, 55% of the Internal Audit departments spend 75% or more of their total hours on SOX.
— Only 57% of companies indicated improving business processes to decrease the cost of control performance, reduce risk and add value as part of their strategy.

Our point of view
— Companies spending a large proportion of their total Internal Audit hours on SOX should consider how to move their SOX program to a more mature and efficient state where more time and money can be focused towards broader Internal Audit and value creation initiatives.
— When SOX is part of a company’s culture and the program is working efficiently, it can add value rather than just being a compliance exercise. A mature SOX program supports the company’s broader corporate values and strategies and can reduce risk, reduce costs and drive value.

55% of companies vary the number of sample selections based on the associated risk level; this is an approach more companies could use to align the nature and extent of evaluation procedures to risk.

Contents

Executive Summary
Program Structure / Governance
Program Budgets
Risk Assessment
Scoping and Planning
Testing
Reporting and Monitoring
Technology and Tools
Lessons Learned
Survey Demographics
Appendix

Program Structure / Governance

Key takeaways

83% of companies focused their 2016 SOX strategy on minimizing costs related to documentation and testing of processes

Focus on reducing costs has increased from 2015 but on a limited portion of the costs, as only 57% of companies are potentially considering the cost of control performance through improving business processes.

Q. What were the company’s strategies for its SOX program in 2015 and 2016?

[Chart: 2015 vs. 2016 responses. Axis labels: Minimize SOX compliance; Improve business processes; Maximum reliance by external auditors.]

Respondents could select more than one option. n = 58

81%: Companies focused on maximizing reliance by the external auditors

58%: Companies where the SOX program’s day-to-day activities are owned by the Controller / Chief Accounting Officer or Director of Controls Compliance

64%: Companies with involvement by the Controller / Chief Accounting Officer in developing the SOX strategy

For 71% of companies, the external auditor relies on the organization’s test of effectiveness activities either moderately or fully, to the extent possible.

This is significantly higher than the 37% at the same extent of reliance for the test of design. Despite these levels of external audit reliance and that companies are focused on maximizing that reliance, based on the experiences of KPMG professionals, only 19% of companies were able to quantify the savings from reliance either in terms of hours or dollars.

Q. To what extent does the external auditor rely on test of design activities performed by the company?

Q. To what extent does the external auditor rely on test of effectiveness activities performed by the company?

[Two charts, one per question. Legend for both: Company does not perform; No reliance; Minimal; Moderate; Fully, to the extent possible. n = 56; n = 58]

“Savings related to External Audit reliance are unknown.” – Survey commentary

“External Audit has not historically relied on management’s control testing as the SOX testing was performed too late in the year to allow for appropriate planning and reliance.” – Survey commentary

External auditors are only relying on work performed by an internal SOX team in 41% of companies compared to 77% when performed by an outside firm.

Q. Will the external auditor rely on the work performed by departments other than IA?

[Chart; legend: Yes, Sometimes, No]

Of the companies where Internal Audit participates in SOX activities, 55% of the Internal Audit departments spend 75% or more of their total hours on SOX, although internal audits are typically considered the more “value add” activity.

Q. Does the Internal Audit Department participate in the SOX Program?

Q. For Internal Audit departments participating in SOX, what percentage of total Internal Audit hours were related to SOX?

[Two charts, one per question. First chart legend: Yes, No. Second chart categories: 10%, 25%, 50%, 75%, 100%. n = 56; n = 58]

Program Budgets

Key takeaways

43% of companies experienced increasing costs in their SOX program from 2014 to 2015

The cost trends below reflect costs related to control documentation, testing, SOX program governance, etc. (and do not include the cost of control performance). Companies with annual revenue of 500M - 10B were the most likely to experience increasing SOX program costs from 2014 to 2015. These trends reflect the pressures and challenges companies have faced in recent years related to:
— Growing scrutiny from regulators, includi
