Thinking outside the box (SOX)


Published in: Business, Economy & Finance

  1. 1. Thinking outside the SOX box: Transforming your compliance function for competitive advantage
  2. 2. What if? What if you could:
      • Reduce your SOX compliance costs?
      • Be capable of quicker, more on-point decision-making across your entire enterprise?
      • Free up existing resources for strategic initiatives?
      You can … by making a bold move and changing how you think about and execute your SOX function.
  3. 3. Table of contents
      Executive summary: Significant opportunity exists to transform your SOX function. Our survey reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors.
      1. Automating your controls. Replacing manual detect controls with embedded automated controls will make a significant difference in the hours burned on SOX each year, resulting in an immediate impact on your cost-containment efforts.
      2. Offshoring for lower-cost resources. The SOX function procedures are now well codified — it’s time to realize cost efficiencies from globalizing your resources.
      3. Leveraging your IT investment. The benefits of going beyond simple automation and more comprehensively leveraging all of your IT resources also apply to your SOX function.
      4. Innovating strategically. Strategic innovation around SOX execution can enhance your competitive advantage.
      Conclusion: Thinking differently about your SOX function. SOX compliance is an opportunity to bring innovative approaches to help you drive more value into your operations.
      Appendices: • Background • Industry breakdown
  4. 4. Executive summary: Significant opportunity exists to transform your SOX function
      In April 2011, Ernst & Young conducted a face-to-face survey with 225 global executives about their SOX compliance functions. For the most part, we found organizations are still treating SOX compliance the same way most of them originally looked at it: as a compliance exercise.
      A small proportion of the interviewees, however, have evolved their thinking. Their companies have come to look at SOX the way they look at many of their operations: as an opportunity to innovate, to automate and to gain competitive advantage. These are companies that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge for their SOX function.
      Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors: 1. Automate controls 2. Offshore for lower-cost resources 3. Leverage IT investment 4. Innovate strategically
      Chart: “Adding value to the business” identified as a key challenge of SOX functions. What are the key challenges faced by your SOX function? The majority of respondents consider adding value to their business a key challenge of the SOX function. Cost/Level of effort and innovation in control testing strategies: 58%; Adding value to the business: 56%; Integration with other risk and compliance functions: 44%; Providing learning and career opportunities for SOX personnel: 37%; Technology-related challenges: 32%; Controls monitoring: 32%; Effectiveness of resources: 25%; Dealing with mergers or acquisitions of private or non-SOX-compliant entities: 16%; Other: 15%; None of the above: 1%. Multiple responses allowed.
      The Who’s Who of this report: The executives who took part in the survey were all in positions that gave them a close-up view of SOX activities at their companies — and they told us that the SOX function is definitely on the C-suite radar: 78% of the survey participants report to the CFO, CAE or the Controller.
      We aimed for broad-based representation across industries, with 21 sectors involved, ranging from aerospace and defense to telecommunications. The greatest number of respondents were in banking and capital markets and insurance, with 11% each of the total participants, followed by technology (9%), and power and utilities and consumer products (8%). See Appendices for full industry breakdown.
      While we talked with executives at companies ranging in size from less than US$1 billion in annual revenues to more than US$50 billion, the bulk of the participants (65%) were in the middle of the range, companies between US$1 billion and US$25 billion in size.
  5. 5. 1. Automating your controls
      When we asked the survey executives about the number of controls tested by their SOX function, we got a good picture of just how massive an undertaking SOX compliance is:
      • 35% of our participants indicate that they have more than 1,000 controls, more than 60% of which are key controls.
      Then factor in that, for 62% of the companies, the testing of key controls alone took at least five hours … per control. Add test of design, walk-through and all the controls that aren’t designated as key − which could be 20%–40% of the total number of controls − and the time in the field to actually perform all the manual controls. In short, SOX is a tremendous drain on resources that could be deployed on other, more value-added tasks.
      It’s a diverse drain on resources, as well: survey participants revealed they were experiencing SOX deficiencies in more than 10 different areas of SOX testing, from derivatives to inventory, with 51% saying that IT general controls were giving them the most problems (financial statement close process was the second-highest area of deficiencies at 9%).
      Chart: Companies that reduce their total number of controls tend to focus on key controls. What is your company’s total number of SOX-related controls? The majority of respondents have fewer than 1,000 controls. Less than 250: 19%; 250–499: 24%; 500–999: 22%; Between 1,000–2,499: 22%; 2,500 or more: 13%.
      Table: What percentage of your controls are key controls? Key controls as a percentage of total controls, by total number of controls. Less than 250: 79%; 250–499: 78%; 500–999: 72%; Between 1,000–2,499: 66%; 2,500 or more: 62%. Average key control percentages are provided for the corresponding categories on left. The fewer total controls, the higher the percentage of focus on key controls. Companies that reduce their total number of controls tend to focus on key controls.
      Chart: Testing is the most time-consuming of the three key SOX activities. On average, how many hours do you spend on each key control? Design and walk-throughs versus testing controls:
      • Most respondents spend less than five hours on design and walk-through of each control.
      • By comparison, the majority of respondents spend 5 hours or more on testing per control.
      Values in the order less than 5 hours / 5 to 10 hours / 11 to 20 hours / over 20 hours. Design: 80% / 13% / 6% / 1%; Walk-through: 72% / 25% / 3%; Testing: 39% / 39% / 15% / 8%. Percentages may not total 100 due to rounding.
  6. 6. Budget/Spend for SOX compliance
      Chart: What is the company’s annual budget/spend for SOX compliance? Less than $0.5 million: 18%; $0.5–$0.9 million: 18%; $1–$1.9 million: 27%; $2–$2.9 million: 15%; $3–$4.9 million: 8%; $5 million or more: 14%. Average: US$2,766,742. Median: US$1,200,000.
      You can easily see why 39% of participants consider cost to be one of their key challenges. The SOX spend data confirms that this can be a major budget item:
      • 37% spend at least US$2 million annually.
      • 14% spend at least US$5 million.
      Increasing use of automated controls can reduce your costs in other ways too. We saw 55% of survey participants indicate that their external auditors relied on 51% or more of the walk-throughs and testing work performed in-house. So, if you automate controls and do SOX right, you may also be able to increase reliance by your auditor. This may help reduce the time spent by your SOX-function employees handling the inquiries and testing by the external auditors.
      And yet, only 3% of the executives have fully automated more than half of their key controls — and 78% have fully automated less than a quarter of their key controls.
      Chart: Few key controls fully automated. What is the percentage of fully automated controls (vs. manual or IT-dependent controls) that make up your total key controls? Fully automated key controls: • Most respondents say that less than 25% of their key controls are fully automated. No key controls are fully automated: 1%; Less than 10% of key controls are fully automated: 36%; 10% to 25% of key controls are fully automated: 41%; 26% to 50% of key controls are fully automated: 19%; 51% to 75% of key controls are fully automated: 3%; More than 75% of key controls are fully automated: 0%.
      Takeaway: There is widespread recognition that automation frees up resources to be put to better use elsewhere. By increasing your use of preventative automated controls and “turning on” key switches in IT systems, you can drive down the number of manual touch points and labor-intensive detect controls. Similarly, using automated tools in the SOX controls-testing process will have an immediate impact on SOX costs.
  7. 7. 2. Offshoring for lower-cost resources
      Cosourcing is already being used extensively in the SOX arena: 50% of survey participants said that they used outside service providers for some part of their SOX-compliance work, with 66% using outside resources for testing. And yet:
      • 81% of our survey executives said that Internal Audit was involved with their SOX program.
      • 40% indicated that their Internal Audit department devoted at least a quarter of its budget or more to SOX activities.
      Chart: The majority of respondents use outside providers — most often for testing. Do you use an outside service provider for SOX activities? Just over half the respondents have an outside provider for one or more SOX activities. No: 48%; Yes: 52%.
      Chart: If yes, how do you use them? Outside service provider usage: Testing is the key activity performed by outside service providers. Testing: 74%; Scoping/risk assessment: 18%; PMO: 7%; All of the above: 16%; Other: 14%. Multiple responses allowed.
  8. 8. Most IA departments are involved in the SOX program
      Chart: Is Internal Audit involved in the SOX program? For the majority of respondents, the Internal Audit department is involved with the SOX program. No: 19%; Yes: 81%.
      Chart: If IA is used in the SOX program, what percent of IA budget/capacity is spent on SOX testing? Most respondents whose Internal Audit department is involved in the SOX program say that less than 25% of its budget and capacity is spent on SOX testing. Less than 25%: 59%; 26%–50%: 29%; 51%–75%: 10%; Over 75%: 1%; Don’t know/unsure: 1%.
      Table: SOX work performance breakdown. What percentage of SOX work is performed by the following: Resources at corporate headquarters: 60%; Regional resources at other company locations: 26%; Domestic third-party resources: 9%; Other: 2%; Offshore third-party resources: 2%; Offshore resources not at company locations: 1%; Total: 100%.
      The outsourcing of activities that aren’t fundamental to meeting strategic business objectives has been a leading business practice for many years now. There is no question that it reduces costs and allows in-house resources to be applied to more strategic, core-business matters. The off-shoring of such less-strategic operations not only helps companies reduce costs, but it also allows them to practice “follow the sun” operations, which provide another means for increasing the productivity of in-house and (or) domestically located resources. Yet only 3% of our survey participants were using offshore resources for their SOX function.
      Takeaway: The basic procedures involved in the SOX function have been in practice for several years and are fairly well codified. Now is the time to realize the cost efficiencies that can be derived from globalizing your resources.
  9. 9. 3. Leveraging your IT investment
      Let’s be clear: leveraging your IT investment goes far beyond turning on various automated controls in the systems and automating testing. There is a real opportunity to use technology more strategically. Yet, we found only small percentages using more innovative technology-based techniques:
      • Only 21% employ data analytics regularly.
      • 88% never use predictive modeling.
      • 65% do not use continuous controls monitoring.
      We found that 90% of survey participants still use Excel® for their scoping exercise, when there are other third-party tools that can slice and dice risks and controls in order to optimize scoping.
      Ernst & Young Controls Review Tool: Ernst & Young’s proprietary Controls Review Tool (CRT) enables our teams to quickly assess their clients’ current controls strategy and assist in the identification of potential opportunities for improving the strategy for testing controls and improving controls-related documentation. The CRT presents internal controls data in a user-friendly format, including a summary of control statistics, a detailed breakdown of controls by processes and related applications, and different views of the relationships between controls and risks. The CRT can also help provide visibility into opportunities for rationalizing or optimizing controls, including better leveraging of automated controls.
      Chart: Testing process: data analytics or predictive modeling? How often do you use the following as part of your testing process? Tools used in the testing process: Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process. Among those who use them often or always, data analytics is the most popular technique. Values in the order never / sometimes / often / always. Data analytics: 37% / 42% / 15% / 6%; Automated testing methods: 39% / 44% / 14% / 3%; Predictive modeling: 88% / 9% / 2% / 1%.
  10. 10. Continuous controls monitoring not widely used
      Chart: For what percent of SOX controls do you perform continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)? Continuous controls monitoring: • Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls. Do not perform continuous controls monitoring: 65%; Less than 25%: 28%; 26%–50%: 3%; 51%–75%: 1%; More than 75%: 2%. Percentages may not total 100 due to rounding.
      Chart: Excel® favored for scoping exercises. What tools/software do you use as part of your scoping exercise? Excel®: 90%; Third-party vendor/software: 19%; In-house-developed tool/software: 14%; None: 4%. Multiple responses allowed.
      Takeaway: Strategic use of your IT investment is a critical driver of competitive advantage. Our survey results suggest that this holds true for applying it to your SOX functions as well.
  11. 11. 4. Innovating strategically
      Our survey explored the opportunities for applying innovative practices to the SOX function and found this to be a relatively untapped option.
      For instance, when asked when the last time a controls rationalization/optimization or other innovative exercise had been conducted − only 52% of respondents said it had been during the current fiscal year.
      Specific innovative practices we asked about included:
      • Use of control self-assessment (58% do not use at all)
      • Peer reviews (63% do not use at all)
      • Incorporating the SOX function into ERM program (48% do not)
      • Creating more entity-level controls (94% had fewer than a quarter of their key controls as entity-level controls)
      Chart: Incorporating the SOX function into Enterprise Risk Management. Is SOX incorporated into your Enterprise Risk Management (ERM) program? Relationship between SOX and ERM: Almost half of respondents do not incorporate SOX into their ERM programs. No: 48%; Yes: 52%.
      Chart: Few key controls are entity-level controls. What is the percentage of entity-level controls that make up your total key controls? Entity-level controls as percentage of total key controls. Less than 10% of key controls are entity-level controls: 54%; 10%–25% of key controls are entity-level controls: 40%; 26%–50% of key controls are entity-level controls: 5%; 51%–75% of key controls are entity-level controls: 1%; More than 75% of key controls are entity-level controls: 1%. Percentages may not total 100 due to rounding.
      The use of entity-level controls is a particularly under-utilized opportunity. Since one really effective entity-level monitoring control may eliminate the need to do many transaction-level controls, companies can significantly reduce the testing workload by properly designing robust and effective entity-level controls.
  12. 12. Rationalization/optimization exercises have been performed
      Chart: When was the last time a rationalization/optimization or some other innovative exercise was conducted? Innovative exercises: Only 52% performed rationalization/optimization or other innovative exercises this fiscal year. Current fiscal year: 52%; Last fiscal year: 19%; Two or more years ago: 24%; Not performed: 4%. Percentages may not total 100 due to rounding.
      Chart: If a rationalization/optimization or other innovative exercise was conducted, what techniques were used? Key techniques: Most respondents utilized rationalization of in-scope controls. Rationalization of in-scope controls: 91%; Increased reliance on higher-level quarterly/monthly controls and less on transactional controls: 55%; Automation/Optimization of SOX controls: 42%; Global standardization of control set (if multiple countries/locations): 41%; Use of technology for testing: 22%; Implementation of continuous controls monitoring: 20%; Other: 7%; None of the above: 2%. Multiple responses allowed.
  13. 13. Control self-assessment not widely used
      Chart: For what percent of controls does the company use control self-assessment (CSA)? CSA: • The majority of respondents do not use CSA. Do not use control self-assessment: 58%.
      Chart: Peer reviews not widely used. For what percent of controls does the company use peer reviews? Peer reviews: • The majority of respondents do not use peer reviews. Do not use peer reviews: 63%.
      [Bar charts: the remaining categories on both charts are Less than 25%, 26%–50%, 51%–75% and More than 75% of controls.] Percentages may not total 100 due to rounding.
  14. 14. There appears to be good reason to explore such innovative practices: they help deliver additional value for the business. For instance, of those survey participants who had incorporated their SOX function into their ERM program, 79% were satisfied or extremely satisfied with the ability of their SOX function to add value, while only 54% of those who hadn’t folded SOX into ERM programs were similarly satisfied. Similar results were noted when we asked about continuous controls monitoring.
      Chart: SOX incorporated into ERM program and satisfaction with value. Is SOX incorporated into your ERM program? How satisfied are you with the ability of your SOX function to add value? Values in the order less than satisfied / satisfied / extremely satisfied. No: 45% / 43% / 11%; Yes: 21% / 65% / 14%. Percentages may not total 100 due to rounding.
      There are also opportunities to get ahead of the competition by exploring and developing innovative ways to generate more usable SOX information and (or) put SOX testing/data to more diversified use. When we asked about the frequency of controls testing, we found only 4% test continuously through the year. This is roughly the same percentage that has fully automated most controls (which is probably required to make it economically feasible to do continuous testing).
      The leveraging of SOX information and testing with other departments that could put it to valuable use was also fairly minimal:
      • Only 9% of participants indicate they “significantly” leverage their SOX testing results with their regulatory and compliance functions.
      • Only 3% of participants do the same with their legal department.
      Leveraging SOX information and testing across other functions/departments within a company will decrease the burden felt by the business units. Another point here is that there are opportunities to get a leg up on the competition by building the SOX function into the regular ebb and flow of business operations — by using self assessments or peer reviews. Once you change the mindset at the business-unit level, the SOX function can move beyond compliance and into helping manage and monitor the business on a continuous basis.
      Chart: Internal Audit most often leverages SOX testing results. How much do you leverage your SOX testing results with other departments in the company or other compliance/reporting functions? Leveraging SOX testing results: Respondents leverage SOX testing results most with the Internal Audit department. Values in the order not at all / very little / moderately / significantly. IA: 7% / 13% / 26% / 54%; Regulatory/Compliance: 33% / 39% / 19% / 9%; Legal: 51% / 35% / 11% / 3%.
  15. 15. Does this lack of innovation matter? Our survey participants seem to think so. The participants whose companies refrain from using the most progressive testing and scoping practices are less satisfied with the ability of their SOX function to add value.
      Chart: Frequency of testing and roll-forward approach. What is the frequency of your testing and your roll-forward approach? Key techniques: Frequency results for testing and rollforward are fairly evenly distributed over the year among the respondents. Controls tested continuously throughout the year: 4%; Majority of controls tested in Q1 or Q2 and then roll-forward procedures/testing re-performed in Q4: 23%; Majority of controls tested in Q1 or Q2 and limited roll-forward procedures performed in Q4: 25%; Majority of controls tested later in the year (late Q3/Q4), no rollforward performed: 29%; Controls testing spread evenly throughout the year: 20%. Percentages may not total 100 due to rounding.
      Chart: Use of continuous controls monitoring, CSA and peer reviews coincides with fewer respondents being less than satisfied with value of SOX function. A greater percentage of respondents who were “less than satisfied” with the ability of their SOX function to add value do not use the most progressive or innovative practices. Values in the order use technique / do not use technique. CSA: 25% / 37%; Peer review: 22% / 38%; Continuous control monitoring: 19% / 39%.
      Takeaway: In the global economy of the 21st century, innovation often plays a vital role in differentiating a company and bringing it to a position of industry leadership. Strategic innovation around SOX execution can lead to better strategic use of your existing resources.
  16. 16. Conclusion: Thinking differently about your SOX function
      Thinking outside the SOX box shows that SOX compliance is an opportunity to bring innovative approaches to a subject area that has become somewhat stale and routine. Innovative practices and approaches improve the chances that a company will build more value into its operations, including:
      • Reductions in spend from a substantial line-item cost
      • More strategic allocations of financial-control resources
      • Greater consistency and efficiency of controls across locations through automation
      • Reduced stress and burden on in-house resources through a powerful combination of automation, outsourcing, and leveraging SOX work across the company
      • Using automated techniques (e.g., data analytics) — Expanded and more comprehensive risk coverage without increasing the budget
      When this shift in perspective occurs, there is ample opportunity to bring strategic innovation to the seemingly mundane SOX issues of scoping processes and testing strategies and execution. There are sophisticated tools to explore. Different approaches to acquiring and analyzing data can make the data more valuable, not only for compliance tasks, but for other previously unexplored purposes.
  17. 17. Appendices: Background
      Chart: Company revenues. Annual revenue categories and responses: The majority of the respondents fall into the category of US$1 billion to US$25 billion in terms of their annual revenues. Less than $1 billion: 7%; $1–$10 billion: 42%; $11–$25 billion: 23%; $26–$50 billion: 13%; More than $50 billion: 14%. Percentages may not total 100 due to rounding.
      Chart: Internal Audit department and Internal Control department both own the SOX administration and testing. Who owns administration and testing components of the SOX compliance function? Ownership of the SOX compliance function: The Internal Audit department and the Internal Controls department are the main divisions controlling the administration and testing components of SOX compliance for the current respondents. Values in the order administration / testing. Internal Audit department: 34% / 56%; SOX/Internal Controls department: 52% / 29%; Finance and accounting: 14% / 10%; Business/Process owners: 6% / 17%; External service provider: 2% / 14%; Compliance/Risk management: 4% / 5%; Other: 2% / 4%. Multiple responses allowed.
  18. 18. Industry breakdown
      Chart: Response by industry. Industry categories: The two industries with the maximum number of completed surveys were Banking and Capital Markets and Insurance. Insurance: 11%; Banking and capital markets: 11%; Technology: 9%; Consumer products: 8%; Power and utilities: 8%; Oil and gas: 7%; Automotive: 7%; Life sciences: 7%; Diversified industrial products: 6%; Media and entertainment: 6%; Retail and wholesale: 6%; Telecommunications: 5%; Aerospace and defense: 2%; Asset management: 2%; Chemicals: 2%; Mining and metals: 2%; Real Estate: 2%; Transportation: 2%; Provider care: 1%; Airlines: 1%; Professional firms and services: 1%; Government and public sector: 0%; Private equity: 0%. Percentages may not total 100 due to rounding.
      Chart: SOX compliance function reports most often to the CFO. To whom does the SOX compliance function report? Reporting relationship of the SOX compliance function: Most respondents report to either the CFO, CAE or the Controller. CFO: 45%; CAE: 20%; Controller: 13%; Legal counsel: 2%; Chief risk officer: 2%; Chief compliance officer: 2%; SOX steering committee: 2%; Other: 15%.
  19. 19. Contacts
      Is your SOX function geared for this transformation? Ernst & Young can help you explore this opportunity.
      Robert F. Cullen III, Partner, Advisory Services, +1 612 343 1000
      Sapna Ahuja, Senior Manager, Advisory Services, +1 212 773 sapna.ahuja@ey.com
      For a copy of the complete SOX survey, please contact the above or your Ernst & Young engagement team.
      For related thought leadership from Ernst & Young, please
  20. 20. Ernst & Young
      Assurance | Tax | Transactions | Advisory
      About Ernst & Young: Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
      Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
      © 2011 EYGM Limited. All Rights Reserved. EYG No. BT0117
      This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.