International SEC filers - EY - US · 2017-12-14 · Page 2 Basis of preparation This survey has...
Transcript of International SEC filers - EY - US · 2017-12-14 · Page 2 Basis of preparation This survey has...
International SEC filersSOX Survey 2017
November 2017
Page 2
Basis of preparation
This survey has been prepared by EY EMEIA Capital Markets, using information provided by audit teams serving international SEC filers and where necessary, through interviews of client personnel (the “Respondents”). We have not sought to validate or confirm all of the information provided by the Respondents and therefore there is a risk of misinterpretation by the Respondents or of similar facts and circumstances being reported differently by the Respondents.
As such, while we believe the survey can be used as an enabler to discuss a client’s ICFR (versus other international SEC filers), it is not intended to act as a substitute to a thorough assessment of a client’s ICFR framework for efficiencies, redundancies or improvements.
We hope you find the survey useful and would appreciate any feedback you or your clients may have.
International SEC filers
Page 3
Population breakdown – Channel 1
International SEC filers
By industry By market cap
By revenue
O&G, 11%
T&T, 38%
RE, H&C, 8%
A&T, 13%
M&M, 9%
M&E, 4%FS, 13%Health,
4%
Less than USD1bn,
21%
US$1bn -US$ 10bn,
28%USD10bn -USD25bn,
17%
USD25bn -USD50bn,
21%
More than USD50bn,
13%
Less than USD1bn
25%
USD1bn -USD10bn
34%
USD10bn -USD25bn
17%
USD25bn -USD50bn
11%
More than USD50bn
13%
Country # FPIs % of totalChina 9 19%UK 7 15%Switzerland 4 9%France 3 6%Italy 3 6%Japan 3 6%Canada 2 4%Germany 2 4%Russia 2 4%Others 12 26%Total 47 100%
Page 4
Executive summary
► While the Sarbanes-Oxley Act (“SOX”) is in its 15th year, the results of our survey indicate that even for the largest and most mature companies, SOX compliance is getting harder each year
► There is no ‘right way’ – respondents have a variety of approaches to organise and execute SOX, which are not dependent on size or industry
► But, companies appear to have normalized around a certain split of controls between TLC, ITGCs, application controls, and ELCs
► Respondents who have taken a fresh look at their ICFR have had mixed results – only a third saw a reduction in the number of controls
► On average, one third of the respondents identify at least one significant deficiency each year
International SEC filers
Has SOX evolved as much it perhaps should, since 2002? If not, why not?
Page 5
Some key findings
International SEC filers
75% of respondents believe that SOX has improved their control environment
66% view documenting management review controls and testing IPE as the biggest challenge in the annual SOX assessment
60% of respondents use outside resources to assist with SOX
But 77% view SOX as getting harder each year
Only 10% of respondents consider cyber risk as part of their ICFR assessment
Page 6
The clear pathwayThe more…
Centralisation and Standardisation
Training of control owners/users
Flowcharts for key processes
… the lower the number of control deficiencies
Page 7
Internal controls mix – breakdown by industry
International SEC filers
933 330 1,393
260 796
47
56 72 74 64
464
79 396
67 230
191 48 261 51 202
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
O&G T&T FS All other Total
TLC ELC ITGC Auto. Controls
57% 64% 66% 62%58%
15%
28%19%
15%18%
3%
11%3%
12% 9% 12% 11% 16%
16%5%
Page 8
Where is ICFR managed?
International SEC filers
Our survey indicates that the deficiency rate is comparable, regardless of where ICFR is managed
32%30%
32%
6%
0%
5%
10%
15%
20%
25%
30%
35%
Senior Management andBusiness Unit
Risk and Compliancefunctions
Internal Audit No distinguishable lines
Page 9
Coincidence or not?
► Companies who have documented their processes with FLOWCHARTS have 50% less control deficiencies than those who haven’t
► Companies, which have NOT set the precision of management review controls centrally, identified, on average, 4x more deficiencies on such controls
► Companies who have ICFR KPIs have a HIGHER control deficiency rate than those who don’t use such KPIs
► Companies who provide training to control owners/users, have 50% LESS control deficiencies than those who don’t provide training
International SEC filers
Page 10
Keys to a successful ICFR assessment
International SEC filers
70%
60%
45%40%
15% 13%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Standardizingprocess
The businessrecognizing theadded value ofhaving robust
controlenvironment
Key stakeholder’s (CFO or similar)
involvement in the process
Reducing thescope without
jeopardizing theappropriate effort
to addressmaterial risks
Reducing theexisting IT
applications
Reducing theexisting ERPs
Page 11
Is your audit of ICFR getting harder?
International SEC filers
64%13%
23%
No – We are more efficient each FY and efforts are
reduced
Yes – Auditors increased scope due to regulatory
pressureYes – Getting harder
for other reasons (i.e., business
expansion)
Page 12
Is the ICFR process integrated with ERM or other compliance functions?
International SEC filers
26%
8%
13%
32%
21%
0%
5%
10%
15%
20%
25%
30%
35%
Integrated with both Integrated with ERM Integrated with othercompliance processes
Somewhat integrated It is not integrated
Perhaps surprisingly, the survey indicates that integration with other compliance function is not dependent on the size of the company. 40% of the respondents which are not or only somewhat integrated have market cap > $10bn
Page 13
Have you significantly redesigned your ICFR since initial SOX implementation?
International SEC filers
Yes and the controls were reduced, 36%,
Yes, however the controls remained the
same or increased, 36%
No, 28%,
Reassessment due to business changes and/or increased regulatory requirements does not always result in a decrease in controls.
Page 14
Does your SOX assessment identify at least one Significant Deficiency per year?
International SEC filers
20%
20%
36%
32%
80%
80%
64%
68%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
O&G
FS
All Other
Total
Yes No
Page 15
Correlation of ICFR training x Average control deficiencies
International SEC filers
Companies which do not provide their employees with regular training face as much as ~5 times more TLCs deficiencies than the ones that do provide training
53%
30%
17%
4%6%
23%
0%
10%
20%
30%
40%
50%
60%
Annually When there are material changes inthe requirements (e.g. COSO 13
introduction)
The core ICFR function stays up todate, but we don't provide training to
the business
% of TLCs deficiencies
Page 16
How centralised is your organization’s control environment?
International SEC filers
34%
40%
26%
5%
13% 18%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Very To a reasonable extent No, it is decentralized
Clients % of TLCs deficiencies
Decentralised environments have as much as 3 times more controls deficiencies than the very centralised ones
Page 17
Reliance on shared service centres (SSCs) for standardized processes
International SEC filers
70% of the companies with market cap greater than $10bn rely at some level on SSCs, while such percentage decreases by half, to ~35%, for companies with market cap lower than $10bn.
9%
32%
11%
49%
0%
10%
20%
30%
40%
50%
60%
Most transactions, w/standard processes
Some transactions, w/standard processes
Most transactions, but SSCdoes NOT apply
standardised processes
Some transactions, withoutstandard processes
% of clients
Page 18
Utilisation of service providers
International SEC filers
On average, 60% of the companies utilise service providers at some point of their ICFR assessment. However, there is a great discrepancy when the population is split by market cap: 43% for companies with market cap lower than $10bn vs. 75% for companies with market cap greater than $10bn.
34%
23%
4% 4% 4%
0%
5%
10%
15%
20%
25%
30%
35%
40%
Testing Specific process (e.g.IT)
Scoping PMO Almost completelyoutsourced
O&G and T&T industries account for 55% of the utilisation of service providers for specific process (e.g. IT).
Page 19
Tools used in the ICFR assessment
International SEC filers
Excel files or similar tools
SAP GRC or equivalent
Third-party vendor/software
In-house developed tool
60%
19%
17%
4%
Of the companies who use in-house tools, the great majority are in the Financial Services sector
Page 20
Do you have flowcharts documented for all key processes?
International SEC filers
Decentralised companies, with no flowchart documented, reported, on average, as much as 2x more control deficiencies than very centralised companies, with flowcharts documented for all key financial process
36%
13%
2%
49%
0%
10%
20%
30%
40%
50%
60%
a. Yes – all processes including the SSC have
flowcharts for all key financial processes
b. Yes - but not for the SSC c. Yes - but only for theSSC
d. No
Page 21
Review controls precision ownership Vs review control deficiencies
International SEC filers
Companies, which have not centrally set the precision of their review controls, presented, on average, 4x more deficiencies on their review controls
23%
77%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Centrally defined Not centrally defined
Page 22
Do you have an inventory of the information prepared by the entity (IPE)?
International SEC filers
77%
23%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Yes
No
Not having an inventory of IPEs increases, on average, ~10% the number of IPE related deficiencies
Page 23
Do you ever use a benchmarking testing strategy?
International SEC filers
80% of the respondents who apply some form of benchmarking strategy have a market cap of $10bn or more
4%
15%
81%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Automated portion of ITDM controls Applications controls and Automatedportion of ITDM controls
Do not apply a benchmark strategy
Page 24
Is cyber risk currently considered in your ICFR assessment?
International SEC filers
10%
90%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Yes
No
Page 25
Do you currently have any KPIs linked to ICFR?
International SEC filers
60%
6%
21%
13%
Others
Those respondents who utilise KPIs in their assessment had a higher deficiency rate than those that didn’t
No KPIs in place
No. of control deficiencies and their
respective assessment of severity
Number of deficiencies must be lower than prior
FY
Page 26
Key challenges faced by the ICFR function
International SEC filers
57%53%
47% 45%
38%
26%
0%
10%
20%
30%
40%
50%
60%Ad
equa
cy/e
ffect
iven
ess
of re
sour
ces
in th
eco
mpa
ny to
sup
port
the
wor
k of
the
func
tion
Cos
t vs.
ben
efit
of th
eIC
FR fu
nctio
n
Bein
g vi
ewed
as
aco
mpl
ianc
e ex
erci
sean
d no
t as
a va
lue
adde
d fu
nctio
n
Incr
easi
ng d
eman
dspl
aced
on
us b
y ou
rex
tern
al a
udito
rs
Rap
id c
hang
es in
syst
ems
and
tech
nolo
gies
in th
ebu
sine
ss
Inte
grat
ion
with
oth
erris
k an
d co
mpl
ianc
efu
nctio
n
Page 27
ICFR assessment biggest challenges
International SEC filers
66%
60%
45%
38%
13%
4%
0%
10%
20%
30%
40%
50%
60%
70%
Documentingmanagement
review controls tosatisfy the
external auditor
The need to testIPE when most ofthe data comesdirectly from the
IT systems
The increasingscope of the
auditor's work
The businessunits don't see the
benefit from theassessment and
attestation
Agreeing on theresults with ourexternal auditor
Other
Page 28
Internal controls deficiencies mix –Breakdown by industry
International SEC filers
3% 6% 9%15%
9%
31%34%
43%20% 31%
18% 9%
23%
30% 20%
48% 51%
25%35% 40%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
O&G T&T FS All other Total
IPE IT MRC TLCs
Page 29
TLCs deemed to be review controls
International SEC filers
53%
26%
8%
13%
0%
10%
20%
30%
40%
50%
60%
1% to 20% 21% to 40% 41% to 60% More than 60%
Page 30
TLC deficiencies as a percentage of total TLC
International SEC filers
6%
3%
9%
0%
1%
2%
3%
4%
5%
6%
7%
8%
9%
10%
O&G FS All other
Page 31
Please get in touch
If you have suggestions as to which questions should be added to our next survey or wish to discuss the survey
results in more depth, please contact:
Stuart A. Reid [email protected] Tuma [email protected]
Sonila Routsi [email protected] Bandeira [email protected]
International SEC filers
Page 32
Thank you
International SEC filers
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to oneor more, of the member firms of Ernst & Young Global Limited,each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2017 EYGM Limited.All Rights Reserved.
EY-000047030-01ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com