Thinking outside the box survey questions

Thinking outside the SOX box: SOX survey questions


Thinking outside the SOX box

Significant opportunity exists to transform your SOX function

In April 2011, Ernst & Young conducted a face-to-face survey with 225 global executives about their SOX compliance functions. For the most part, we found organizations are still treating SOX compliance the same way most of them originally looked at it: as a compliance exercise.

A small proportion of the interviewees, however, have evolved their thinking. Their companies have come to look at SOX the way they look at many of their operations: as an opportunity to innovate, to automate and to gain competitive advantage. These are companies that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge for their SOX function.

Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors:

1. Automate controls

2. Offshore for lower-cost resources

3. Leverage IT investment

4. Innovate strategically

Contacts

Robert F. Cullen III, Partner, Advisory Services, +1 612 343 [email protected]

Sapna Ahuja, Senior Manager, Advisory Services, +1 212 773 [email protected]

For related thought leadership from Ernst & Young, please visit: ey.com


Survey questions

Q1. How satisfied are you with the quality of the work produced by your SOX function?

SOX function satisfaction: Most respondents are either satisfied or extremely satisfied with the quality of the work done by their SOX function.

Extremely satisfied: 38%
Satisfied: 58%
Neither satisfied nor dissatisfied: 3%
Somewhat dissatisfied: 2%
Extremely dissatisfied: 0%

Q2. How satisfied are you with the quality of the work produced by your SOX function, the total cost of your SOX function and the ability of your SOX function to add value?

Drop in SOX satisfaction: Respondents more likely to be extremely satisfied with SOX quality than with either cost or value.

Extremely satisfied: quality of work 38%, cost 19%, value 13%
Satisfied: quality of work 58%, cost 51%, value 55%
Neither satisfied nor dissatisfied: quality of work 3%, cost 24%, value 26%
Somewhat dissatisfied: quality of work 2%, cost 7%, value 6%
Extremely dissatisfied: quality of work 0%, cost 0%, value 0%

Q3. What are the key challenges faced by your SOX function?

Satisfaction comparison: The majority of respondents consider adding value to their business a key challenge of the SOX function.

Note that cost/level of effort and innovation in control testing strategies were originally asked separately in the questionnaire.

Cost/Level of effort and innovation in control testing strategies: 58%
Adding value to the business: 56%
Integration with other risk and compliance functions: 44%
Providing learning and career opportunities for SOX personnel: 37%
Technology-related challenges: 32%
Controls monitoring: 32%
Effectiveness of resources: 25%
Dealing with mergers or acquisitions of private or non-SOX-compliant entities: 16%
Other: 15%
None of the above: 1%

Percentages may not total 100 due to rounding.

Multiple responses allowed.


Q4. What is the company’s annual budget/spend for SOX compliance?

Less than $0.5 million: 18%
$0.5–$0.9 million: 18%
$1–$1.9 million: 27%
$2–$2.9 million: 15%
$3–$4.9 million: 8%
$5 million or more: 14%

Average: US$2,766,742. Median: US$1,200,000.

Q5. In total, approximately how many FTEs are dedicated to and reside in the SOX function?

Additionally, across the organization, e.g., Internal Audit, business, etc., how many (est.) FTEs are allocated to SOX-related activities?

[Chart: FTEs residing within the SOX function and other SOX-related FTEs across the organization, by number of FTEs (None, Less than 2, 2 to 5, 6 to 10, 11 to 20, 21+)]

Average: 26. Median: 10.

Q6. Do you use an outside service provider for SOX services?

Outside service provider used for SOX services: Majority of respondents have an outside provider for one or more SOX services.

Yes: 52%
No: 48%

If yes, how do you use them?

Outside service provider usage: Of all respondents who have an outside service provider, testing is the key service used for the SOX function.

Testing: 74%
Scoping/risk assessment: 18%
PMO: 7%
All of the above: 16%
Other: 14%

Percentages may not total 100 due to rounding.

Multiple responses allowed.


Q6a. [If you use an outside provider] What percent of the hours spent annually for SOX compliance are performed by the external service provider, excluding external audit?

Internal versus external time spent on SOX compliance: The majority of respondents use their SOX external service provider for less than 25% of the hours spent annually on SOX.

Less than 25%: 55%
26 - 50%: 22%
51 - 75%: 8%
Over 75%: 13%
Don’t know/unsure: 1%

Q7. Is Internal Audit involved in the SOX program?

Internal Audit involvement in SOX program: For most respondents, the Internal Audit Department is involved with the SOX program.

Yes: 81%
No: 19%

If yes, what percent of Internal Audit budget/capacity is spent on SOX testing?

Internal Audit resources spent on SOX testing: Most respondents whose IA Department is involved in the SOX program say that less than 25% of their budget & capacity is spent on SOX testing.

Less than 25%: 59%
26%–50%: 29%
51%–75%: 10%
Over 75%: 1%
Don't know/unsure: 1%

Q8. What percentage of SOX work is performed by the following:

Resources at corporate headquarters: 60%
Regional resources at other company locations: 26%
Domestic third-party resources: 9%
Other: 2%
Offshore third-party resources: 2%
Offshore resources not at company locations: 1%
Total: 100%

Percentages may not total 100 due to rounding.


Q9. What percentage of the work performed by the SOX compliance function (walkthroughs and testing) do your external auditors rely on?

Reliance of external auditors on the SOX compliance function: The majority of respondents say that their external auditors rely on at least half of the walkthroughs and testing work performed by the SOX compliance function.

More than 75%: 21%
51 - 75%: 34%
26 - 50%: 24%
Less than 25%: 14%
Not available: 7%

Q10. Is SOX incorporated into your Enterprise Risk Management (ERM) program?

Relationship between SOX and ERM: Just over half of respondents incorporate SOX into their ERM programs.

Yes: 52%
No: 48%

Q11. What is your company’s total number of SOX-related controls?

Total number of controls: The majority of respondents have fewer than 1000 controls.

Less than 250: 19%
250–499: 24%
500–999: 22%
Between 1,000–2,499: 22%
2,500 or more: 13%

What percentage of your controls are “key” controls?

Key controls as % of total controls: Average key control percentages provided for the corresponding categories on left. For fewer total controls, the % of key controls is higher than for more controls.

Controls: Percentage
Less than 250: 79%
250–499: 78%
500–999: 72%
Between 1,000–2,499: 66%
2,500 or more: 62%

Percentages may not total 100 due to rounding.


Q12. On average, how many hours do you spend on each key control?

Design and walkthroughs versus testing controls: Most respondents spend less than five hours on design and walkthrough of each control.

By comparison, the majority of respondents spend 5 hours or more on testing per control.

[Chart: hours spent per key control on design, walk-through and testing, by band (Less than 5 hours, 5 to 10 hours, 11 to 20 hours, over 20 hours)]

Q13. What is the percentage of fully automated controls (vs. manual or IT dependent controls) that make up your total key controls?

Fully automated key controls: Most respondents say that less than a quarter of their key controls are fully automated.

No key controls are fully automated: 1%
Less than 10% of key controls are fully automated: 36%
10% to 25% of key controls are fully automated: 41%
26% to 50% of key controls are fully automated: 19%
51% to 75% of key controls are fully automated: 3%
More than 75% of key controls are fully automated: 0%

Q14. What is the percentage of entity level controls that make up your total key controls?

Entity level controls as percentage of total key controls: Almost all respondents say that less than 25% of their SOX key controls are entity-level controls.

Less than 10% of key controls are entity-level controls: 54%
10%–25% of key controls are entity-level controls: 40%
26%–50% of key controls are entity-level controls: 5%
51%–75% of key controls are entity-level controls: 1%
More than 75% of key controls are entity level controls: 1%

Q14a. Please provide percentage breakdown of indirect entity-level controls (e.g. tone at the top, policies and procedures) vs. direct monitoring entity level controls (e.g., reconciliations, budget to actual analytics).

Type of entity-level controls: %
Indirect entity-level controls: 50%
Direct monitoring entity-level controls: 50%

Percentages may not total 100 due to rounding.


Q15. Do you perform a risk-based SOX scoping exercise?

Risk-based scoping exercises: Almost all of the respondents perform risk-based scoping exercises at least once every year.

Yes, annually: 66%
Yes, during initial scope and review mid-year: 31%
No: 2%

Q15a. Please indicate the key attributes of your approach to SOX scoping:

Attributes of scoping: A top-down, risk-based approach and balance sheet and income statement coverage are the key attributes of SOX scoping.

By comparison, very few respondents say they use a bottom-up approach.

Top down, risk-based: 84%
Balance sheet/income statement coverage: 84%
Process-level: 57%
Entity-level: 48%
Location coverage: 43%
Bottom-up: 9%
Other: 9%

Q16. What impact did PCAOB AS5 have on your SOX scoping exercise?

PCAOB AS5 impact: The majority of respondents noted that the PCAOB AS5 has a moderate to significant impact on their scoping exercise.

[Chart: impact of PCAOB AS5 on the SOX scoping exercise]

Q17. When was the last time a rationalization/optimization or some other innovative exercise was conducted?

Innovative exercises: Most respondents noted that they performed rationalization/optimization or other innovative exercises either this fiscal year or last.

Current fiscal year: 52%
Last fiscal year: 19%
Two or more years ago: 24%
Not performed: 4%

Percentages may not total 100 due to rounding.

Multiple responses allowed.


Q17a. What techniques were used?

Key techniques: Most respondents utilized rationalization of in-scoping controls and the majority rely on more periodic controls.

Rationalization of in-scope controls: 91%
Increased reliance on higher-level quarterly/monthly controls and less on transactional controls: 55%
Automation/Optimization of SOX controls: 42%
Global standardization of control set (if multiple countries/locations): 41%
Use of technology for testing: 22%
Implementation of continuous controls monitoring: 20%
Other: 7%
None of the above: 2%

Q18. What tools/software do you use as part of your scoping exercise?

Excel®: 90%
Third-party vendor/software: 19%
In-house–developed tool/software: 14%
None: 4%

Q19. What is your SOX compliance approach for walkthroughs and testing?

SOX compliance: Testing and walkthroughs of key controls are performed annually by most respondents.

[Chart: walkthrough and testing approach, by category (All controls annually, All key controls annually, Risk-based selection of controls only, Rotational selection of controls only, Other)]

Percentages may not total 100 due to rounding.

Multiple responses allowed.


Q20. What is the frequency of your testing and your roll-forward approach?

Key techniques: Frequency results for testing and roll-forward fairly evenly distributed over the year among the respondents.

Controls testing spread evenly throughout the year: 20%
Majority of controls tested later in the year (late Q3/Q4), no rollforward performed: 29%
Majority of controls tested in Q1 or Q2 and limited roll-forward procedures performed in Q4: 25%
Majority of controls tested in Q1 or Q2 and then roll-forward procedures/testing re-performed in Q4: 23%
Controls tested continuously throughout the year: 4%

Q21. For what percent of SOX controls do you perform continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)?

Continuous controls monitoring: Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls.

Do not perform continuous controls monitoring: 65%
Less than 25%: 28%
26%–50%: 3%
51%–75%: 1%
More than 75%: 2%

Q22. For what percent of controls does the company use Control self-assessment (CSA)?

Control self-assessment: The majority of respondents do not use CSA.

Do not use control self-assessment: 58%
Less than 25%: 17%
26%–50%: 5%
51%–75%: 16%
More than 75%: 3%

Q23. For what percent of controls does the company use peer reviews?

Peer reviews: The majority of respondents do not use peer reviews.

Do not use peer reviews: 63%
Less than 25%: 16%
26%–50%: 4%
51%–75%: 4%
More than 75%: 12%

Percentages may not total 100 due to rounding.


Q24. How often do you use the following as part of your testing process?

Tools used in the testing process: Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process.

Among those who use them often or always, data analytics are the most popular technique.

[Chart: frequency of use (Never, Sometimes, Often, Always) of data analytics, automated testing methods and predictive modeling]

Q25. How are SOX test results/documentation/findings primarily maintained and reported?

Information sharing: One-third of the respondents use Microsoft Office Tools® across a shared drive.

One third of the respondents also selected “other.”

Excel or Word documents in a shared drive: 34%
Paisley GRC: 9%
Teammate: 8%
OpenPages: 8%
Hardcopy: 4%
SAP GRC: 3%
Bwise: 2%
Archer: 2%
Other: 28%

Q26. In what areas of control testing do you see the most SOX deficiencies?

Deficiencies in control testing area of SOX: The biggest reported problem faced in terms of SOX control testing relates to IT general controls.

IT General controls: 51%
Financial statement close process: 9%
Estimation accounts/accruals: 7%
Tax: 5%
Revenue: 5%
Inventory: 3%
Purchasing: 2%
Derivatives: 1%
SAS 70/SSAE 16: 1%
Spreadsheets: 0%
Off-balance-sheet liabilities: 0%
Other: 14%

Percentages may not total 100 due to rounding.


Q27. How much do you leverage your SOX testing results with other departments in the company or other compliance/reporting functions?

Leveraging SOX testing results: Respondents leverage SOX testing results most with the Internal Audit department.

[Chart: extent to which SOX testing results are leveraged with IA, Regulatory/Compliance and Legal]

Q28. Do you conduct an annual fraud risk assessment?

Popularity of annual assessment: Nearly two-thirds of the respondents conduct an annual fraud risk assessment.

Yes: 65%
No: 35%

Q28a. If yes, what mechanism do you use?

Methods of fraud risk assessment: The most popular methods of assessments are meetings and hotline calls, although a third of respondents also noted the use of surveys.

Meetings with business process owners: 73%
Review of ethics/hotline calls: 63%
Survey: 37%
Other: 27%

Percentages may not total 100 due to rounding.

Multiple responses allowed.

Q29. How satisfied are you with the ability of your SOX function to add value?

Value of SOX Function: Fewer respondents were extremely satisfied with the value of the SOX function, as compared to cost and the quality of work. Over one-third of the population said they were less than satisfied with the ability of the SOX function to add value.

Extremely satisfied: 13%
Satisfied: 55%
Neither satisfied nor dissatisfied: 26%
Somewhat dissatisfied: 6%
Extremely dissatisfied: 0%


Multiple question comparisons

Q2.10. Is SOX incorporated into your Enterprise Risk Management program?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by whether SOX is incorporated into the Enterprise Risk Management program (Yes, No)]

Q1.4. Annual revenue

Q2.11. What is your company’s total number of SOX-related controls?

[Chart: total number of SOX-related controls (Less than 250, 250 - 499, 500 - 999, 1,000 - 2,499, 2,500 or more), by annual revenue (Less than $1b, $1 - 10b, $11 - 25b, $26 - 50b, More than $50b)]

Q2.7a. [If IA involved in SOX] What percent of Internal Audit budget/capacity is spent on SOX testing?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by percentage of Internal Audit budget/capacity spent on SOX testing (Less than 25%, 25 - 50%, Over 50%, Don't know/unsure)]

Q2.2. How satisfied are you with the total cost of your SOX function?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by satisfaction with cost]

Percentages may not total 100 due to rounding.


Q1.4. Annual revenue

Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?

[Chart: impact of PCAOB AS5 on the SOX scoping exercise (No impact, Minor impact, Moderate impact, Significant impact), by annual revenue (Less than $1b, $1 - 10b, $11 - 25b, $26 - 50b, More than $50b)]

Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by impact of PCAOB AS5 on the SOX scoping exercise]

Q2.21. For what percent of SOX controls do you perform continuous controls monitoring?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by continuous controls monitoring for SOX controls]

Q2.22. For what percent of controls does the company use Control self-assessment (CSA)?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by whether continuous self assessment (CSA) is used (Yes, No)]

Percentages may not total 100 due to rounding.


Q2.28. Do you conduct an annual fraud risk assessment?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by whether an annual fraud risk assessment is conducted (Yes, No)]

Percentages may not total 100 due to rounding.

Percentages of CCM, CSA and peer review usage for those respondents who were less than satisfied with the ability of their SOX function to add value:

[Chart: continuous control monitoring, peer review and CSA; series: Use technique, Do not use technique]

Q2.23. For what percent of controls does the company use peer reviews?

Q2.29. How satisfied are you with the ability of your SOX function to add value?

[Chart: satisfaction with the ability of the SOX function to add value, by whether peer reviews are used (Yes, No)]


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

© 2011 EYGM Limited. All Rights Reserved.

EYG No. BT0125

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.