Thinking outside the box survey questions

Published in: Business, Economy & Finance

  1. 1. Thinking outside the SOX box: SOX survey questions
  3. 3. Thinking outside the SOX box

     Significant opportunity exists to transform your SOX function

     In April 2011, Ernst & Young conducted a face-to-face survey with 225 global executives about their SOX compliance functions. For the most part, we found organizations are still treating SOX compliance the same way most of them originally looked at it: as a compliance exercise.

     A small proportion of the interviewees, however, have evolved their thinking. Their companies have come to look at SOX the way they look at many of their operations: as an opportunity to innovate, to automate and to gain competitive advantage. These are companies that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business, which 56% of the executives considered a key challenge for their SOX function.

     Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors:
     1. Automate controls
     2. Offshore for lower-cost resources
     3. Leverage IT investment
     4. Innovate strategically

     Contacts
     - Robert F. Cullen III, Partner, Advisory Services, +1 612 343 1000, robert.cullen@ey.com
     - Sapna Ahuja, Senior Manager, Advisory Services, +1 212 773 5928, sapna.ahuja@ey.com

     For related thought leadership from Ernst & Young, please visit: ey.com
  4. 4. Survey questions

     Q1. How satisfied are you with the quality of the work produced by your SOX function?
     SOX function satisfaction: Most respondents are either satisfied or extremely satisfied with the quality of the work done by their SOX function.
     - Extremely satisfied: 38%
     - Satisfied: 58%
     - Neither satisfied nor dissatisfied: 3%
     - Somewhat dissatisfied: 2%
     - Extremely dissatisfied: 0%

     Q2. How satisfied are you with the quality of the work produced by your SOX function, the total cost of your SOX function and the ability of your SOX function to add value?
     Drop in SOX satisfaction: Respondents more likely to be extremely satisfied with SOX quality than with either cost or value.
     Values are listed as quality of work / cost / value.
     - Extremely satisfied: 38% / 19% / 13%
     - Satisfied: 58% / 51% / 55%
     - Neither satisfied nor dissatisfied: 3% / 24% / 26%
     - Somewhat dissatisfied: 2% / 7% / 6%
     - Extremely dissatisfied: 0% / 0% / 0%
     Multiple responses allowed.

     Q3. What are the key challenges faced by your SOX function?
     Satisfaction comparison: The majority of respondents consider adding value to their business a key challenge of the SOX function. Note that cost/level of effort and innovation in control testing strategies were originally asked separately in the questionnaire.
     - Cost/level of effort and innovation in control testing strategies: 58%
     - Adding value to the business: 56%
     - Integration with other risk and compliance functions: 44%
     - Providing learning and career opportunities for SOX personnel: 37%
     - Technology-related challenges: 32%
     - Controls monitoring: 32%
     - Effectiveness of resources: 25%
     - Dealing with mergers or acquisitions of private or non-SOX-compliant entities: 16%
     - Other: 15%
     - None of the above: 1%
     Multiple responses allowed.

     Percentages may not total 100 due to rounding.
  5. 5. Q4. What is the company’s annual budget/spend for SOX compliance?
     Satisfaction comparison: The majority of respondents consider adding value to their business a key challenge of the SOX function. Note that cost/level of effort and innovation in control testing strategies were originally asked separately in the questionnaire.
     - Less than $0.5 million: 18%
     - $0.5–$0.9 million: 18%
     - $1–$1.9 million: 27%
     - $2–$2.9 million: 15%
     - $3–$4.9 million: 8%
     - $5 million or more: 14%
     Average: US$2,766,742. Median: US$1,200,000.

     Q5. In total, approximately how many FTEs are dedicated to and reside in the SOX function? Additionally, across the organization, e.g., Internal Audit, business, etc., how many (est.) FTEs are allocated to SOX-related activities?
     Average: 26. Median: 10.
     The chart has two series (legend: FTEs residing within the SOX function; Other SOX-related FTEs across the organization). The two values per band are given in the order they appear.
     - None: 5% / 15%
     - Less than 2: 9% / 6%
     - 2 to 5: 42% / 34%
     - 6 to 10: 20% / 15%
     - 11 to 20: 13% / 15%
     - 21+: 11% / 16%

     Q6. Do you use an outside service provider for SOX services?
     Outside service provider used for SOX services: Majority of respondents have an outside provider for one or more SOX services.
     - Yes: 52%
     - No: 48%

     If yes, how do you use them?
     Outside service provider usage: Of all respondents who have an outside service provider, testing is the key service used for the SOX function.
     - Testing: 74%
     - Scoping/risk assessment: 18%
     - PMO: 7%
     - All of the above: 16%
     - Other: 14%
     Multiple responses allowed.

     Percentages may not total 100 due to rounding.
  6. 6. Q6a. [If you use an outside provider] What percent of the hours spent annually for SOX compliance are performed by the external service provider, excluding external audit?
     Internal versus external time spent on SOX compliance: The majority of respondents use their SOX external service provider for less than 25% of the hours spent annually on SOX.

     Q7. Is Internal Audit involved in the SOX program?
     Internal Audit involvement in SOX program: For most respondents, the Internal Audit Department is involved with the SOX program.
     - Yes: 81%
     - No: 19%

     If yes, what percent of Internal Audit budget/capacity is spent on SOX testing?
     Internal Audit resources spent on SOX testing: Most respondents whose IA Department is involved in the SOX program say that less than 25% of their budget & capacity is spent on SOX testing.

     Values of the two bar charts on this slide (Q6a and Internal Audit budget/capacity), in the order they appear:
     - Less than 25%: 59%; 26%–50%: 29%; 51%–75%: 10%; Over 75%: 1%; Don't know/unsure: 1%
     - Less than 25%: 55%; 26 - 50%: 22%; 51 - 75%: 8%; Over 75%: 13%; Don’t know/unsure: 1%

     Q8. What percentage of SOX work is performed by the following:
     - Resources at corporate headquarters: 60%
     - Regional resources at other company locations: 26%
     - Domestic third-party resources: 9%
     - Other: 2%
     - Offshore third-party resources: 2%
     - Offshore resources not at company locations: 1%
     - Total: 100%

     Percentages may not total 100 due to rounding.
  7. 7. Q9. What percentage of the work performed by the SOX compliance function (walkthroughs and testing) do your external auditors rely on?
     Reliance of external auditors on the SOX compliance function: The majority of respondents say that their external auditors rely on at least half of the walkthroughs and testing work performed by the SOX compliance function.
     - Not available: 7%
     - Less than 25%: 14%
     - 26 - 50%: 24%
     - 51 - 75%: 34%
     - More than 75%: 21%

     Q10. Is SOX incorporated into your Enterprise Risk Management (ERM) program?
     Relationship between SOX and ERM: Just over half of respondents incorporate SOX into their ERM programs.
     - Yes: 52%
     - No: 48%

     Q11. What is your company’s total number of SOX-related controls?
     Total number of controls: The majority of respondents have fewer than 1000 controls.
     - Less than 250: 19%
     - 250–499: 24%
     - 500–999: 22%
     - Between 1,000–2,499: 22%
     - 2,500 or more: 13%

     What percentage of your controls are “key” controls?
     Key controls as % of total controls: Average key control percentages provided for the corresponding categories of total controls. For fewer total controls, the % of key controls is higher than for more controls.
     - Less than 250: 79%
     - 250–499: 78%
     - 500–999: 72%
     - Between 1,000–2,499: 66%
     - 2,500 or more: 62%

     Percentages may not total 100 due to rounding.
  8. 8. Q12. On average, how many hours do you spend on each key control?
     Design and walkthroughs versus testing controls: Most respondents spend less than five hours on design and walkthrough of each control. By comparison, the majority of respondents spend 5 hours or more on testing per control.
     Values are given in the order they appear (legend: less than 5 hours, 5 to 10 hours, 11 to 20 hours, over 20 hours).
     - Design: 80% / 13% / 6% / 1%
     - Walk-through: 72% / 25% / 3%
     - Testing: 39% / 39% / 15% / 8%

     Q13. What is the percentage of fully automated controls (vs. manual or IT dependent controls) that make up your total key controls?
     Fully automated key controls: Most respondents say that less than a quarter of their key controls are fully automated.
     - No key controls are fully automated: 1%
     - Less than 10% of key controls are fully automated: 36%
     - 10% to 25% of key controls are fully automated: 41%
     - 26% to 50% of key controls are fully automated: 19%
     - 51% to 75% of key controls are fully automated: 3%
     - More than 75% of key controls are fully automated: 0%

     Q14. What is the percentage of entity level controls that make up your total key controls?
     Entity level controls as percentage of total key controls: Almost all respondents say that less than 25% of their SOX key controls are entity-level controls.
     - Less than 10% of key controls are entity-level controls: 54%
     - 10%–25% of key controls are entity-level controls: 40%
     - 26%–50% of key controls are entity-level controls: 5%
     - 51%–75% of key controls are entity-level controls: 1%
     - More than 75% of key controls are entity-level controls: 1%

     Q14a. Please provide percentage breakdown of indirect entity-level controls (e.g. tone at the top, policies and procedures) vs. direct monitoring entity level controls (e.g., reconciliations, budget to actual analytics).
     Type of entity-level controls:
     - Indirect entity-level controls: 50%
     - Direct monitoring entity-level controls: 50%

     Percentages may not total 100 due to rounding.
  9. 9. Q15. Do you perform a risk-based SOX scoping exercise?
     Risk-based scoping exercises: Almost all of the respondents perform risk-based scoping exercises at least once every year.
     - Yes, annually: 66%
     - Yes, during initial scope and review mid-year: 31%
     - No: 2%

     Q15a. Please indicate the key attributes of your approach to SOX scoping:
     Attributes of scoping: A top-down, risk-based approach and a balance sheet and income statement coverage are the key attributes to SOX scoping. By comparison, very few respondents say they use a bottom-up approach.
     - Top down, risk-based: 84%
     - Balance sheet/income statement coverage: 84%
     - Process-level: 57%
     - Entity-level: 48%
     - Location coverage: 43%
     - Bottom-up: 9%
     - Other: 9%
     Multiple responses allowed.

     Q16. What impact did PCAOB AS5 have on your SOX scoping exercise?
     PCAOB AS5 impact: The majority of respondents noted that the PCAOB AS5 has a moderate to significant impact on their scoping exercise.
     Values shown in the chart, in the order they appear: 10%, 31%, 35%, 25%.

     Q17. When was the last time a rationalization/optimization or some other innovative exercise conducted?
     Innovative exercises: Most respondents noted that they performed rationalization/optimization or other innovative exercises either this fiscal year or last.
     - Current fiscal year: 52%
     - Last fiscal year: 19%
     - Two or more years ago: 24%
     - Not performed: 4%

     Percentages may not total 100 due to rounding.
  10. 10. Q17a. What techniques were used?
      Key techniques: Most respondents utilized rationalization of in-scoping controls and the majority rely on more periodic controls.
      - Rationalization of in-scope controls: 91%
      - Increased reliance on higher-level quarterly/monthly controls and less on transactional controls: 55%
      - Automation/optimization of SOX controls: 42%
      - Global standardization of control set (if multiple countries/locations): 41%
      - Use of technology for testing: 22%
      - Implementation of continuous controls monitoring: 20%
      - Other: 7%
      - None of the above: 2%
      Multiple responses allowed.

      Q18. What tools/software do you use as part of your scoping exercise?
      - Excel®: 90%
      - Third-party vendor/software: 19%
      - In-house-developed tool/software: 14%
      - None: 4%
      Multiple responses allowed.

      Q19. What is your SOX compliance approach for walkthroughs and testing?
      SOX compliance: Testing and walkthroughs of key controls are performed annually by most respondents.
      The chart has two series (legend: Walkthrough, Testing). The two values per row are given in the order they appear.
      - All controls annually: 21% / 11%
      - All key controls annually: 50% / 74%
      - Risk-based selection of controls only: 28% / 24%
      - Rotational selection of controls only: 7% / 4%
      - Other: 7% / 5%
      Multiple responses allowed.

      Percentages may not total 100 due to rounding.
  11. 11. Q20. What is the frequency of your testing and your roll-forward approach?
      Key techniques: Frequency results for testing and roll-forward fairly evenly distributed over the year among the respondents.
      - Controls tested continuously throughout the year: 4%
      - Majority of controls tested in Q1 or Q2 and then roll-forward procedures/testing re-performed in Q4: 23%
      - Majority of controls tested in Q1 or Q2 and limited roll-forward procedures performed in Q4: 25%
      - Majority of controls tested later in the year (late Q3/Q4), no rollforward performed: 29%
      - Controls testing spread evenly throughout the year: 20%

      Q21. For what percent of SOX controls do you perform continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)?
      Continuous controls monitoring: Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls.
      - Do not perform continuous controls monitoring: 65%
      - Less than 25%: 28%
      - 26%–50%: 3%
      - 51%–75%: 1%
      - More than 75%: 2%

      Q22. For what percent of controls does the company use Control self-assessment (CSA)?
      Control self-assessment: The majority of respondents do not use CSA.
      - Do not use control self-assessment: 58%
      - Less than 25%: 17%
      - 26%–50%: 5%
      - 51%–75%: 3%
      - More than 75%: 16%

      Q23. For what percent of controls does the company use peer reviews?
      Peer reviews: The majority of respondents do not use peer reviews.
      - Do not use peer reviews: 63%
      - Less than 25%: 16%
      - 26%–50%: 4%
      - 51%–75%: 4%
      - More than 75%: 12%

      Percentages may not total 100 due to rounding.
  12. 12. Q24. How often do you use the following as part of your testing process?
      Tools used in the testing process: Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process. Among those who use them often or always, data analytics are the most popular technique.
      Values are given in the order they appear (legend: Never, Sometimes, Often, Always).
      - Data analytics: 37% / 42% / 15% / 6%
      - Automated testing methods: 39% / 44% / 14% / 3%
      - Predictive modeling: 88% / 9% / 2% / 1%

      Q25. How are SOX test results/documentation/findings primarily maintained and reported?
      Information sharing: One-third of the respondents use Microsoft Office Tools® across a shared drive. One third of the respondents also selected “other.”
      - Excel or Word documents in a shared drive: 34%
      - Paisley GRC: 9%
      - Teammate: 8%
      - OpenPages: 8%
      - Hardcopy: 4%
      - SAP GRC: 3%
      - Bwise: 2%
      - Archer: 2%
      - Other: 28%

      Q26. In what areas of control testing do you see the most SOX deficiencies?
      Deficiencies in control testing area of SOX: The biggest reported problem faced in terms of SOX control testing relates to IT general controls.
      - IT general controls: 51%
      - Financial statement close process: 9%
      - Estimation accounts/accruals: 7%
      - Tax: 5%
      - Revenue: 5%
      - Inventory: 3%
      - Purchasing: 2%
      - Derivatives: 1%
      - SAS 70/SSAE 16: 1%
      - Spreadsheets: 0%
      - Off-balance-sheet liabilities: 0%
      - Other: 14%

      Percentages may not total 100 due to rounding.
  13. 13. Q27. How much do you leverage your SOX testing results with other departments in the company or other compliance/reporting functions?
      Leveraging SOX testing results: Respondents leverage SOX testing results most with the Internal Audit department.
      Values are given in the order they appear (legend labels shown: Not at all, Very little, Moderately).
      - IA: 7% / 13% / 26% / 54%
      - Regulatory/Compliance: 33% / 39% / 19% / 9%
      - Legal: 51% / 35% / 11% / 3%

      Q28. Do you conduct an annual fraud risk assessment?
      Popularity of annual assessment: Nearly two-thirds of the respondents conduct an annual fraud risk assessment.
      - Yes: 65%
      - No: 35%

      Q28a. If yes, what mechanism do you use?
      Methods of fraud risk assessment: The most popular methods of assessments are meetings and hotline calls, although a third of respondents also noted the use of surveys.
      - Meetings with business process owners: 73%
      - Review of ethics/hotline calls: 63%
      - Survey: 37%
      - Other: 27%
      Multiple responses allowed.

      Q29. How satisfied are you with the ability of your SOX function to add value?
      Value of SOX function: Fewer respondents were extremely satisfied with the value of the SOX function, as compared to cost and the quality of work. Over one-third of the population said they were less than satisfied with the ability of the SOX function to add value.
      - Extremely satisfied: 13%
      - Satisfied: 55%
      - Neither satisfied nor dissatisfied: 26%
      - Somewhat dissatisfied: 6%
      - Extremely dissatisfied: 0%

      Percentages may not total 100 due to rounding.
  14. 14. Multiple question comparisons

      Q2.2. How satisfied are you with the total cost of your SOX function?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are satisfaction with cost; values are given in the order they appear.
      - Extremely satisfied: 20% / 42% / 15%
      - Satisfied: 39% / 44% / 14%
      - Neither satisfied nor dissatisfied: 1% / 44% / 14%
      - Somewhat dissatisfied: 88% / 9% / 2%

      Q2.10. Is SOX incorporated into your Enterprise Risk Management program?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are whether SOX is incorporated into the Enterprise Risk Management program; values are less than satisfied / satisfied / extremely satisfied.
      - No: 45% / 43% / 11%
      - Yes: 21% / 65% / 14%

      Q2.7a. [If IA involved in SOX] What percent of Internal Audit budget/capacity is spent on SOX testing?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are percentage of Internal Audit budget/capacity spent on SOX testing; values are given in the order they appear.
      - Less than 25%: 29% / 58% / 13%
      - 25 - 50%: 37% / 48% / 15%
      - Over 50%: 38% / 56% / 6%
      - Don't know/unsure: 50% / 50%

      Q1.4. Annual revenue
      Q2.11. What is your company’s total number of SOX-related controls?
      Rows are annual revenue; values are given in the order they appear (legend: Less than 250, 250 - 499, 500 - 999, 1,000 - 2,499, 2,500 or more).
      - Less than $1b: 36% / 21% / 36% / 7%
      - $1 - 10b: 23% / 35% / 23% / 17% / 4%
      - $11 - 25b: 22% / 15% / 22% / 32% / 10%
      - $26 - 50b: 8% / 24% / 20% / 20% / 28%
      - More than $50b: 4% / 7% / 18% / 32% / 39%

      Percentages may not total 100 due to rounding.
  15. 15. Q1.4. Annual revenue
      Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?
      Rows are annual revenue; values are given in the order they appear (legend: No impact, Minor impact, Moderate impact, Significant impact).
      - Less than $1b: 20% / 67% / 7% / 7%
      - $1 - 10b: 15% / 26% / 36% / 23%
      - $11 - 25b: 7% / 28% / 35% / 30%
      - $26 - 50b: 4% / 19% / 56% / 22%
      - More than $50b: 43% / 21% / 36%

      Q2.21. For what percent of SOX controls do you perform continuous controls monitoring?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Continuous controls monitoring for SOX controls:
      - Do not perform continuous controls monitoring: 65%
      - Less than 25%: 28%
      - 26%–50%: 3%
      - 51%–75%: 1%
      - More than 75%: 2%

      Q2.16. What impact did PCAOB AS5 have on your SOX scoping exercise?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Chart rows, in the order they appear (row labels not shown):
      - 11% / 58% / 32%
      - 34% / 52% / 14%
      - 38% / 54% / 9%
      - 31% / 59% / 10%

      Q2.22. For what percent of controls does the company use Control self-assessment (CSA)?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are whether continuous self assessment (CSA) is used; values are less than satisfied / satisfied / extremely satisfied.
      - No: 37% / 51% / 12%
      - Yes: 25% / 60% / 14%

      Percentages may not total 100 due to rounding.
  16. 16. Q2.23. For what percent of controls does the company use peer reviews?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are whether peer reviews are used; values are less than satisfied / satisfied / extremely satisfied.
      - No: 38% / 50% / 12%
      - Yes: 22% / 63% / 15%

      Percentages of CCM, CSA and peer review usage for those respondents who were less than satisfied with the ability of their SOX function to add value (use technique / do not use technique):
      - CSA: 25% / 37%
      - Peer review: 22% / 38%
      - Continuous control monitoring: 19% / 39%

      Q2.28. Do you conduct an annual fraud risk assessment?
      Q2.29. How satisfied are you with the ability of your SOX function to add value?
      Rows are whether an annual fraud risk assessment is conducted; values are less than satisfied / satisfied / extremely satisfied.
      - No: 41% / 54% / 4%
      - Yes: 27% / 55% / 18%

      Percentages may not total 100 due to rounding.
  20. 20. Ernst & Young
      Assurance | Tax | Transactions | Advisory

      About Ernst & Young
      Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

      Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

      © 2011 EYGM Limited. All Rights Reserved.
      EYG No. BT0125

      This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
