2017 Internal Controls Survey - Assets.kpmg


2017 Internal Controls Survey, kpmg.com

Executive summary

Although Sarbanes-Oxley (SOX) is not a new regulation, it has continued to evolve over the last 15 years since it was enacted. We’ve seen additional focus areas from the Public Company Accounting Oversight Board (PCAOB) which increased the levels of documentation, and upcoming changes in key accounting standards may require further changes to systems, controls and documentation. Additionally, the uses of technology and data have changed significantly in this time frame – bringing about new considerations such as using intelligent automation to facilitate business processes or compliance activities. And all of this is happening while organizations strive to take costs out of their SOX programs.

“Organizations are looking at the ‘compliance exercise’ associated with SOX and are trying to reduce the cost aspect. However, to truly see improvement in your SOX program, it’s important to look at the controls through a value lens, rather than just a cost lens.”
– Sue King, KPMG's SOX Solutions Lead

KPMG LLP surveyed more than 100 organizations to compile data related to current SOX trends, challenges and strategies. We are pleased to present the results of this survey to provide insights into how your organization’s SOX program compares with both your industry peers and across the total population of respondents.

Key takeaways

1. A focus on cost reduction targeted specifically at control testing costs, rather than the total cost of control. 52% of strategies included minimizing the cost to test SOX controls vs. only 11% focused on decreasing the cost of performing controls. Organizations may be overlooking the cost of performing control activities, which is typically the largest contributor to the total cost of control.

2. External auditor reliance as the primary strategy used to manage compliance costs and the SOX burden on the organization. The SOX program strategy for 54% of the organizations is to ensure maximum reliance by the external auditor. However, only 23% of organizations are able to quantify the savings achieved as a result of external audit reliance on their organization’s testing. Focusing less on external auditor reliance may open the door to other cost reduction strategies, such as smaller sample sizes or self-assessments in low-risk areas. External auditor reliance should be a deliberate economic decision, weighing the costs and benefits of that strategy vs. other strategies.

3. Lack of confidence in control execution and documentation. Less than half of the respondents (45%) are confident that their controls would pass (i.e., be effective) without testing them. Four out of five top areas of improvement were related to control execution — improving controls over key spreadsheets, increasing control automation, quality of control evidence and overall quality of control performance. However, the common SOX program strategies (maximize external auditor reliance and minimize testing costs) are not aligned with these areas of improvement.

Survey objectives:
- Gain valuable perspectives on how an organization’s SOX program compares to that of its peers.
- Obtain insights into results across the total population of respondents and industry trends.
- Enhance understanding of SOX program maturity.

Detailed findings

Strategy

Strategy for 2017 SOX program: Strategies related to the SOX programs were primarily related to testing aspects – ensuring maximum external auditor reliance (54%), minimizing testing costs (52%), and rationalizing controls (49%).

Organizations in the financial sector (Banking & Capital Markets and Financial Services) were more likely (65%) to include “Change business processes so that the controls are embedded in the process, are not performed just for SOX, and are valuable to the business” as part of their strategy. This may be influenced by the large number of regulatory and compliance activities that need to be embedded within their business processes.

52% of strategies included minimizing the cost to test SOX controls vs. only 11% focused on decreasing the cost of performing controls.

Organizations with annual revenues of 10 billion or more were most likely to include controls rationalization (61%) and focusing efforts on the entity-level and most critical controls (57%) as part of their strategy.

Development of SOX strategy:*
- Driven by those responsible for performing the testing: 46%
- Driven by control and process owners: 41%
- Largely influenced by the external auditor: 38%
- Developed in conjunction with other compliance / assurance functions: 32%
- Driven by the audit committee: 21%
- Developed as a standalone compliance effort: 20%
- Does not have a clear strategy: 2%
*Respondents could select multiple responses

Although the SOX program strategy for 54% of organizations was to ensure maximum external auditor reliance, that strategy was not always driven or largely influenced by the external auditor.

Areas of improvement

Top five areas that are “fine as is” or need only minor tweaks*:
- Improve communication with audit committee: 94%
- Improve the SOX risk assessment process: 82%
- Take control of the SOX program overall: 81%
- Improve system scoping to align with key business processes: 76%
- Improve risk mitigation by changing process design: 75%
*Respondents ranked multiple statements

Top five areas with improvement or significant improvement needed*:
- Increase control automation
- Improve controls over key spreadsheets
- Improve quality and consistency of control performance
- Improve quality of control evidence
- Reduce control testing cost / effort
*Respondents ranked multiple statements

The top areas with improvement needed primarily focus on how controls are performed and documented. Improving control performance and documentation may have a correlation to reducing associated testing costs; however, these responses indicate that perhaps organizations should first focus their strategy on control design and performance, before focusing efforts on reducing testing costs.


There were only two areas where organizations with revenue of 10 billion or more were more likely to believe that improvement or significant improvement was needed in comparison with the full respondent group:
- Focus efforts on critical control areas including significant unusual transactions (10B vs. All)
- Reduce control testing cost / effort (10B vs. All)

Industry trends were noted in industries that often have a more distributed and decentralized nature of operations, such as Industrial Manufacturing, Building, Construction & Real Estate and Consumer Goods:

Only 21% of respondents indicated that expanding into non-SOX business units needed improvement or significant improvement. However, in the Industrial Manufacturing; Building, Construction & Real Estate; and Consumer Goods industries, 42% indicated improvement or significant improvement was needed.

32% of total respondents indicated that redesigning processes to have a more homogeneous environment in order to reduce testing effort (i.e. through shared services) needed improvement or significant improvement. However, in the Industrial Manufacturing; Building, Construction & Real Estate; and Consumer Goods industries, 55% indicated improvement or significant improvement was needed.

State of the SOX program

SOX program’s maturity level:

                          Developing   Evolving   Maturing
All respondents           11%          42%        47%
Less than 1.5 billion     22%          41%        37%
1.5 - 9.9 billion         10%          44%        46%
10 billion or more        (not shown)  43%        57%

Developing: Controls identification and stabilization.
Evolving: Improved risk assessment and scoping, and rationalized controls (optimization of current control environment).
Maturing: Improved business processes which have reduced the cost of control performance, reduced risk, and added value to the business.

Smaller organizations (less than 1.5 billion in revenue) were more likely to be developing, whereas larger organizations (10 billion or more in revenue) were more likely to be at the other end of the maturity spectrum.

Mean responses for agreement with the following statements regarding SOX programs (1 = strongly disagree and 5 = strongly agree):
- Our organization’s culture and tone at the top support our SOX program
- Investors care about material weaknesses
- Our management, executive management, and Board find our SOX program to be valuable
- Changes required to remediate control issues are not only performed to make it through the SOX process, but are also taken seriously going forward
- Our SOX program effectively improves transparency in our organization
- The new revenue recognition and/or lease accounting standards will increase our control performance efforts
- Our organization considers SOX when planning significant business initiatives, such as new information systems, process reengineering, or outsourcing
- We often add key controls based on external auditor requests
- I am confident our controls would pass (i.e., be effective), even without testing them

Only 45% of respondents agreed or strongly agreed with the last statement. This indicates a potential problem with the control culture and that perhaps more effort and strategic focus needs to be placed on the effective and efficient performance of control activities.

Frequency with which issues identified through SOX testing are used to make changes to the process (scale: Never, Rarely, Often, Always, Don’t know):
- To enhance the control environment and reduce risk
- To change the process so controls are more meaningful to the business (not just performed for SOX)
- To make a process more efficient regarding control performance (i.e., increase automated controls)


SOX program execution

Who performs SOX testing:*
- Internal Audit: 75%
- External provider: 62%
- Internal SOX Team: 32%
- Self-testing / peer testing: 22%
- Don’t perform SOX testing: 1%
* Respondents could select multiple responses

Smaller organizations (1.5B or less in revenue) were more likely to use external providers (72%), whereas larger organizations (10B or more in revenue) were more likely to have an internal SOX team (54%) and to incorporate self-testing or peer testing as a component of their SOX program (39%).

For organizations where SOX testing is performed by Internal Audit, the proportion of total Internal Audit hours related to SOX was reported in the bands 1-25%, 26-50%, 51-75% and 76-100%.

In organizations where Internal Audit performs SOX testing, 34% of those organizations spend more than 50% of their total Internal Audit hours on SOX. This is largely the case for organizations with less than 10B in revenue (44%). In organizations with 10B or more in revenue, the burden of SOX testing was often distributed across various parties (Internal Audit, SOX team, other departments, etc.), allowing a larger proportion of Internal Audit hours to be focused on other value-add activities.

How use of an external provider for support with SOX program has changed from 2016 to 2017:
- Using external providers more in 2017
- Using external providers less in 2017
- Using external providers about the same

Frequency of control training for control / process owners (or control performers):
- Less than annually
- Annually
- More than annually
- Don’t know

SOX program costs

How costs are expected to change from 2016 to 2017 in regards to:

Cost and effort for management to perform the control activities: costs will stay the same (66%) or increase (27%); the remaining responses were split between “Cost will decrease” and “Don’t know” (4% and 3%).

Control performance costs are largely staying the same or increasing in 2017; however, only 11% of organizations included focusing on decreasing such costs as part of their SOX program strategy.

SOX compliance activities (costs related to control documentation, control testing, and SOX program governance; not including the cost of control performance):
- Cost will decrease: 16%
- Costs will stay the same: 46%
- Costs will increase: 36%
- Don’t know: 2%

External auditor coordination

Differences in SOX controls for testing in comparison to the external auditor:
- Our organization has more controls in scope for testing than our external auditor
- Our organization and our external auditor have the same number of controls in scope for testing and the controls are the same
- Our organization and our external auditor have approximately the same number of controls in scope for testing; however, the controls vary
- Our external auditor has more controls in scope for testing than our organization

Extent to which the external auditor relies on SOX activities:

                                                  No reliance  Minimal  Moderate  Fully, to the extent possible  Not applicable/not performed
Test of design (i.e., a walkthrough)             3%           28%      13%       31%                            25%
Test of effectiveness (i.e., control testing)    3%           12%      11%       33%                            41%

Able to quantify savings achieved as a result of external auditor reliance, if applicable.

Most common metrics used to quantify and/or monitor savings from external auditor reliance:*
- Total fees saved
- Total hours saved
- Percent reduction in hours
- Percent reduction in fees
- Other
*Respondents could select multiple responses

Approach modifications based on external auditor’s reliance model:*
- We use templates (or nearly similar formats) from external audit in areas of reliance
- We modify sample sizes
- We modify our rollforward approach
- We decrease the level of documentation in areas of non-reliance
- We self-assess (no independent testing) in areas of non-reliance
- Other
- We do not change our approach based on our external auditor’s reliance model
*Respondents could select multiple responses

Technology use in controls

Whether key controls include continuous monitoring controls: Yes / No / Don’t know

Whether key controls include continuous auditing controls: Yes / No / Don’t know

Use of data and analytics (D&A) within SOX program:*
While D&A has been somewhat of a hot topic in recent years, 39% of organizations have not incorporated it into their SOX programs. The most common ways organizations are currently using D&A in the SOX program is to select samples or during the risk assessment process.
- Sample selections
- SOX risk assessment
- As part of a control activity performed by management
- Within control testing
*Respondents could select multiple responses

Use of digital labor/intelligent automation in regards to the SOX program:
- To perform a control activity: Yes / No / Don’t know
- To assist with compliance activities (testing or reporting on controls): Yes / No / Don’t know
