Thinking outside the SOX box
Significant opportunity exists to transform your SOX function

In April 2011, Ernst & Young conducted a face-to-face survey with 225 global executives about their SOX compliance functions. For the most part, we found organizations are still treating SOX compliance the same way most of them originally looked at it: as a compliance exercise.

A small proportion of the interviewees, however, have evolved their thinking. Their companies have come to look at SOX the way they look at many of their operations: as an opportunity to innovate, to automate and to gain competitive advantage. These are companies that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge for their SOX function.

Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors:
1. Automate controls
2. Offshore for lower-cost resources
3. Leverage IT investment
4. Innovate strategically

Contacts
Robert F. Cullen III
Partner, Advisory Services
+1 612 343 1000
robert.cullen@ey.com

Sapna Ahuja
Senior Manager, Advisory Services
+1 212 773 5928
sapna.ahuja@ey.com

For related thought leadership from Ernst & Young, please visit: ey.com
Survey questions

Q1. How satisfied are you with the quality of the work produced by your SOX function?
SOX function satisfaction
Most respondents are either satisfied or extremely satisfied with the quality of the work done by their SOX function.
Extremely satisfied: 38%
Satisfied: 58%
Neither satisfied nor dissatisfied: 3%
Somewhat dissatisfied: 2%
Extremely dissatisfied: 0%

Q2. How satisfied are you with the quality of the work produced by your SOX function, the total cost of your SOX function and the ability of your SOX function to add value?
Drop in SOX satisfaction
Respondents are more likely to be extremely satisfied with SOX quality than with either cost or value.
(Quality of work / Cost / Value)
Extremely satisfied: 38% / 19% / 13%
Satisfied: 58% / 51% / 55%
Neither satisfied nor dissatisfied: 3% / 24% / 26%
Somewhat dissatisfied: 2% / 7% / 6%
Extremely dissatisfied: 0% / 0% / 0%
Multiple responses allowed.
Percentages may not total 100 due to rounding.

Q3. What are the key challenges faced by your SOX function?
Satisfaction comparison
The majority of respondents consider adding value to their business a key challenge of the SOX function. Note that cost/level of effort and innovation in control testing strategies were originally asked separately in the questionnaire.
Cost/level of effort and innovation in control testing strategies: 58%
Adding value to the business: 56%
Integration with other risk and compliance functions: 44%
Providing learning and career opportunities for SOX personnel: 37%
Technology-related challenges: 32%
Controls monitoring: 32%
Effectiveness of resources: 25%
Dealing with mergers or acquisitions of private or non-SOX-compliant entities: 16%
Other: 15%
None of the above: 1%
Multiple responses allowed.
Q4. What is the company's annual budget/spend for SOX compliance?
Less than $0.5 million: 18%
$0.5–$0.9 million: 18%
$1–$1.9 million: 27%
$2–$2.9 million: 15%
$3–$4.9 million: 8%
$5 million or more: 14%
Average: US$2,766,742; Median: US$1,200,000

Q5. In total, approximately how many FTEs are dedicated to and reside in the SOX function? Additionally, across the organization, e.g., Internal Audit, business, etc., how many (est.) FTEs are allocated to SOX-related activities?
(Values listed in the order of the chart legend: FTEs residing within the SOX function / Other SOX-related FTEs across the organization)
None: 5% / 15%
Less than 2: 9% / 6%
2 to 5: 42% / 34%
6 to 10: 20% / 15%
11 to 20: 13% / 15%
21+: 11% / 16%
Other SOX-related FTEs across the organization: Average 26; Median 10

Q6. Do you use an outside service provider for SOX services?
Outside service provider used for SOX services
Majority of respondents have an outside provider for one or more SOX services.
No: 48%
Yes: 52%

If yes, how do you use them?
Outside service provider usage
Of all respondents who have an outside service provider, testing is the key service used for the SOX function.
Testing: 74%
Scoping/risk assessment: 18%
PMO: 7%
All of the above: 16%
Other: 14%
Multiple responses allowed.
Q6a. [If you use an outside provider] What percent of the hours spent annually for SOX compliance are performed by the external service provider, excluding external audit?
Internal versus external time spent on SOX compliance
The majority of respondents use their SOX external service provider for less than 25% of the hours spent annually on SOX.
(The two charts on this page were interleaved in the extracted text; values are assigned to each chart by their position.)
Less than 25%: 55%
26–50%: 22%
51–75%: 8%
Over 75%: 13%
Don't know/unsure: 1%

Q7. Is Internal Audit involved in the SOX program?
Internal Audit involvement in SOX program
For most respondents, the Internal Audit Department is involved with the SOX program.
No: 19%
Yes: 81%

If yes, what percent of Internal Audit budget/capacity is spent on SOX testing?
Internal Audit resources spent on SOX testing
Most respondents whose IA Department is involved in the SOX program say that less than 25% of their budget & capacity is spent on SOX testing.
Less than 25%: 59%
26–50%: 29%
51–75%: 10%
Over 75%: 1%
Don't know/unsure: 1%

Q8. What percentage of SOX work is performed by the following:
Resources at corporate headquarters: 60%
Regional resources at other company locations: 26%
Domestic third-party resources: 9%
Other: 2%
Offshore third-party resources: 2%
Offshore resources not at company locations: 1%
Total: 100%
Q9. What percentage of the work performed by the SOX compliance function (walkthroughs and testing) do your external auditors rely on?
Reliance of external auditors on the SOX compliance function
The majority of respondents say that their external auditors rely on at least half of the walkthroughs and testing work performed by the SOX compliance function.
Not available: 7%
Less than 25%: 14%
26–50%: 24%
51–75%: 34%
More than 75%: 21%

Q10. Is SOX incorporated into your Enterprise Risk Management (ERM) program?
Relationship between SOX and ERM
Just over half of respondents incorporate SOX into their ERM programs.
No: 48%
Yes: 52%

Q11. What is your company's total number of SOX-related controls?
Total number of controls
The majority of respondents have fewer than 1000 controls.
Less than 250: 19%
250–499: 24%
500–999: 22%
Between 1,000–2,499: 22%
2,500 or more: 13%

What percentage of your controls are "key" controls?
Key controls as % of total controls
Average key control percentages provided for the corresponding total-number-of-controls categories above. For fewer total controls, the % of key controls is higher than for more controls.
Less than 250: 79%
250–499: 78%
500–999: 72%
Between 1,000–2,499: 66%
2,500 or more: 62%
Q12. On average, how many hours do you spend on each key control?
Design and walkthroughs versus testing controls
Most respondents spend less than five hours on design and walkthrough of each control. By comparison, the majority of respondents spend 5 hours or more on testing per control.
(Less than 5 hours / 5 to 10 hours / 11 to 20 hours / over 20 hours)
Design: 80% / 13% / 6% / 1%
Walk-through: 72% / 25% / 3% / (not shown)
Testing: 39% / 39% / 15% / 8%

Q13. What is the percentage of fully automated controls (vs. manual or IT dependent controls) that make up your total key controls?
Fully automated key controls
Most respondents say that less than a quarter of their key controls are fully automated.
No key controls are fully automated: 1%
Less than 10% of key controls are fully automated: 36%
10% to 25% of key controls are fully automated: 41%
26% to 50% of key controls are fully automated: 19%
51% to 75% of key controls are fully automated: 3%
More than 75% of key controls are fully automated: 0%

Q14. What is the percentage of entity level controls that make up your total key controls?
Entity level controls as percentage of total key controls
Almost all respondents say that less than 25% of their SOX key controls are entity-level controls.
Less than 10% of key controls are entity-level controls: 54%
10%–25% of key controls are entity-level controls: 40%
26%–50% of key controls are entity-level controls: 5%
51%–75% of key controls are entity-level controls: 1%
More than 75% of key controls are entity-level controls: 1%

Q14a. Please provide percentage breakdown of indirect entity-level controls (e.g., tone at the top, policies and procedures) vs. direct monitoring entity level controls (e.g., reconciliations, budget to actual analytics).
Indirect entity-level controls: 50%
Direct monitoring entity-level controls: 50%
Q15. Do you perform a risk-based SOX scoping exercise?
Risk-based scoping exercises
Almost all of the respondents perform risk-based scoping exercises at least once every year.
Yes, annually: 66%
Yes, during initial scope and review mid-year: 31%
No: 2%

Q15a. Please indicate the key attributes of your approach to SOX scoping:
Attributes of scoping
A top-down, risk-based approach and balance sheet and income statement coverage are the key attributes to SOX scoping. By comparison, very few respondents say they use a bottom-up approach.
Top down, risk-based: 84%
Balance sheet/income statement coverage: 84%
Process-level: 57%
Entity-level: 48%
Location coverage: 43%
Bottom-up: 9%
Other: 9%
Multiple responses allowed.

Q16. What impact did PCAOB AS5 have on your SOX scoping exercise?
PCAOB AS5 impact
The majority of respondents noted that the PCAOB AS5 has a moderate to significant impact on their scoping exercise.
(The bar labels were not captured; the values are listed in the order of the AS5 impact categories used elsewhere in the survey: No impact, Minor impact, Moderate impact, Significant impact.)
No impact: 10%
Minor impact: 31%
Moderate impact: 35%
Significant impact: 25%

Q17. When was the last time a rationalization/optimization or some other innovative exercise was conducted?
Innovative exercises
Most respondents noted that they performed rationalization/optimization or other innovative exercises either this fiscal year or last.
Current fiscal year: 52%
Last fiscal year: 19%
Two or more years ago: 24%
Not performed: 4%
Q17a. What techniques were used?
Key techniques
Most respondents utilized rationalization of in-scope controls and the majority rely on more periodic controls.
Rationalization of in-scope controls: 91%
Increased reliance on higher-level quarterly/monthly controls and less on transactional controls: 55%
Automation/Optimization of SOX controls: 42%
Global standardization of control set (if multiple countries/locations): 41%
Use of technology for testing: 22%
Implementation of continuous controls monitoring: 20%
Other: 7%
None of the above: 2%
Multiple responses allowed.

Q18. What tools/software do you use as part of your scoping exercise?
Excel®: 90%
Third-party vendor/software: 19%
In-house developed tool/software: 14%
None: 4%
Multiple responses allowed.

Q19. What is your SOX compliance approach for walkthroughs and testing?
SOX compliance
Testing and walkthroughs of key controls are performed annually by most respondents.
(Walkthrough / Testing)
All controls annually: 21% / 11%
All key controls annually: 50% / 74%
Risk-based selection of controls only: 28% / 24%
Rotational selection of controls only: 7% / 4%
Other: 7% / 5%
Multiple responses allowed.
Q20. What is the frequency of your testing and your roll-forward approach?
Key techniques
Frequency results for testing and roll-forward are fairly evenly distributed over the year among the respondents.
Controls tested continuously throughout the year: 4%
Majority of controls tested in Q1 or Q2 and then roll-forward procedures/testing re-performed in Q4: 23%
Majority of controls tested in Q1 or Q2 and limited roll-forward procedures performed in Q4: 25%
Majority of controls tested later in the year (late Q3/Q4), no roll-forward performed: 29%
Controls testing spread evenly throughout the year: 20%

Q21. For what percent of SOX controls do you perform continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)?
Continuous controls monitoring for SOX controls
Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls.
Do not perform continuous controls monitoring: 65%
Less than 25%: 28%
26%–50%: 3%
51%–75%: 1%
More than 75%: 2%

Q22. For what percent of controls does the company use Control self-assessment (CSA)?
Control self-assessment
The majority of respondents do not use CSA.
Do not use control self-assessment: 58%
Less than 25%: 17%
26%–50%: 5%
51%–75%: 3%
More than 75%: 16%

Q23. For what percent of controls does the company use peer reviews?
Peer reviews
The majority of respondents do not use peer reviews.
Do not use peer reviews: 63%
Less than 25%: 16%
26%–50%: 4%
51%–75%: 4%
More than 75%: 12%
Q24. How often do you use the following as part of your testing process?
Tools used in the testing process
Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process. Among those who use them often or always, data analytics are the most popular technique.
(Never / Sometimes / Often / Always)
Data analytics: 37% / 42% / 15% / 6%
Automated testing methods: 39% / 44% / 14% / 3%
Predictive modeling: 88% / 9% / 2% / 1%

Q25. How are SOX test results/documentation/findings primarily maintained and reported?
Information sharing
One-third of the respondents use Microsoft Office Tools® across a shared drive. One third of the respondents also selected "other."
Excel or Word documents in a shared drive: 34%
Paisley GRC: 9%
Teammate: 8%
OpenPages: 8%
Hardcopy: 4%
SAP GRC: 3%
Bwise: 2%
Archer: 2%
Other: 28%

Q26. In what areas of control testing do you see the most SOX deficiencies?
Deficiencies in control testing area of SOX
The biggest reported problem faced in terms of SOX control testing relates to IT general controls.
IT General controls: 51%
Financial statement close process: 9%
Estimation accounts/accruals: 7%
Tax: 5%
Revenue: 5%
Inventory: 3%
Purchasing: 2%
Derivatives: 1%
SAS 70/SSAE 16: 1%
Spreadsheets: 0%
Off-balance-sheet liabilities: 0%
Other: 14%
Q27. How much do you leverage your SOX testing results with other departments in the company or other compliance/reporting functions?
Leveraging SOX testing results
Respondents leverage SOX testing results most with the Internal Audit department.
(Not at all / Very little / Moderately / fourth category, legend label not captured)
IA: 7% / 13% / 26% / 54%
Regulatory/Compliance: 33% / 39% / 19% / 9%
Legal: 51% / 35% / 11% / 3%

Q28. Do you conduct an annual fraud risk assessment?
Popularity of annual assessment
Nearly two-thirds of the respondents conduct an annual fraud risk assessment.
No: 35%
Yes: 65%

Q28a. If yes, what mechanism do you use?
Methods of fraud risk assessment
The most popular methods of assessment are meetings and hotline calls, although a third of respondents also noted the use of surveys.
Meetings with business process owners: 73%
Review of ethics/hotline calls: 63%
Survey: 37%
Other: 27%
Multiple responses allowed.

Q29. How satisfied are you with the ability of your SOX function to add value?
Value of SOX Function
Fewer respondents were extremely satisfied with the value of the SOX function, as compared to cost and the quality of work. Over one-third of the population said they were less than satisfied with the ability of the SOX function to add value.
Extremely satisfied: 13%
Satisfied: 55%
Neither satisfied nor dissatisfied: 26%
Somewhat dissatisfied: 6%
Extremely dissatisfied: 0%
Multiple question comparisons
(In the comparisons below, satisfaction with the ability of the SOX function to add value is grouped as: Less than satisfied / Satisfied / Extremely satisfied.)

Q2.2. How satisfied are you with the total cost of your SOX function? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Satisfaction with cost (rows) by satisfaction with value (Less than satisfied / Satisfied / Extremely satisfied)
Extremely satisfied: 20% / 42% / 15%
Satisfied: 39% / 44% / 14%
Neither satisfied nor dissatisfied: 1% / 44% / 14%
Somewhat dissatisfied: 88% / 9% / 2%
(Values as captured from the chart; not every row totals 100.)

Q2.10. Is SOX incorporated into your Enterprise Risk Management program? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
SOX incorporated into Enterprise Risk Management program (Less than satisfied / Satisfied / Extremely satisfied)
No: 45% / 43% / 11%
Yes: 21% / 65% / 14%

Q2.7a. [If IA involved in SOX] What percent of Internal Audit budget/capacity is spent on SOX testing? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Percentage of Internal Audit budget/capacity spent on SOX testing (Less than satisfied / Satisfied / Extremely satisfied)
Less than 25%: 29% / 58% / 13%
25–50%: 37% / 48% / 15%
Over 50%: 38% / 56% / 6%
Don't know/unsure: 50% / 50% (only two segments shown)

Q1.4. Annual revenue vs. Q2.11. What is your company's total number of SOX-related controls?
Annual revenue (rows) by total number of controls (Less than 250 / 250–499 / 500–999 / 1,000–2,499 / 2,500 or more)
Less than $1b: 36% / 21% / 36% / 7% (only four segments shown)
$1–10b: 23% / 35% / 23% / 17% / 4%
$11–25b: 22% / 15% / 22% / 32% / 10%
$26–50b: 8% / 24% / 20% / 20% / 28%
More than $50b: 4% / 7% / 18% / 32% / 39%
Q1.4. Annual revenue vs. Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?
Annual revenue (rows) by AS5 impact (No impact / Minor impact / Moderate impact / Significant impact)
Less than $1b: 20% / 67% / 7% / 7%
$1–10b: 15% / 26% / 36% / 23%
$11–25b: 7% / 28% / 35% / 30%
$26–50b: 4% / 19% / 56% / 22%
More than $50b: 43% / 21% / 36% (only three segments shown)

Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
AS5 impact (rows) by satisfaction with value (Less than satisfied / Satisfied / Extremely satisfied)
(The row labels were not captured; rows are assumed to follow the legend order No impact, Minor impact, Moderate impact, Significant impact.)
No impact (assumed): 11% / 58% / 32%
Minor impact (assumed): 34% / 52% / 14%
Moderate impact (assumed): 38% / 54% / 9%
Significant impact (assumed): 31% / 59% / 10%

Q2.21. For what percent of SOX controls do you perform continuous controls monitoring? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Continuous controls monitoring for SOX controls (the chart on this page repeats the Q21 distribution)
Do not perform continuous controls monitoring: 65%
Less than 25%: 28%
26%–50%: 3%
51%–75%: 1%
More than 75%: 2%

Q2.22. For what percent of controls does the company use Control self-assessment (CSA)? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Control self-assessment (CSA) used (Less than satisfied / Satisfied / Extremely satisfied)
No: 37% / 51% / 12%
Yes: 25% / 60% / 14%
Q2.23. For what percent of controls does the company use peer reviews? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Peer reviews used (Less than satisfied / Satisfied / Extremely satisfied)
No: 38% / 50% / 12%
Yes: 22% / 63% / 15%

Q2.28. Do you conduct an annual fraud risk assessment? vs. Q2.29. How satisfied are you with the ability of your SOX function to add value?
Annual fraud risk assessment conducted (Less than satisfied / Satisfied / Extremely satisfied)
No: 41% / 54% / 4%
Yes: 27% / 55% / 18%

Percentages of CCM, CSA and peer review usage for those respondents who were less than satisfied with the ability of their SOX function to add value:
(Use technique / Do not use technique)
CSA: 25% / 37%
Peer review: 22% / 38%
Continuous control monitoring: 19% / 39%