State Of The SOX/Internal Controls Market Survey - Workiva

Transcription

2020 State of the SOX/Internal Controls Market Survey

Table of Contents

Introduction
Executive Summary
  Key findings
Survey Demographics
  More C-suite respondents weigh in on SOX/IC Controls Market Survey
Quantifying Processes, Controls, and Compliance
  SOX/IC management is dominated by business process controls
Control Failures
  Control deficiencies persist
Role of Technology
  The market’s use of advanced technology is low
Involvement of Internal Audit
  SOX/IC compliance absorbs more than half of internal audit’s time
Cost of Compliance
  More than half experienced an increase in the cost of compliance
Priorities and Focus for the Year Ahead
  Improving efficiency and creating value for the organization are high priorities
About Our Survey Sponsors
  About the SOX & Internal Controls Professionals Group
  About Workiva

Introduction

Dear Colleagues,

What a difference a year makes. This is the fifth year that the SOX & Internal Controls Professionals Group and Workiva have surveyed the market to assess how companies are managing their Sarbanes-Oxley (SOX) function. Our goal has always been to generate hard data for SOX/IC professionals to use in benchmarking their risk and compliance programs.

The 2020 SOX/Internal Controls Market Survey was conducted as the COVID-19 pandemic began. While the crisis upended the world, the biggest news in accounting controls and compliance was the recent collapse of Wirecard, a German fintech company. The company’s five-year saga is a story of risk management, compliance, and audit failure on a global scale.

Both the COVID-19 crisis and the Wirecard story underscore the value of the SOX function and the commitment of the professionals who keep their organizations informed and protected from financial reporting risk. This sentiment also is reflected in the survey results: two-thirds of respondents indicate organizational leadership highly values the SOX and internal controls program.

Against this backdrop, monitoring and analyzing SOX market trends has never been more relevant.

Improving efficiency in the SOX function was the strongest theme throughout this year’s market survey—through survey questions and write-in comments, it broke out as the top priority for SOX/IC practitioners in 2020.

That said, improving efficiency in any business process takes the right combination of people, process design, and technology. Generally, over time, repeated processes become more efficient, but this hasn’t always been the case for SOX and internal controls. For example, one-third of survey respondents report that they spend more than half their time on SOX.

Survey responses indicate that practitioners will focus on reducing the complexity of internal controls processes in the upcoming year. Optimizing control scoping, testing, and deploying automated control monitoring can contribute to improving the accuracy and quality of internal controls, which, in turn, could help to reduce the amount of time spent on manual testing.

The technology that practitioners use also plays a role in efficiency. More than half of the market uses a SOX-specific software technology tool to execute their SOX compliance program. More than half also are considering adopting continuous controls monitoring (CCM). Yet, for one-third of the market, spreadsheets and desktop publishing tools anchor the SOX compliance program.

The high-risk landscape created by COVID-19 and the emphasis on efficiency makes this the right time to consider the benefits of connected reporting and compliance through a centralized, cloud-based platform. Automating repeatable, reliable processes that gather data reduces risk. Risk analysis is transformed by stronger, more trustworthy, and more accurate data. Teams can collaborate on documents, spreadsheets, and presentations to create high-quality reporting that creates clarity and value for the audit committee, board of directors, and other stakeholders.

Connected data improves accuracy, saves time, and creates value for the entire organization. Seeing past the immediacy of remote readiness and creating an agile and resilient internal controls and compliance function necessitates this.

The SOX/IC professional who can meet these challenges will create new opportunities for high-performance risk management, which in turn, creates value across the entire organization and enables accurate financial reporting, strong corporate governance, and adherence with regulatory compliance.

Sincerely,
Hillary Eckert
Vice President of Product Marketing
Workiva

II. Executive Summary

For the fifth consecutive year, the SOX & Internal Controls Professionals Group and Workiva surveyed the market for insights about the costs, execution, and challenges of complying with Sarbanes-Oxley (SOX).

The survey was conducted online between March and April of 2020, just as the impact of the COVID-19 pandemic began to unfold across the United States. Despite the timing and the circumstances, 428 SOX professionals responded to the survey, a decline from 475 respondents in 2019.

The 2020 State of the SOX/IC Market Survey findings reflect the experience of SOX professionals over time. Survey contributors represent various levels of process maturity and process complexity, and reflect a balanced perspective of the current state of SOX and internal controls management.

Key Findings from the 2020 State of the SOX/IC Market Survey

C-suite places a high value on SOX program.
For the first time, the survey probed for perceptions about organizational leadership’s view of their company’s SOX program. Two-thirds of survey respondents believe that their organization’s leadership views the SOX program as of high or very high value. In an environment where risk is increasing due to process complexities and increasing organizational scale, a congruent view of the SOX program by both corporate leadership and SOX practitioners ensures that SOX has the institutional capital to thrive and be effective.

Efficiency, cybersecurity, and regulatory compliance reign.
The top three priorities for SOX professionals in the coming year are to improve the efficiency of the SOX program, increase the focus on cybersecurity and IT controls, and ensure compliance with SOX. The amount of time SOX professionals spend managing disconnected pieces of data is a driver for prioritizing the efficiency of the SOX function.

Professionals are optimizing SOX to add value.
SOX/IC professionals intend to focus on optimizing SOX control processes as a strategy to add value to their programs in the year ahead. The top three areas of value-add focus are: improving control selection and related testing strategies, control rationalization to reassess and reduce the number of SOX controls, and control automation. Combined, these areas of focus can contribute to the goal of increasing efficiency in SOX execution, which in turn would free up valuable staff time to work on analysis and value-add activities.

No single technology stands out.
On the whole, the adoption of advanced technology tools is a mixed bag. The survey reflects widespread use of software tools designed specifically to manage SOX and GRC. Many of these tools include advanced features like data visualization and some automation. By contrast, one-third of the market continues to use spreadsheets and desktop tools to manage SOX. Despite the fact that SOX compliance has been required for more than 15 years, professionals may never unanimously adopt SOX compliance software—spreadsheets and desktop tools will be the default for smaller public companies that need to meet SOX compliance.

III. Survey Demographics

Survey respondents are in roles that include planning and executing SOX and internal controls programs. They represent a diverse range of industries and company size, from 75 million to 5 billion in annual revenue.

The views of senior management are represented by C-suite- and vice president-level contributors, who account for 17% of this year’s survey respondents compared to 14% in 2019.

The survey also documents the prevalence of SOX compliance in the private sector: one-quarter of survey respondents identify themselves as non-public companies, and 22% of these identify as private companies. There are two key reasons for private companies that are non-SEC registrants and thus not required to comply with SOX regulations to have SOX compliance programs: (i) they issue publicly traded debt, which requires the issuer to have controls over financial reporting; (ii) they are pre-IPO or have aspirations to go public and hence have implemented SOX programs in anticipation of a public listing.

Private capital investors, bank lenders, and nonfinancial regulators take into consideration private companies’ risk management practices as part of their due diligence process. For the private company, SOX risk management—particularly related to technology, cybersecurity, and privacy compliance—offers some assurance to these stakeholders.

[Chart: How would you describe your role? C-suite (CAE, CFO, CAO, CCO, etc.): 7%]

The number of respondents from organizations that generated less than 75 million in revenue increased from 16% to 44% in 2020. The number of respondents who work in organizations that reported more than 5 billion in annual revenue declined from 26% to 23%.

[Chart: What is your organization’s last fiscal year revenue?]

[Chart: In what industry does your company best fit? Categories: Finance, insurance; Manufacturing; Other; Health care; Utilities; Professionals, scientific, technical; Mining, quarrying, oil, gas; Retail trade; Information; Transportation, warehousing; Construction; Real estate, rental, leasing; Arts, entertainment, recreation; Educational services; Agriculture, forestry, fishing, hunting; Waste management; Management of companies; Wholesale trade]

[Chart: Select the category that best fits your external auditor. Categories: Big Four; Local; Regional]

The two most represented industries are finance and insurance and manufacturing, which is unchanged from the 2019 survey.

The Big Four audit firms continue to dominate the field of external auditors used by the companies in which survey respondents are employed. More than 80% of respondents report using the Big Four, while 14% use regional auditors and 5% use local auditors.

IV. Quantifying Processes, Controls, and Compliance

SOX/IC MANAGEMENT IS DOMINATED BY BUSINESS PROCESS CONTROLS

In 2019, our survey focused on the control category, and we continued that same focus in 2020. We asked respondents to break down their controls into entity-level controls, information technology general controls, and business process controls. A dominant portion of controls were business process controls.

[Chart: Of your key controls, how many fit into the entity-level category?]

[Chart: Of your key controls, how many fit into the business process category?]

[Chart: Of your key controls, how many fit into the ITGC category?]

Almost half of respondents report that their organizations manage fewer than 250 key controls. 17% manage fewer than 100 controls compared with 22% in 2019. 31% report managing between 101 and 250 key controls, an increase from 26% in 2019. Only 4% of respondents report that their organizations manage more than 2,000 controls, a slight decrease from 5% in 2019.

[Chart: What is the total number of key/tested controls annually?]

[Chart: How many total locations does your organization have?]

[Chart: Number of internal controls vs. number of locations]

Overall, internal testing and validation teams grew compared to last year’s survey. The number of survey respondents with five or fewer people on their SOX testing and validation team declined to 44% from 50% in last year’s survey results. Respondents who reported teams between 5 and 10 people increased to 30% from 27% last year, teams of 11 to 20 people stayed the same at 12%, and teams between 21 and 50 people increased to 8% from 7% last year. Teams of 50 or more increased to 6% from 4% in 2019.

[Chart: How many people are on your SOX testing and validation team?]

[Chart: How many process/control owners are in your organization?]

There is a correlation between the number of controls and the size of the company’s revenue. Half of the respondents who reported 1–100 internal controls are from organizations with less than 700 million in revenue. Conversely, almost 70% of the respondents who reported more than 2,000 controls come from organizations with more than 5 billion in revenue.

[Chart: What is your SOX compliance model?]

The in-house compliance model increased to 55% from 50% in 2019. 31% reported a co-sourcing model, up from 29% in 2019. 6% of the respondents outsource SOX compliance, up from 5% in 2019. Combined with an increase in the size of testing teams, the results suggest that companies are investing in in-house staff.

V. Control Failures

CONTROL DEFICIENCIES PERSIST

[Chart: In the past fiscal year, did you experience any control issues that led to deficiencies, significant deficiencies, or material weaknesses?]

In 2020, 65% of respondents reported control issues compared to 61% in both 2019 and 2018.

[Chart: How many deficiencies were identified?]

Survey respondents reported sharp increases in the number of deficiencies identified between 1 and 25. 46% of survey respondents report identifying between 1 and 10 control deficiencies, an increase from 34% last year, and 27% report between 11 and 25 control deficiencies, an increase from 16% last year.

[Chart: How many significant deficiencies were identified?]

The number of survey respondents who report zero significant deficiencies is 59%, a slight increase from 53% reported in 2019. 36% reported between 1 and 5 significant deficiencies, and 5% reported 5 or more significant deficiencies.

[Chart: How many material weaknesses were identified?]

The number of survey respondents who report zero material weaknesses is 83%, an increase from 78% reported in last year’s survey. 14% of respondents report between 1 and 5 material weaknesses, a decrease from 18% reported in last year’s survey. 3% of survey respondents report identifying more than 5 material weaknesses, a slight decrease from the 4% who reported more than 5 material weaknesses in last year’s survey.

[Chart: What was the impact of the deficiencies as an absolute percentage of revenue?]

Three quarters of survey respondents report that the impact of control deficiencies was less than 1% of company revenue. Almost 20% of respondents reported an impact between 2% and 5% of revenue. At the opposite end of the range, fewer than 9 respondents reported control deficiencies whose impact was greater than 75% of company revenue.

Similar to previous surveys, respondents identify the same root cause leading to control failures: the control was not properly performed, enforced, or monitored; human error; and poor control design.

[Chart: What were some of the causes for control failures? (2020 vs. 2019) Categories: Poor control design; Control not properly performed, enforced, or monitored; Control was overridden or circumvented; Human error; Unforeseen circumstance; Other, please specify]

VI. Role of Technology

THE MARKET’S USE OF ADVANCED TECHNOLOGIES IS LOW

While the majority of the SOX market uses specialty software to execute and document SOX compliance testing, adoption of analytical tools that help SOX professionals improve their efficiency in the identification of test samples or anomalies within the control processes is less prevalent.

SOX professionals registered a strong interest in using continuous controls monitoring (CCM) in their SOX programs. CCM is typically the initial advent in automation of control testing, and it complements SOX compliance programs by reducing manual controls testing, which, in turn, improves overall program efficiency by deploying SOX resources to analyses of findings.

What is the primary technology tool that you utilize to support your SOX/IC process?
GRC software solution: 20%
SOX-specific software tool: 39%
Desktop tools (e.g., Microsoft Excel, Word, and PowerPoint): 31%
Data analytics tool: 2%
Homegrown

Testing management solution software, either GRC broadly or SOX compliance specifically, is used by close to 60% of the respondents. Almost one-third of the respondents use desktop tools to complete SOX compliance. Spreadsheets and desktop tools are largely the default for smaller public companies that need to meet SOX compliance.

Do you currently use or have you considered using continuous control monitoring (CCM) within your SOX program?
Yes, we have implemented automation: 12%
No, but we are considering it: 56%
No, I don’t know what CCM is: 25%
Other: 7%

More than half of this year’s survey respondents report they are considering adopting CCM, which is a slight increase from 53% reported last year. The number of CCM implementations reported by survey respondents remains unchanged from last year.

VII. Involvement of Internal Audit

SOX/IC COMPLIANCE ABSORBS MORE THAN HALF OF INTERNAL AUDIT’S TIME

What department is in charge of managing SOX/IC compliance in your organization?
Dedicated SOX/IC compliance team: 12%
Financial reporting: 36%
Internal audit: 45%
Legal/compliance: 2%
Other: 5%

45% of respondents identify internal audit as the owner of SOX compliance, which is a slight decline from 46% last year. Additionally, 36% of survey respondents report that financial reporting teams own compliance, which is an increase from 34% last year. This reflects a longer term trend of separating financial reporting from compliance management.

[Chart: What is your internal audit model? Categories: Co-sourced; In-house; Outsourced; N/A - No formal internal audit function]

The share of survey respondents who report an in-house internal audit model is 66%, unchanged from last year. Likewise, the share who report a co-sourced model is unchanged at 21%. 7% of survey respondents report that they outsource internal audit, down from 8% in 2019, and 6% of survey respondents have no formal internal audit function compared with 5% last year.

Internal audit (IA) continues to maintain a high level of involvement in the SOX/IC function across the board. 77% of respondents report that IA is involved in testing and roll forward processes, which is the same as in 2019. 68% are involved in walkthroughs, issue tracking and reporting, down from 72% last year. 64% are involved in risk assessment, up from 63% in 2019. Each of these are primary procedures for measuring how well a company manages its internal controls.

How is internal audit involved with your SOX/IC program?
Control documentation: 53%
Testing and roll forward: 77%
Issue tracking and reporting: 68%
Reporting: 56%
Training: 33%
Project management: 33%
Not involved: 10%

31% of IA teams with SOX responsibility were spending more than 50% of their time on SOX, no change from 2019. Coupled with the data that 44% of these IA teams are managing only 1 to 10 operational audits in addition to SOX, this indicates that the burden of SOX on IA teams is impinging on assurance reviews.

44% of respondents perform between 1 and 10 audits, compared with 39% in 2019. 25% of respondents perform between 11 and 20 audits compared with 29% last year. 20% report performing between 21 and 50 audits compared with 16% last year, and 9% report more than 50 audits compared with 11% last year.

[Chart: What percent of time does internal audit spend on SOX?]

[Chart: In addition to SOX testing, how many operational audits does your organization perform each year?]

VIII. Cost of Compliance

ALMOST HALF EXPERIENCED AN INCREASE IN THE COST OF COMPLIANCE

For your previous fiscal year, what change (if any) did you experience in your overall SOX/IC assessment costs?
Increased significantly: 11% (2020), 10% (2019)
Increased slightly: 33% (2020), 39% (2019)
Remained the same: 44% (2020), 39% (2019)
Decreased slightly: 11% (2020), 8% (2019)
Decreased significantly: 2% (2020), 5% (2019)

A total of 44% of survey respondents report an increase in SOX/IC costs compared with 13% who report a decrease in costs. 44% of survey respondents report SOX/IC compliance costs remained the same.

33% of survey respondents report a slight increase in SOX/IC compliance costs compared to 39% last year, while 11% report a significant increase compared to 10% last year.

11% of survey respondents report a slight decrease in SOX/IC compliance costs compared to 8% last year, while 2% report a significant decrease compared to 5% last year.

44% of survey respondents report spending less than 1 million on SOX compliance compared with 52% in 2019. 18% spend less than 250,000, a decline from 24% in last year’s survey. 27% of survey respondents report spending between 1 million and 3 million on SOX compliance, an increase from 24% compared with last year.

[Chart: What is the company’s annual spend for SOX/IC compliance, including any consulting and external audit fees? (2020 vs. 2019)]

More than half of survey respondents report an increase in external audit fees, a slight increase from 50% in 2019. 9% report a decrease, unchanged from 2019, and 40% report no change in external audit fees, down from 41% compared with last year.

[Chart: For your previous fiscal year, what change (if any) did you experience in your external audit fees? Categories: Increase in external audit fees; No change in external audit fees; Decrease in external audit fees]

IX. Priorities and Focus for the Year Ahead

IMPROVING EFFICIENCY AND CREATING VALUE FOR THE ORGANIZATION ARE HIGH PRIORITIES

What are your organization’s top priorities for this year?
Improve efficiency of the SOX function: 42%
Increasing focus on cybersecurity and IT controls: 41%
Ensure compliance with SOX and other regulators: 36%
Control automation: 28%
Improved transparency into risk, issues/remediation and compliance: 26%
Replace legacy technology with new systems: 24%
Build on talent and skills: 23%
Risk of data integrity and transparency: 15%
Reduce/enhance organization's risk management capabilities: 14%
Identify control requirements for new accounting policies (revenue recognition, lease accounting, and tax): 13%
Strengthen organizational relationships (audit committee, board, external auditors, management, etc.): 12%
Critical audit matters (CAMs): 8%

The top three priorities for SOX professionals in the coming year are improving the efficiency of the SOX program, increasing the focus on cybersecurity and IT controls, and ensuring compliance with SOX. The amount of time SOX professionals spend managing disconnected pieces of data is a driver for prioritizing the efficiency of the SOX function.

[Chart: Which of the following areas are you focusing on to add value to your SOX program? Categories: Control optimization: improving control selection and related testing strategies; Control rationalization to reassess and potentially reduce key controls; Control automation; Modifying testing approach based on external auditor’s reliance model; Minimizing cost to testing controls; Ensuring maximum reliance by external auditor; Changing business processes to maximize business value; Other]

The top three areas of value-add focus are improving control selection and related testing strategies, control rationalization to reassess and reduce the number of SOX controls, and control automation. Combined, these areas of focus can contribute to the goal of increasing efficiency in SOX execution, which, in turn, would free up valuable staff time to work on analysis and value-add activities.

Two-thirds of survey respondents believe that their organization’s leadership views the SOX program as of high or very high value. In an environment where risk is increasing due to process complexities and increasing organizational scale, a congruent view of the SOX program by both corporate leadership and SOX practitioners ensures that SOX has the institutional capital to thrive and be effective.

How is the SOX program in your organization viewed by leadership?
Very high value: 20%
High value: 46%
Neither high nor low value: 27%
Low value: 4%
Very low value: 3%

X. About Our Survey Sponsors

ABOUT THE SOX & INTERNAL CONTROLS PROFESSIONALS GROUP

Members of the SOX & Internal Controls Professionals Group are actively involved with SOX, internal controls, and internal audit processes for public and private companies, including documenting, evaluating and testing internal controls, and processes.

The SOX Pro Group fosters networking and industry thought leadership and provides unique opportunities for members to share best practices.

There is no cost to join, and membership provides access to a broad network of other like-minded professionals while helping them increase their value and influence across their organizations.

Visit soxprofessionalsgroup.org for more information.

ABOUT WORKIVA

Workiva is the provider of the world’s leading connected reporting and compliance platform. Workiva is used by thousands of enterprises across 180 countries, including 75 percent of the 500 largest U.S. companies by total revenue, and by government agencies. Our customers have linked over five billion data elements to build trust in their data, reduce risk, and save time. For more information about Workiva (NYSE:WK), please visit workiva.com.

J109555 20200825

The information contained herein is proprietary to Workiva and cannot be copied, published, or distributed without express prior written consent. Copyright 2020 Workiva Inc. Workiva is a registered trademark of Workiva Inc. All rights reserved. Word, Excel, and PowerPoint are registered trademarks of Microsoft Corporation in the United States and/or other countries.
