International SEC filers - EY - US · 2017-12-14 · Page 2 Basis of preparation This survey has...

International SEC filersSOX Survey 2017

November 2017

Basis of preparation

This survey has been prepared by EY EMEIA Capital Markets, using information provided by audit teams serving international SEC filers and where necessary, through interviews of client personnel (the “Respondents”). We have not sought to validate or confirm all of the information provided by the Respondents and therefore there is a risk of misinterpretation by the Respondents or of similar facts and circumstances being reported differently by the Respondents.

As such, while we believe the survey can be used as an enabler to discuss a client’s ICFR (versus other international SEC filers), it is not intended to act as a substitute to a thorough assessment of a client’s ICFR framework for efficiencies, redundancies or improvements.

We hope you find the survey useful and would appreciate any feedback you or your clients may have.

International SEC filers

Population breakdown – Channel 1


By industry By market cap

By revenue

O&G, 11%

T&T, 38%

RE, H&C, 8%

A&T, 13%

M&M, 9%

M&E, 4%FS, 13%Health,

4%

Less than USD1bn,

21%

US$1bn -US$ 10bn,

28%USD10bn -USD25bn,

17%

USD25bn -USD50bn,

21%

More than USD50bn,

13%

Less than USD1bn

25%

USD1bn -USD10bn

34%

USD10bn -USD25bn

17%

USD25bn -USD50bn

11%

More than USD50bn

13%

Country # FPIs % of totalChina 9 19%UK 7 15%Switzerland 4 9%France 3 6%Italy 3 6%Japan 3 6%Canada 2 4%Germany 2 4%Russia 2 4%Others 12 26%Total 47 100%

Executive summary

► While the Sarbanes-Oxley Act (“SOX”) is in its 15th year, the results of our survey indicate that even for the largest and most mature companies, SOX compliance is getting harder each year

► There is no ‘right way’ – respondents have a variety of approaches to organise and execute SOX, which are not dependent on size or industry

► But, companies appear to have normalized around a certain split of controls between TLC, ITGCs, application controls, and ELCs

► Respondents who have taken a fresh look at their ICFR have had mixed results – only a third saw a reduction in the number of controls

► On average, one third of the respondents identify at least one significant deficiency each year


Has SOX evolved as much it perhaps should, since 2002? If not, why not?

Some key findings


75% of respondents believe that SOX has improved their control environment

66% view documenting management review controls and testing IPE as the biggest challenge in the annual SOX assessment

60% of respondents use outside resources to assist with SOX

But 77% view SOX as getting harder each year

Only 10% of respondents consider cyber risk as part of their ICFR assessment

The clear pathwayThe more…

Centralisation and Standardisation

Training of control owners/users

Flowcharts for key processes

… the lower the number of control deficiencies

Internal controls mix – breakdown by industry


933 330 1,393

260 796

47

56 72 74 64

464

79 396

67 230

191 48 261 51 202

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

O&G T&T FS All other Total

TLC ELC ITGC Auto. Controls

57% 64% 66% 62%58%

15%

28%19%

15%18%

3%

11%3%

12% 9% 12% 11% 16%

16%5%

Where is ICFR managed?


Our survey indicates that the deficiency rate is comparable, regardless of where ICFR is managed

32%30%

32%

6%

0%

5%

10%

15%

20%

25%

30%

35%

Senior Management andBusiness Unit

Risk and Compliancefunctions

Internal Audit No distinguishable lines

Coincidence or not?

► Companies who have documented their processes with FLOWCHARTS have 50% less control deficiencies than those who haven’t

► Companies, which have NOT set the precision of management review controls centrally, identified, on average, 4x more deficiencies on such controls

► Companies who have ICFR KPIs have a HIGHER control deficiency rate than those who don’t use such KPIs

► Companies who provide training to control owners/users, have 50% LESS control deficiencies than those who don’t provide training


Keys to a successful ICFR assessment


70%

60%

45%40%

15% 13%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Standardizingprocess

The businessrecognizing theadded value ofhaving robust

controlenvironment

Key stakeholder’s (CFO or similar)

involvement in the process

Reducing thescope without

jeopardizing theappropriate effort

to addressmaterial risks

Reducing theexisting IT

applications

Reducing theexisting ERPs

Is your audit of ICFR getting harder?


64%13%

23%

No – We are more efficient each FY and efforts are

reduced

Yes – Auditors increased scope due to regulatory

pressureYes – Getting harder

for other reasons (i.e., business

expansion)

Is the ICFR process integrated with ERM or other compliance functions?


26%

8%

13%

32%

21%

0%

5%

10%

15%

20%

25%

30%

35%

Integrated with both Integrated with ERM Integrated with othercompliance processes

Somewhat integrated It is not integrated

Perhaps surprisingly, the survey indicates that integration with other compliance function is not dependent on the size of the company. 40% of the respondents which are not or only somewhat integrated have market cap > $10bn

Have you significantly redesigned your ICFR since initial SOX implementation?


Yes and the controls were reduced, 36%,

Yes, however the controls remained the

same or increased, 36%

No, 28%,

Reassessment due to business changes and/or increased regulatory requirements does not always result in a decrease in controls.

Does your SOX assessment identify at least one Significant Deficiency per year?


20%

20%

36%

32%

80%

80%

64%

68%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

O&G

FS

All Other

Total

Yes No

Correlation of ICFR training x Average control deficiencies


Companies which do not provide their employees with regular training face as much as ~5 times more TLCs deficiencies than the ones that do provide training

53%

30%

17%

4%6%

23%

0%

10%

20%

30%

40%

50%

60%

Annually When there are material changes inthe requirements (e.g. COSO 13

introduction)

The core ICFR function stays up todate, but we don't provide training to

the business

% of TLCs deficiencies

How centralised is your organization’s control environment?


34%

40%

26%

5%

13% 18%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

Very To a reasonable extent No, it is decentralized

Clients % of TLCs deficiencies

Decentralised environments have as much as 3 times more controls deficiencies than the very centralised ones

Reliance on shared service centres (SSCs) for standardized processes


70% of the companies with market cap greater than $10bn rely at some level on SSCs, while such percentage decreases by half, to ~35%, for companies with market cap lower than $10bn.

9%

32%

11%

49%

0%

10%

20%

30%

40%

50%

60%

Most transactions, w/standard processes

Some transactions, w/standard processes

Most transactions, but SSCdoes NOT apply

standardised processes

Some transactions, withoutstandard processes

% of clients

Utilisation of service providers


On average, 60% of the companies utilise service providers at some point of their ICFR assessment. However, there is a great discrepancy when the population is split by market cap: 43% for companies with market cap lower than $10bn vs. 75% for companies with market cap greater than $10bn.

34%

23%

4% 4% 4%

0%

5%

10%

15%

20%

25%

30%

35%

40%

Testing Specific process (e.g.IT)

Scoping PMO Almost completelyoutsourced

O&G and T&T industries account for 55% of the utilisation of service providers for specific process (e.g. IT).

Tools used in the ICFR assessment


Excel files or similar tools

SAP GRC or equivalent

Third-party vendor/software

In-house developed tool

60%

19%

17%

4%

Of the companies who use in-house tools, the great majority are in the Financial Services sector

Do you have flowcharts documented for all key processes?


Decentralised companies, with no flowchart documented, reported, on average, as much as 2x more control deficiencies than very centralised companies, with flowcharts documented for all key financial process

36%

13%

2%

49%

0%

10%

20%

30%

40%

50%

60%

a. Yes – all processes including the SSC have

flowcharts for all key financial processes

b. Yes - but not for the SSC c. Yes - but only for theSSC

d. No

Review controls precision ownership Vs review control deficiencies


Companies, which have not centrally set the precision of their review controls, presented, on average, 4x more deficiencies on their review controls

23%

77%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Centrally defined Not centrally defined

Do you have an inventory of the information prepared by the entity (IPE)?


77%

23%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Yes

No

Not having an inventory of IPEs increases, on average, ~10% the number of IPE related deficiencies

Do you ever use a benchmarking testing strategy?


80% of the respondents who apply some form of benchmarking strategy have a market cap of $10bn or more

4%

15%

81%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Automated portion of ITDM controls Applications controls and Automatedportion of ITDM controls

Do not apply a benchmark strategy

Is cyber risk currently considered in your ICFR assessment?


10%

90%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Yes

No

Do you currently have any KPIs linked to ICFR?


60%

6%

21%

13%

Others

Those respondents who utilise KPIs in their assessment had a higher deficiency rate than those that didn’t

No KPIs in place

No. of control deficiencies and their

respective assessment of severity

Number of deficiencies must be lower than prior

FY

Key challenges faced by the ICFR function


57%53%

47% 45%

38%

26%

0%

10%

20%

30%

40%

50%

60%Ad

equa

cy/e

ffect

iven

ess

of re

sour

ces

in th

eco

mpa

ny to

sup

port

the

wor

k of

the

func

tion

Cos

t vs.

ben

efit

of th

eIC

FR fu

nctio

n

Bein

g vi

ewed

as

aco

mpl

ianc

e ex

erci

sean

d no

t as

a va

lue

adde

d fu

nctio

n

Incr

easi

ng d

eman

dspl

aced

on

us b

y ou

rex

tern

al a

udito

rs

Rap

id c

hang

es in

syst

ems

and

tech

nolo

gies

in th

ebu

sine

ss

Inte

grat

ion

with

oth

erris

k an

d co

mpl

ianc

efu

nctio

n

ICFR assessment biggest challenges


66%

60%

45%

38%

13%

4%

0%

10%

20%

30%

40%

50%

60%

70%

Documentingmanagement

review controls tosatisfy the

external auditor

The need to testIPE when most ofthe data comesdirectly from the

IT systems

The increasingscope of the

auditor's work

The businessunits don't see the

benefit from theassessment and

attestation

Agreeing on theresults with ourexternal auditor

Other

Internal controls deficiencies mix –Breakdown by industry


3% 6% 9%15%

9%

31%34%

43%20% 31%

18% 9%

23%

30% 20%

48% 51%

25%35% 40%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

O&G T&T FS All other Total

IPE IT MRC TLCs

TLCs deemed to be review controls


53%

26%

8%

13%

0%

10%

20%

30%

40%

50%

60%

1% to 20% 21% to 40% 41% to 60% More than 60%

TLC deficiencies as a percentage of total TLC


6%

3%

9%

0%

1%

2%

3%

4%

5%

6%

7%

8%

9%

10%

O&G FS All other

Please get in touch

If you have suggestions as to which questions should be added to our next survey or wish to discuss the survey

results in more depth, please contact:

Stuart A. Reid [email protected] Tuma [email protected]

Sonila Routsi [email protected] Bandeira [email protected]


mailto:[email protected]




Thank you


EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to oneor more, of the member firms of Ernst & Young Global Limited,each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited.All Rights Reserved.

EY-000047030-01ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com

International SEC filers - EY - US · 2017-12-14 · Page 2 Basis of preparation This survey has...

Documents

Transcript of International SEC filers - EY - US · 2017-12-14 · Page 2 Basis of preparation This survey has...