thinking outside the box survey questions
Thinking outside the SOX box
SOX survey questions
Significant opportunity exists to transform your SOX function
In April 2011, Ernst & Young conducted a face-to-face survey with 225 global executives about their SOX compliance functions. For the most part, we found organizations are still treating SOX compliance the same way most of them originally looked at it: as a compliance exercise.
A small proportion of the interviewees, however, have evolved their thinking. Their companies have come to look at SOX the way they look at many of their operations: as an opportunity to innovate, to automate and to gain competitive advantage. These are companies that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge for their SOX function.
Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors:
1. Automate controls
2. Offshore for lower-cost resources
3. Leverage IT investment
4. Innovate strategically
Contacts
Robert F. Cullen III, Partner, Advisory Services, +1 612 343 [email protected]
Sapna Ahuja, Senior Manager, Advisory Services, +1 212 773 [email protected]
For related thought leadership from Ernst & Young, please visit: ey.com
Q1. How satisfied are you with the quality of the work produced by your SOX function?
SOX function satisfaction
Most respondents are either satisfied or extremely satisfied with the quality of the work done by their SOX function.
Extremely satisfied: 38%
Satisfied: 58%
Neither satisfied nor dissatisfied: 3%
Somewhat dissatisfied: 2%
Extremely dissatisfied: 0%
Q2. How satisfied are you with the quality of the work produced by your SOX function, the total cost of your SOX function and the ability of your SOX function to add value?
Drop in SOX satisfaction
Respondents more likely to be extremely satisfied with SOX quality than with either cost or value.
Rating: Quality of work / Cost / Value
Extremely satisfied: 38% / 19% / 13%
Satisfied: 58% / 51% / 55%
Neither satisfied nor dissatisfied: 3% / 24% / 26%
Somewhat dissatisfied: 2% / 7% / 6%
Extremely dissatisfied: 0% / 0% / 0%
Q3. What are the key challenges faced by your SOX function?
Satisfaction comparison
The majority of respondents consider adding value to their business a key challenge of the SOX function.
Note that cost/level of effort and innovation in control testing strategies were originally asked separately in the questionnaire.
Cost/Level of effort and innovation in control testing strategies: 58%
Adding value to the business: 56%
Integration with other risk and compliance functions: 44%
Providing learning and career opportunities for SOX personnel: 37%
Technology-related challenges: 32%
Controls monitoring: 32%
Effectiveness of resources: 25%
Dealing with mergers or acquisitions of private or non-SOX-compliant entities: 16%
Other: 15%
None of the above: 1%
Percentages may not total 100 due to rounding.
Multiple responses allowed.
Q4. What is the company’s annual budget/spend for SOX compliance?
Less than $0.5 million: 18%
$0.5–$0.9 million: 18%
$1–$1.9 million: 27%
$2–$2.9 million: 15%
$3–$4.9 million: 8%
$5 million or more: 14%
Average: US$2,766,742; Median: US$1,200,000
Q5. In total, approximately how many FTEs are dedicated to and reside in the SOX function?
Additionally, across the organization, e.g., Internal Audit, business, etc., how many (est.) FTEs are allocated to SOX-related activities?
[Chart: FTEs residing within the SOX function and other SOX-related FTEs across the organization, by band: None, Less than 2, 2 to 5, 6 to 10, 11 to 20, 21+]
Average: 26; Median: 10
Q6. Do you use an outside service provider for SOX services?
Outside service provider used for SOX services
Majority of respondents have an outside provider for one or more SOX services.
Yes: 52%
No: 48%
If yes, how do you use them?
Outside service provider usage
Of all respondents who have an outside service provider, testing is the key service used for the SOX function.
Testing: 74%
Scoping/risk assessment: 18%
PMO: 7%
All of the above: 16%
Other: 14%
Percentages may not total 100 due to rounding.
Multiple responses allowed.
Q6a. [If you use an outside provider] What percent of the hours spent annually for SOX compliance are performed by the external service provider, excluding external audit?
Internal versus external time spent on SOX compliance
The majority of respondents use their SOX external service provider for less than 25% of the hours spent annually on SOX.
Less than 25%: 55%
26–50%: 22%
51–75%: 8%
Over 75%: 13%
Don’t know/unsure: 1%
Q7. Is Internal Audit involved in the SOX program?
Internal Audit involvement in SOX program
For most respondents, the Internal Audit Department is involved with the SOX program.
Yes: 81%
No: 19%
If yes, what percent of Internal Audit budget/capacity is spent on SOX testing?
Internal Audit resources spent on SOX testing
Most respondents whose IA Department is involved in the SOX program say that less than 25% of their budget & capacity is spent on SOX testing.
Less than 25%: 59%
26%–50%: 29%
51%–75%: 10%
Over 75%: 1%
Don't know/unsure: 1%
Q8. What percentage of SOX work is performed by the following:
Resources at corporate headquarters: 60%
Regional resources at other company locations: 26%
Domestic third-party resources: 9%
Other: 2%
Offshore third-party resources: 2%
Offshore resources not at company locations: 1%
Total: 100%
Percentages may not total 100 due to rounding.
Q9. What percentage of the work performed by the SOX compliance function (walkthroughs and testing) do your external auditors rely on?
Reliance of external auditors on the SOX compliance function
The majority of respondents say that their external auditors rely on at least half of the walkthroughs and testing work performed by the SOX compliance function.
More than 75%: 21%
51–75%: 34%
26–50%: 24%
Less than 25%: 14%
Not available: 7%
Q10. Is SOX incorporated into your Enterprise Risk Management (ERM) program?
Relationship between SOX and ERM
Just over half of respondents incorporate SOX into their ERM programs.
Yes: 52%
No: 48%
Q11. What is your company’s total number of SOX-related controls?
Total number of controls
The majority of respondents have fewer than 1000 controls.
Less than 250: 19%
250–499: 24%
500–999: 22%
Between 1,000–2,499: 22%
2,500 or more: 13%
What percentage of your controls are “key” controls?
Key controls as % of total controls
Average key control percentages provided for the corresponding categories on left. For fewer total controls, the % of key controls is higher than for more controls.
Controls: Percentage
Less than 250: 79%
250–499: 78%
500–999: 72%
Between 1,000–2,499: 66%
2,500 or more: 62%
Percentages may not total 100 due to rounding.
Q12. On average, how many hours do you spend on each key control?
Design and walkthroughs versus testing controls
Most respondents spend less than five hours on design and walkthrough of each control.
By comparison, the majority of respondents spend 5 hours or more on testing per control.
[Chart: share of respondents by hours spent per key control (Less than 5 hours, 5 to 10 hours, 11 to 20 hours, over 20 hours) for Design, Walk-through and Testing]
Q13. What is the percentage of fully automated controls (vs. manual or IT dependent controls) that make up your total key controls?
Fully automated key controls
Most respondents say that less than a quarter of their key controls are fully automated.
No key controls are fully automated: 1%
Less than 10% of key controls are fully automated: 36%
10% to 25% of key controls are fully automated: 41%
26% to 50% of key controls are fully automated: 19%
51% to 75% of key controls are fully automated: 3%
More than 75% of key controls are fully automated: 0%
Q14. What is the percentage of entity level controls that make up your total key controls?
Entity level controls as percentage of total key controls
Almost all respondents say that less than 25% of their SOX key controls are entity-level controls.
Less than 10% of key controls are entity-level controls: 54%
10%–25% of key controls are entity-level controls: 40%
26%–50% of key controls are entity-level controls: 5%
51%–75% of key controls are entity-level controls: 1%
More than 75% of key controls are entity-level controls: 1%
Q14a. Please provide percentage breakdown of indirect entity-level controls (e.g. tone at the top, policies and procedures) vs. direct monitoring entity level controls (e.g., reconciliations, budget to actual analytics).
Type of entity-level controls: %
Indirect entity-level controls: 50%
Direct monitoring entity-level controls: 50%
Percentages may not total 100 due to rounding.
Q15. Do you perform a risk-based SOX scoping exercise?
Risk-based scoping exercises
Almost all of the respondents perform risk-based scoping exercises at least once every year.
Yes, annually: 66%
Yes, during initial scope and review mid-year: 31%
No: 2%
Q15a. Please indicate the key attributes of your approach to SOX scoping:
Attributes of scoping
A top-down, risk-based approach and balance sheet and income statement coverage are the key attributes of SOX scoping.
By comparison, very few respondents say they use a bottom-up approach.
Top down, risk-based: 84%
Balance sheet/income statement coverage: 84%
Process-level: 57%
Entity-level: 48%
Location coverage: 43%
Bottom-up: 9%
Other: 9%
Q16. What impact did PCAOB AS5 have on your SOX scoping exercise?
PCAOB AS5 impact
The majority of respondents noted that the PCAOB AS5 has a moderate to significant impact on their scoping exercise.
[Chart: distribution of responses on the impact of PCAOB AS5 on the scoping exercise]
Q17. When was the last time a rationalization/optimization or some other innovative exercise was conducted?
Innovative exercises
Most respondents noted that they performed rationalization/optimization or other innovative exercises either this fiscal year or last.
Current fiscal year: 52%
Last fiscal year: 19%
Two or more years ago: 24%
Not performed: 4%
Percentages may not total 100 due to rounding.
Multiple responses allowed.
Q17a. What techniques were used?
Key techniques
Most respondents utilized rationalization of in-scope controls and the majority rely on more periodic controls.
Rationalization of in-scope controls: 91%
Increased reliance on higher-level quarterly/monthly controls and less on transactional controls: 55%
Automation/Optimization of SOX controls: 42%
Global standardization of control set (if multiple countries/locations): 41%
Use of technology for testing: 22%
Implementation of continuous controls monitoring: 20%
Other: 7%
None of the above: 2%
Q18. What tools/software do you use as part of your scoping exercise?
Excel®: 90%
Third-party vendor/software: 19%
In-house-developed tool/software: 14%
None: 4%
Q19. What is your SOX compliance approach for walkthroughs and testing?
SOX compliance
Testing and walkthroughs of key controls are performed annually by most respondents.
[Chart: approach for walkthroughs and for testing: All controls annually, All key controls annually, Risk-based selection of controls only, Rotational selection of controls only, Other]
Percentages may not total 100 due to rounding.
Multiple responses allowed.
Q20. What is the frequency of your testing and your roll-forward approach?
Key techniques
Frequency results for testing and roll-forward fairly evenly distributed over the year among the respondents.
Controls tested continuously throughout the year: 4%
Majority of controls tested in Q1 or Q2 and then roll-forward procedures/testing re-performed in Q4: 23%
Majority of controls tested in Q1 or Q2 and limited roll-forward procedures performed in Q4: 25%
Majority of controls tested later in the year (late Q3/Q4), no rollforward performed: 29%
Controls testing spread evenly throughout the year: 20%
Q21. For what percent of SOX controls do you perform continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)?
Continuous controls monitoring
Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls.
Do not perform continuous controls monitoring: 65%
Less than 25%: 28%
26%–50%: 3%
51%–75%: 1%
More than 75%: 2%
Q22. For what percent of controls does the company use Control self-assessment (CSA)?
Control self-assessment
The majority of respondents do not use CSA.
Do not use control self-assessment: 58%
Less than 25%: 17%
26%–50%: 5%
51%–75%: 16%
More than 75%: 3%
Q23. For what percent of controls does the company use peer reviews?
Peer reviews
The majority of respondents do not use peer reviews.
Do not use peer reviews: 63%
Less than 25%: 16%
26%–50%: 4%
51%–75%: 4%
More than 75%: 12%
Percentages may not total 100 due to rounding.
Q24. How often do you use the following as part of your testing process?
Tools used in the testing process
Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process.
Among those who use them often or always, data analytics are the most popular technique.
[Chart: frequency of use (Never, Sometimes, Often, Always) of data analytics, automated testing methods and predictive modeling]
Q25. How are SOX test results/documentation/findings primarily maintained and reported?
Information sharing
One-third of the respondents use Microsoft Office Tools® across a shared drive.
One third of the respondents also selected “other.”
Excel or Word documents in a shared drive: 34%
Paisley GRC: 9%
Teammate: 8%
OpenPages: 8%
Hardcopy: 4%
SAP GRC: 3%
Bwise: 2%
Archer: 2%
Other: 28%
Q26. In what areas of control testing do you see the most SOX deficiencies?
Deficiencies in control testing area of SOX
The biggest reported problem faced in terms of SOX control testing relates to IT general controls.
IT General controls: 51%
Financial statement close process: 9%
Estimation accounts/accruals: 7%
Tax: 5%
Revenue: 5%
Inventory: 3%
Purchasing: 2%
Derivatives: 1%
SAS 70/SSAE 16: 1%
Spreadsheets: 0%
Off-balance-sheet liabilities: 0%
Other: 14%
Percentages may not total 100 due to rounding.
Q27. How much do you leverage your SOX testing results with other departments in the company or other compliance/reporting functions?
Leveraging SOX testing results
Respondents leverage SOX testing results most with the Internal Audit department.
[Chart: extent to which SOX testing results are leveraged with IA, Regulatory/Compliance and Legal (scale includes Not at all, Very little, Moderately)]
Q28. Do you conduct an annual fraud risk assessment?
Popularity of annual assessment
Nearly two-thirds of the respondents conduct an annual fraud risk assessment.
Yes: 65%
No: 35%
Q28a. If yes, what mechanism do you use?
Methods of fraud risk assessment
The most popular methods of assessments are meetings and hotline calls, although a third of respondents also noted the use of surveys.
Meetings with business process owners: 73%
Review of ethics/hotline calls: 63%
Survey: 37%
Other: 27%
Percentages may not total 100 due to rounding.
Multiple responses allowed.
Q29. How satisfied are you with the ability of your SOX function to add value?
Value of SOX Function
Fewer respondents were extremely satisfied with the value of the SOX function, as compared to cost and the quality of work. Over one-third of the population said they were less than satisfied with the ability of the SOX function to add value.
Extremely satisfied: 13%
Satisfied: 55%
Neither satisfied nor dissatisfied: 26%
Somewhat dissatisfied: 6%
Extremely dissatisfied: 0%
Multiple question comparisons
Q2.10. Is SOX incorporated into your Enterprise Risk Management program?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by whether SOX is incorporated into the Enterprise Risk Management program (Yes/No)]
Q1.4. Annual revenue
Q2.11. What is your company’s total number of SOX-related controls?
[Chart: total number of SOX-related controls (Less than 250, 250–499, 500–999, 1,000–2,499, 2,500 or more) by annual revenue (Less than $1b, $1–10b, $11–25b, $26–50b, More than $50b)]
Q2.7a. [If IA involved in SOX] What percent of Internal Audit budget/capacity is spent on SOX testing?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by percentage of Internal Audit budget/capacity spent on SOX testing (Less than 25%, 25–50%, Over 50%, Don't know/unsure)]
Q2.2. How satisfied are you with the total cost of your SOX function?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by satisfaction with cost]
Percentages may not total 100 due to rounding.
Q1.4. Annual revenue
Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?
[Chart: impact of PCAOB AS5 (No impact, Minor impact, Moderate impact, Significant impact) by annual revenue (Less than $1b, $1–10b, $11–25b, $26–50b, More than $50b)]
Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by impact of PCAOB AS5 on the scoping exercise]
Q2.21. For what percent of SOX controls do you perform continuous controls monitoring?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by percentage of SOX controls under continuous controls monitoring]
Q2.22. For what percent of controls does the company use Control self-assessment (CSA)?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by whether control self-assessment (CSA) is used (Yes/No)]
Percentages may not total 100 due to rounding.
Q2.28. Do you conduct an annual fraud risk assessment?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by whether an annual fraud risk assessment is conducted (Yes/No)]
Q2.23. For what percent of controls does the company use peer reviews?
Q2.29. How satisfied are you with the ability of your SOX function to add value?
[Chart: satisfaction with the ability of the SOX function to add value, by whether peer reviews are used (Yes/No)]
Percentages of CCM, CSA and peer review usage for those respondents who were less than satisfied with the ability of their SOX function to add value:
[Chart: CSA, peer review and continuous control monitoring; series: Use technique, Do not use technique]
Percentages may not total 100 due to rounding.
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com
© 2011 EYGM Limited. All Rights Reserved.
EYG No. BT0125
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.