Vladimir Matviychuk, profile picture
Uploaded byVladimir Matviychuk
1,080 views

Thinking outside the box (SOX)

This document discusses opportunities to transform a company's Sarbanes-Oxley (SOX) compliance function for competitive advantage. It identifies four actions: 1) automating manual controls to significantly reduce SOX costs and resource burden, 2) offshoring SOX functions for lower costs, 3) leveraging existing IT investments to improve SOX processes, and 4) innovating SOX execution strategically to enhance competitive positioning. A survey found that while most firms treat SOX as a compliance exercise, some have transformed their functions to drive value through automation, cost efficiencies, and strategic innovation around SOX practices.

Embed presentation

Downloaded 46 times
Thinking outside the SOX box Transforming your compliance function for competitive advantage
What if? What if you could: • Reduce your SOX compliance costs? You can … by making a bold move and • Be capable of quicker, more on-point changing how you think about and decision-making across your entire execute your SOX function. enterprise? • Free up existing resources for strategic initiatives? 3
Table of contents Page 1 Executive summary: Significant opportunity exists to transform your SOX function Our survey reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors. Page 2 1. Automating your controls Replacing manual detect controls with embedded automated controls will make a significant difference in the hours burned on SOX each year, resulting in an immediate impact on your cost-containment efforts. Page 4 2. Offshoring for lower-cost resources The SOX function procedures are now well codified — it’s time to realize cost efficiencies from globalizing your resources. Page 6 3. Leveraging your IT investment The benefits of going beyond simple automation and more comprehensively leveraging all of your IT resources also applies to your SOX function. Page 8 4. Innovating strategically Strategic innovation around SOX execution can enhance your competitive advantage. Page 13 Conclusion: Thinking differently about your SOX function SOX compliance is an opportunity to bring innovative approaches to help you drive more value into your operations. Page 14 Appendices: • Background • Industry breakdown
Executive summary Significant opportunity exists to transform your SOX function In April 2011, Ernst & Young conducted a face-to-face survey A small proportion of the interviewees, however, have evolved their with 225 global executives about their SOX compliance functions. thinking. Their companies have come to look at SOX the way they For the most part, we found organizations are still treating SOX look at many of their operations: as an opportunity to innovate, to compliance the same way most of them originally looked at it: as a automate and to gain competitive advantage. These are companies compliance exercise. that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge “Adding value to the business” identified for their SOX function. as a key challenge of SOX functions Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors: What are the key challenges faced by your SOX function? 1. Automate controls The majority of respondents consider adding value to their business a key 2. Offshore for lower-cost resources challenge of the SOX function. 3. Leverage IT investment 4. Innovate strategically Cost/Level of effort and innovation in control 58% testing strategies The Who’s Who of this report Adding value 56% The executives who took part in the survey were all in positions to the business that gave them a close-up view of SOX activities at their Integration with companies — and they told us that the SOX function is definitely other risk and 44% on the C-suite radar: 78% of the survey participants report to compliance functions the CFO, CAE or the Controller. Providing learning and career opportunities 37% for SOX personnel We aimed for broad-based representation across industries, with 21 sectors involved, ranging from aerospace and defense to Technology- 32% telecommunications. The greatest number of respondents were related challenges in banking and capital markets and insurance, with 11% each of the total participants, followed by technology (9%), and power Controls monitoring 32% and utilities and consumer products (8%). See Appendices for full industry breakdown. Effectiveness 25% While we talked with executives at companies ranging in size from of resources less than US$1 billion in annual revenues to more than US$50 Dealing with mergers billion, the bulk of the participants (65%) were in the middle of the or acquisitions of 16% range, companies between US$1 billion and US$25 billion in size. private or non-SOX- compliant entities Other 15% 1% None of the above 0% 10% 20% 30% 40% 50% 60% Multiple responses allowed 1
1. Automating your controls When we asked the survey executives about the number of controls • 35% of our participants indicate that they have more than 1,000 tested by their SOX function, we got a good picture of just how controls, more than 60% of which are key controls. massive an undertaking SOX compliance is: Then factor in that, for 62% of the companies, the testing of key controls alone took at least five hours … per control. Add test of design, walk-through and all the controls that aren’t designated as Companies that reduce their total number key − which could be 20%–40% of the total number of controls − and of controls tend to focus on key controls the time in the field to actually perform all the manual controls. In short, SOX is a tremendous drain on resources that could be deployed on other, more value-added tasks. What is your company’s total number of It’s a diverse drain on resources, as well: survey participants SOX-related controls? revealed they were experiencing SOX deficiencies in more than 10 different areas of SOX testing, from derivatives to inventory, with Total number of SOX-related controls 51% saying that IT general controls were giving them the most The majority of respondents have fewer than 1,000 controls. problems (financial statement close process was the second-highest area of deficiencies at 9%). Less than 250 19% Testing is the most time-consuming 250–499 24% of the three key SOX activities On average, how many hours do you spend on each 500–999 22% key control? Design and walk-throughs versus testing controls Between 22% • Most respondents spend less than five hours on design and walk-through 1,000–2,499 of each control. • By comparison, the majority of respondents spend 5 hours or more on 2,500 or more 13% testing per control. 0% 10% 20% 30% Design 80% 13% 6% 1% What percentage of your controls are key controls? Controls Percentage Walk-through 72% 25% 3% Less than 250 79% 250–499 78% 500–999 72% Testing 39% 39% 15% 8% Between 1,000–2,499 66% 2,500 or more 62% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Key controls as a percentage of total controls Less than 5 hours 5 to 10 hours Average key control percentages are provided for the corresponding 11 to 20 hours over 20 hours categories on left. The fewer total controls, the higher the percentage of focus on key controls. Companies that reduce their total number of controls Percentages may not total 100 due to rounding. tend to focus on key controls. 2
Budget/Spend for SOX compliance Few key controls fully automated What is the company’s annual budget/spend for What is the percentage of fully automated controls SOX compliance? (vs. manual or IT-dependent controls) that make up your total key controls? Less than $0.5 million 18% Fully automated key controls • Most respondents say that less than 25% of their key controls are fully automated. $0.5–$0.9 million 18% And yet, only 3% of the executives have fully automated more than half of their key controls — and 78% have fully automated less than a quarter $1–$1.9 million 27% of their key controls. $2–$2.9 million 15% No key controls 1% are fully automated $3–$4.9 million 8% Less than 10% of key controls are 36% fully automated $5 million 14% 10% to 25% of key or more controls are 41% 0% 5% 10% 15% 20% 25% 30% fully automated 26% to 50% of key controls are 19% Average Median fully automated US$2,766,742 US$1,200,000 51% to 75% of key controls are 3% fully automated You can easily see why 39% of participants consider cost More than 75% of key to be one of their key challenges. The SOX spend data confirms controls are 0% fully automated that this can be a major budget item: 0% 10% 20% 30% 40% 50% • 37% spend at least US$2 million annually. • 14% spend at least US$5 million. Takeaway There is widespread recognition that automation frees up Increasing use of automated controls can reduce your resources to be put to better use elsewhere. By increasing costs in other ways too. We saw 55% of survey participants your use of preventative automated controls and “turning indicate that their external auditors relied on 51% or more on” key switches in IT systems, you can drive down the of the walk-throughs and testing work performed in-house. number of manual touch points and labor-intensive detect So, if you automate controls and do SOX right, you may also controls. Similarly, using automated tools in the SOX be able to increase reliance by your auditor. This may help controls-testing process will have an immediate impact on reduce the time spent by your SOX-function employees SOX costs. handling the inquiries and testing by the external auditors. 3
2. Offshoring for lower-cost resources Cosourcing is already being used extensively in the SOX arena: 50% • 81% of our survey executives said that Internal Audit was of survey participants said that they used outside service providers involved with their SOX program. for some part of their SOX-compliance work, with 66% using outside • 40% indicated that their Internal Audit department devoted at resources for testing. And yet: least a quarter of its budget or more to SOX activities. The majority of respondents use outside providers — most often for testing Do you use an outside service provider for If yes, how do you use them? SOX activities? Outside service provider usage Outside service provider used for SOX activities Testing is the key activity performed by outside service providers. Just over half the respondents have an outside provider for one or more SOX activities. Testing 74% Scoping/ 18% risk assessment No Yes PMO 7% 48% 52% All of the above 16% Other 14% 0% 10% 20% 30% 40% 50% 60% 70% 80% Multiple responses allowed. 4
Most IA departments are involved in the SOX program Is Internal Audit involved in the SOX program? If IA is used in the SOX program, what percent of IA budget/capacity is spent on SOX testing? Internal Audit involvement in SOX program For the majority of respondents, the Internal Audit department is involved Internal Audit resources on SOX testing with the SOX program. Most respondents whose Internal Audit department is involved in the SOX program say that less than 25% of its budget and capacity is spent on SOX. testing. Less than 25% 59% No 19% 26%–50% 29% 51%–75% 10% Yes 81% Over 75% 1% Don't know/ 1% unsure 0% 10% 20% 30% 40% 50% 60% 70% The outsourcing of activities that aren’t fundamental to meeting SOX work performance breakdown strategic business objectives has been a leading business practice for many years now. There is no question that it reduces costs and What percentage of SOX work is performed by the allows in-house resources to be applied to more strategic, core- business matters. The off-shoring of such less-strategic operations following: not only helps companies reduce costs, but it also allows them to practice “follow the sun” operations, which provide another means Total 100% for increasing the productivity of in-house and (or) domestically Resources at corporate headquarters 60% located resources. Yet only 3% of our survey participants were using offshore resources for their SOX function. Regional resources at other company locations 26% Domestic third-party resources 9% Takeaway Other 2% The basic procedures involved in the SOX function have Offshore third-party resources 2% been in practice for several years and are fairly well Offshore resources not at company locations 1% codified. Now is the time to realize the cost efficiencies that can be derived from globalizing your resources. 5
3. Leveraging your IT investment Let’s be clear: leveraging your IT investment goes far beyond turning on various automated controls in the systems and automating testing. There is a real opportunity to use technology Ernst & Young more strategically. Yet, we found only small percentages using more innovative technology-based techniques: Controls Review Tool • Only 21% employ data analytics regularly. Ernst & Young’s proprietary Controls • 88% never use predictive modeling. Review Tool (CRT) enables our teams • 65% do not use continuous controls monitoring. to quickly assess their clients’ current We found that 90% of survey participants still use Excel® controls strategy and assist in the for their scoping exercise, when there are other third-party identification of potential opportunities tools that can slice and dice risks and controls in order to optimize scoping. for improving the strategy for testing controls and improving controls-related documentation. Testing process: data analytics or The CRT presents internal controls predictive modeling? data in a user-friendly format, including How often do you use the following as part of your a summary of control statistics, a testing process? detailed breakdown of controls by processes and related applications, Tools used in the testing process and different views of the relationships Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process. between controls and risks. The CRT Among those who use them often or always, data analytics is the most can also help provide visibility into popular technique. opportunities for rationalizing or optimizing controls, including better leveraging of automated controls. Data 37% 42% 15% 6% analytics Automated testing 39% 44% 14% 3% methods 1% Predictive 88% 9% 2% modeling 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Never Sometimes Often Always 6
Continuous controls monitoring Excel® favored for scoping exercises not widely used What tools/software do you use as part of your For what percent of SOX controls do you perform scoping exercise? continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)? Continuous controls monitoring Excel® 90% • Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls. Third-party 19% vendor/software Do not perform continuous 65% controls In-house – monitoring developed tool/ 14% software Less than 25% 28% None 4% 26%–50% 3% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 51%–75% 1% Multiple responses allowed. More than 75% 2% 0% 10% 20% 30% 40% 50% 60% 70% Percentages may not total 100 due to rounding. Takeaway Strategic use of your IT investment is a critical driver of competitive advantage. Our survey results suggest that this holds true for applying it to your SOX functions as well. 7
4. Innovating strategically Our survey explored the opportunities for applying innovative Specific innovative practices we asked about included: practices to the SOX function and found this to be a relatively • Use of control self-assessment (58% do not use at all) untapped option. • Peer reviews (63% do not use at all) For instance, when asked when the last time a controls rationalization/optimization or other innovative exercise had • Incorporating the SOX function into ERM program (48% do not) been conducted − only 52% of respondents said it had been • Creating more entity-level controls (94% had fewer than a quarter during the current fiscal year. of their key controls as entity-level controls) Incorporating the SOX function into Few key controls are entity-level controls Enterprise Risk Management What is the percentage of entity-level controls that Is SOX incorporated into your Enterprise Risk make up your total key controls? Management (ERM) program? Entity-level controls as percentage of total Relationship between SOX and ERM key controls Almost half of respondents do not incorporate SOX into their ERM programs. Less than 10% of key controls are 54% entity-level controls 10%–25% of key controls are 40% entity-level controls 26%–50% of key controls are entity- 5% No Yes level controls 48% 52% 51%–75% of key controls are entity- 1% level controls More than 75% of key controls are entity 1% level controls 0% 10% 20% 30% 40% 50% 60% Percentages may not total 100 due to rounding. The use of entity-level controls is a particularly under-utilized opportunity. Since one really effective entity-level monitoring control may eliminate the need to do many transaction-level controls, companies can significantly reduce the testing workload by properly designing robust and effective entity level controls. 8
Rationalization/optimization exercises have been performed When was the last time a rationalization/optimization If a rationalization/optimization or other or some other innovative exercise was conducted? innovative exercise was conducted, what techniques were used? Innovative exercises Only 52% performed rationalization/ optimization or other innovative Key techniques exercises this fiscal year. Most respondents utilized rationalization of in-scope controls. Current 52% Rationalization of 91% s a year in-scope controls Increased reliance on higher-level quarterly/monthly 55% ast s a year 19% controls and less on transactional controls Automation/ Two or more Optimization of 42% 24% SOX controls years ago Global standardization of control set (if 41% Not performed 4% multiple countries/ locations) Use of technology 22% 0% 10% 20% 30% 40% 50% 60% for testing Percentages may not total 100 due to rounding. Implementation of continuous controls 20% monitoring Other 7% None of the above 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Multiple responses allowed. 9
Control self-assessment not widely used Peer reviews not widely used For what percent of controls does the company use For what percent of controls does the company use control self-assessment (CSA)? peer reviews? CSA Peer reviews • The majority of respondents do not use CSA. • The majority of respondents do not use peer reviews. Do not use Do not use 63% control 58% peer reviews self-assessment 17% Less than 25% 16% Less than 25% 26%–50% 5% 26%–50% 4% 3% 51%–75% 4% 51%–75% More than 75% 12% More than 75% 16% 0% 10% 20% 30% 40% 50% 60% 70% 0% 10% 20% 30% 40% 50% 60% 70% Percentages may not total 100 due to rounding. Percentages may not total 100 due to rounding. 10
There appears to be good reason to explore such innovative The leveraging of SOX information and testing with other practices: they help deliver additional value for the business. departments that could put it to valuable use was also fairly For instance, of those survey participants who had incorporated minimal: their SOX function into their ERM program, 79% were satisfied or • Only 9% of participants indicate they “significantly” leverage extremely satisfied with the ability of their SOX function to add their SOX testing results with their regulatory and compliance value, while only 54% of those who hadn’t folded SOX into ERM functions. programs were similarly satisfied. Similar results were noted when we asked about continuous controls monitoring. • Only 3% of participants do the same with their legal department. Leveraging SOX information and testing across other functions/ departments within a company will decrease the burden felt by the SOX incorporated into ERM program and business units. Another point here is that there are opportunities to get a leg up on the competition by building the SOX function into satisfaction with value the regular ebb and flow of business operations — by using self assessments or peer reviews. Once you change the mindset at Is SOX incorporated into your ERM program? the business-unit level, the SOX function can move beyond compliance and into helping manage and monitor the business How satisfied are you with the ability of your SOX on a continuous basis. function to add value? Internal Audit most often leverages SOX testing results How much do you leverage your SOX testing results with other departments in the company or other No 45% 43% 11% compliance/reporting functions? o Leveraging SOX testing results o Respondents leverage SOX testing results most with the Internal Audit department. e Yes o o 21% 65% 14% IA 7% 13% 26% 54% 0% 20% 40% 60% 80% 100% ess s s e s e e e s s e Regulatory/ 33% 39% 19% 9% Percentages may not total 100 due to rounding. Compliance There are also opportunities to get ahead of the competition by exploring and developing innovative ways to generate more usable Legal 51% 35% 11% 3% SOX information and (or) put SOX testing/data to more diversified use. When we asked about the frequency of controls testing, we 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% found only 4% test continuously through the year. This is roughly the same percentage that has fully automated most controls Not at all Very little Moderately (which is probably required to make it economically feasible to do continuous testing). 11
Does this lack of innovation matter? Our survey participants seem Frequency of testing and roll-forward to think so. The participants whose companies refrain from using the most progressive testing and scoping practices are less satisfied approach with the ability of their SOX function to add value. What is the frequency of your testing and your roll- forward approach? Use of continuous controls monitoring, Key techniques CSA and peer reviews coincides with Frequency results for testing and rollforward are fairly evenly distributed fewer respondents being less than over the year among the respondents. satisfied with value of SOX function A greater percentage of respondents who were “less Controls tested continuously throughout 4% than satisfied” with the ability of their SOX function the year to add value do not use the most progressive or Majority of controls tested in innovative practices: Q1 or Q2 and then roll-forward 23% procedures/testing re-performed in Q4 Majority of controls tested in 25% Q1 or Q2 and limited 25% CSA roll-forward procedures 37% performed in Q4 Majority of controls tested later in the year (late Q3/Q4), 29% no rollforward performed 22% Peer review 38% Controls testing spread 20% evenly throughout the year 0% 10% 20% 30% 40% Continuous 19% control Percentages may not total 100 due to rounding. 39% monitoring 0% 5% 10% 15% 20% 25% 30% 35% 40% Use technique Do not use technique Takeaway In the global economy of the 21st century, innovation often plays a vital role in differentiating a company and bringing it to a position of industry leadership. Strategic innovation around SOX execution can lead to better strategic use of your existing resources. 12
Conclusion Thinking differently about your SOX function Thinking outside the SOX box shows that SOX compliance is an opportunity to bring innovative approaches to a subject area that has become somewhat stale and routine. Innovative practices and approaches improve the chances that a company will build more value into its operations, including: • Reductions in spend from a substantial line-item cost • More strategic allocations of financial-control resources • Greater consistency and efficiency of controls across locations through automation • Reduced stress and burden on in-house resources through a powerful combination of automation, outsourcing, and leveraging SOX work across the company • Using automated techniques (e.g., data analytics) — Expanded and more comprehensive risk coverage without increasing the budget When this shift in perspective occurs, there is ample opportunity to bring strategic innovation to the seemingly mundane SOX issues of scoping processes and testing strategies and execution. There are sophisticated tools to explore. Different approaches to acquiring and analyzing data can make the data more valuable, not only for compliance tasks, but for other previously unexplored purposes. 13
Appendices: Background Company revenues Internal Audit department and Internal Control department both own the SOX Annual revenue: administration and testing Annual revenue categories and responses The majority of the respondents fall into the category of US$1 billion to Who owns administration and testing components of US$25 billion in terms of their annual revenues. the SOX compliance function? Ownership of the SOX compliance function The Internal Audit department and the Internal Controls department are the Less than 7% $1 billion main divisions controlling the administration and testing components of SOX compliance for the current respondents. $1–$10 billion 42% Internal Audit 34% department 56% SOX/Internal $11–$25 billion 23% 52% Controls 29% department Finance and 14% accounting 10% $26–$50 billion 13% Business/Process 6% owners 17% More than 14% External service 2% $50 billion provider 14% Compliance/Risk 4% 0% 10% 20% 30% 40% 50% management 5% 2% Percentages may not total 100 due to rounding. Other 4% 0% 10% 20% 30% 40% 50% 60% Administration Testing Multiple responses allowed. 14
Industry breakdown SOX compliance function reports most Response by industry often to the CFO Industry categories To whom does the SOX compliance function report? The two industries with the maximum number of completed surveys were Banking and Capital Markets and Insurance. Reporting relationship of the SOX compliance function Insurance 11% Most respondents report to either the CFO, CAE or the Controller. Banking and capital markets 11% Technology 9% Consumer products 8% Power and utilities 8% CFO 45% Oil and gas 7% Automotive 7% Life sciences 7% CAE 20% iversi ed industrial products 6% Media and entertainment 6% Retail and wholesale 6% Controller 13% Telecommunications 5% Aerospace and defense 2% Asset management 2% 2% Legal counsel Chemicals 2% Mining and metals 2% Real Estate 2% 2% Chief ris of cer 2% Transportation Provider care 1% Chief compliance Airlines 1% 2% of cer Pro essional rms and services 1% Government and 0% public sector SOX steering t r r t 0% committee 2% Private equity 0% 0% 5% 10% 15% 15% Other 0% 10% 20% 30% 40% 50% Percentages may not total 100 due to rounding. 15
Contacts Is your SOX function geared for this transformation? Ernst & Young can help you explore this opportunity. Robert F. Cullen III Sapna Ahuja Partner, Advisory Services Senior Manager, Advisory Services +1 612 343 1000 +1 212 773 5928 robert.cullen@ey.com sapna.ahuja@ey.com For a copy of the complete SOX survey, please contact the above or your Ernst & Young engagement team. For related thought leadership from Ernst & Young, please visit: ey.com
Ernst & Young Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. © 2011 EYGM Limited All Rights Reserved. EYG No. BT0117 This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

More Related Content

PDF
Thinking outside the box survey questions
byVladimir Matviychuk
 
PDF
Upgrade Your Customer Experience
byG3 Communications
 
PDF
Four Keys to Ensuring PLM Adoption
byPTC
 
PDF
Business in the Community Ireland CEO Survey October 2012
byAmarach Research
 
PDF
CEO Responsible Ireland survey 2012
byBusiness in the Community Ireland
 
DOCX
Protractor end-to-end testing framework for angular js
bycodeandyou forums
 
PDF
Testing Backbone applications with Jasmine
byLeon van der Grient
 
PPTX
Jasmine framework
byVishwanath KC
 
Thinking outside the box survey questions
byVladimir Matviychuk
 
Upgrade Your Customer Experience
byG3 Communications
 
Four Keys to Ensuring PLM Adoption
byPTC
 
Business in the Community Ireland CEO Survey October 2012
byAmarach Research
 
CEO Responsible Ireland survey 2012
byBusiness in the Community Ireland
 
Protractor end-to-end testing framework for angular js
bycodeandyou forums
 
Testing Backbone applications with Jasmine
byLeon van der Grient
 
Jasmine framework
byVishwanath KC
 

Viewers also liked

PDF
20150128 angular js_headless_testing
byBenjamin Neu
 
PPTX
интернет в социологии важнейшие информационные сайты дадададад)))
byfaqMEN
 
PDF
Testing Angular 2 Applications - HTML5 Denver 2016
byMatt Raible
 
PDF
Advanced Jasmine
byjbellsey
 
PPTX
The sweet smell of jasmine for testing JavaScript
byEmma Armstrong
 
PPTX
Automated Acceptance Testing Example
byHani Massoud
 
PDF
Angular Testing
byPriscila Negreiros
 
PDF
Carmen Popoviciu - Protractor styleguide | Codemotion Milan 2015
byCodemotion
 
PPTX
Better End-to-End Testing with Page Objects Model using Protractor
byKasun Kodagoda
 
PPTX
Protractor overview
byAbhishek Yadav
 
PPTX
Protractor training
bySergiy Stotskiy
 
PPTX
Protractor for angularJS
byKrishna Kumar
 
PDF
Advanced Jasmine - Front-End JavaScript Unit Testing
byLars Thorup
 
PDF
Protractor: Tips & Tricks
bySergey Bolshchikov
 
PDF
IT Control Objectives for SOX
byMahesh Patwardhan
 
PPTX
Slideshare.Com Powerpoint
byguested929b
 
20150128 angular js_headless_testing
byBenjamin Neu
 
интернет в социологии важнейшие информационные сайты дадададад)))
byfaqMEN
 
Testing Angular 2 Applications - HTML5 Denver 2016
byMatt Raible
 
Advanced Jasmine
byjbellsey
 
The sweet smell of jasmine for testing JavaScript
byEmma Armstrong
 
Automated Acceptance Testing Example
byHani Massoud
 
Angular Testing
byPriscila Negreiros
 
Carmen Popoviciu - Protractor styleguide | Codemotion Milan 2015
byCodemotion
 
Better End-to-End Testing with Page Objects Model using Protractor
byKasun Kodagoda
 
Protractor overview
byAbhishek Yadav
 
Protractor training
bySergiy Stotskiy
 
Protractor for angularJS
byKrishna Kumar
 
Advanced Jasmine - Front-End JavaScript Unit Testing
byLars Thorup
 
Protractor: Tips & Tricks
bySergey Bolshchikov
 
IT Control Objectives for SOX
byMahesh Patwardhan
 
Slideshare.Com Powerpoint
byguested929b
 

Similar to Thinking outside the box (SOX)

PPTX
Automation The Key To Success Ppt V5 (4)
bySandraKeaveny
 
PPTX
Role of HR in fostering innovation : a survey report
bySpadeWorx Software Services
 
PPTX
Role of HR in fostering innovation
bySpadeWorx Software Services
 
PDF
"Electronics Industry CEOs Executive Summary
byIBMElectronics
 
PDF
Gbe03485 usen
byTommy J
 
PDF
Ceo studies
byausrap
 
PDF
lu-agile-services.pdf
byROMANANDRESCancelado
 
PDF
IBM CEO Global Study 2012
byDouglas Burdett
 
PDF
From notification to participation slide share
byStefano Pogliani
 
PPTX
Oscpa webinar sox change readiness
byTiffany Crosby, Coach
 
PDF
HR Innovation: Mia Vanstraelen
byVlerick Business School
 
PDF
IBM Cognos - Få kontroll med ett CFO Dashboard
byIBM Sverige
 
PDF
Analyst Report: EMC IT - Leading the Transformation
byEMC
 
PPTX
2012 05 corp fin 1c
byGene Kim
 
PDF
IBM CEO Study: Transportation Industry Executive Summary
byIBMTransportation
 
PDF
Moving Financial Planning and Analysis to the Next Level
byCognizant
 
PDF
FDSeminar Controlling Christian Pauwels - Bimac
byFDMagazine
 
PDF
Co pilot of the business
byikaro1970
 
PDF
Embedding compliance: how to integrate sarbanes-oxley in your projects
by3gamma
 
PDF
Incentive Comp For The T&L Industry Part 1
byBethCarroll
 
Automation The Key To Success Ppt V5 (4)
bySandraKeaveny
 
Role of HR in fostering innovation : a survey report
bySpadeWorx Software Services
 
Role of HR in fostering innovation
bySpadeWorx Software Services
 
"Electronics Industry CEOs Executive Summary
byIBMElectronics
 
Gbe03485 usen
byTommy J
 
Ceo studies
byausrap
 
lu-agile-services.pdf
byROMANANDRESCancelado
 
IBM CEO Global Study 2012
byDouglas Burdett
 
From notification to participation slide share
byStefano Pogliani
 
Oscpa webinar sox change readiness
byTiffany Crosby, Coach
 
HR Innovation: Mia Vanstraelen
byVlerick Business School
 
IBM Cognos - Få kontroll med ett CFO Dashboard
byIBM Sverige
 
Analyst Report: EMC IT - Leading the Transformation
byEMC
 
2012 05 corp fin 1c
byGene Kim
 
IBM CEO Study: Transportation Industry Executive Summary
byIBMTransportation
 
Moving Financial Planning and Analysis to the Next Level
byCognizant
 
FDSeminar Controlling Christian Pauwels - Bimac
byFDMagazine
 
Co pilot of the business
byikaro1970
 
Embedding compliance: how to integrate sarbanes-oxley in your projects
by3gamma
 
Incentive Comp For The T&L Industry Part 1
byBethCarroll
 

More from Vladimir Matviychuk

PDF
дети в интернете
byVladimir Matviychuk
 
PDF
Insights on it risk bcm
byVladimir Matviychuk
 
PDF
Insights on it risks evolving it landscape
byVladimir Matviychuk
 
PDF
Управление рисками - серебряная пуля или данность моды?
byVladimir Matviychuk
 
PDF
Building control efficiency: Rationalization, optimization and redesign
byVladimir Matviychuk
 
PDF
Insights on it risks cyber attacks
byVladimir Matviychuk
 
PDF
Роль ИТ в выявлении и предотвращении мошенничества на предприятии
byVladimir Matviychuk
 
PDF
Privacy trends 2011
byVladimir Matviychuk
 
PDF
2010 giss results_global and ua_2010
byVladimir Matviychuk
 
PDF
Effective risk management
byVladimir Matviychuk
 
PDF
как составить грамотный Slа
byVladimir Matviychuk
 
PDF
BCP intro
byVladimir Matviychuk
 
PDF
2010 GISS EY
byVladimir Matviychuk
 
PDF
Continious auditing
byVladimir Matviychuk
 
PPTX
Security certification overview
byVladimir Matviychuk
 
PDF
Legalcamp 2.0
byVladimir Matviychuk
 
PPTX
Security Innovation Forum
byVladimir Matviychuk
 
PPTX
Yalta_10 _ey-cio_forum
byVladimir Matviychuk
 
дети в интернете
byVladimir Matviychuk
 
Insights on it risk bcm
byVladimir Matviychuk
 
Insights on it risks evolving it landscape
byVladimir Matviychuk
 
Управление рисками - серебряная пуля или данность моды?
byVladimir Matviychuk
 
Building control efficiency: Rationalization, optimization and redesign
byVladimir Matviychuk
 
Insights on it risks cyber attacks
byVladimir Matviychuk
 
Роль ИТ в выявлении и предотвращении мошенничества на предприятии
byVladimir Matviychuk
 
Privacy trends 2011
byVladimir Matviychuk
 
2010 giss results_global and ua_2010
byVladimir Matviychuk
 
Effective risk management
byVladimir Matviychuk
 
как составить грамотный Slа
byVladimir Matviychuk
 
BCP intro
byVladimir Matviychuk
 
2010 GISS EY
byVladimir Matviychuk
 
Continious auditing
byVladimir Matviychuk
 
Security certification overview
byVladimir Matviychuk
 
Legalcamp 2.0
byVladimir Matviychuk
 
Security Innovation Forum
byVladimir Matviychuk
 
Yalta_10 _ey-cio_forum
byVladimir Matviychuk
 

Recently uploaded

PDF
Fraud Warning MOALA WALLET Exchange Exposed
byTraderKnowsReport
 
PDF
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
PDF
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
DOCX
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
PDF
𝐋𝐚𝐮𝐧𝐜𝐡 𝐘𝐨𝐮𝐫 𝐎𝐰𝐧 𝐀𝐥𝐥 𝐢𝐧 𝐎𝐧𝐞 𝐃𝐞𝐥𝐢𝐯𝐞𝐫𝐲 𝐀𝐩𝐩 𝐏𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐋𝐢𝐤𝐞 𝐆𝐥𝐨𝐯𝐨
byV3CUBE TECHNOLABS
 
DOCX
Buy Instagram Account Purchase_ A Safe and Secure Approach.docx
bybarbeymcdanielokczz
 
PDF
Securiport - Specializes In Civil Aviation And Intelligent Immigration Techno...
bySecuriport
 
PDF
Comments on Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
PPTX
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
PDF
Best Place to Learn Old or Aged Verified Paysera Accounts in WWW.pdf
byTopSelleriT
 
PPTX
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
PDF
Certification Training Course On New Skills Across Globe
bySprintzeal
 
PDF
Guide to Safely Buying Gmail Accounts for Safely-Aged.pdf
bysmartusapva.com
 
PDF
Step-by-Step 17 Guide to Purchasing Verified PayPal Account.pdf
byhttps://www.usaallhub.com/product/buy-verified-paypal-accounts/
 
PDF
Best Websites to Buy Google Voice Accounts in Bulk.pdf
bySinea kumar
 
DOCX
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
PDF
Rami Tawasha - Specializes In High-Impact Work
byRami Tawasha
 
PDF
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
PDF
𝐖𝐚𝐠 𝐂𝐥𝐨𝐧𝐞 𝐏𝐞𝐭 𝐂𝐚𝐫𝐞 𝐀𝐩𝐩 𝐃𝐞𝐯𝐞𝐥𝐨𝐩𝐦𝐞𝐧𝐭
byV3CUBE TECHNOLABS
 
PDF
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 
Fraud Warning MOALA WALLET Exchange Exposed
byTraderKnowsReport
 
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
𝐋𝐚𝐮𝐧𝐜𝐡 𝐘𝐨𝐮𝐫 𝐎𝐰𝐧 𝐀𝐥𝐥 𝐢𝐧 𝐎𝐧𝐞 𝐃𝐞𝐥𝐢𝐯𝐞𝐫𝐲 𝐀𝐩𝐩 𝐏𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐋𝐢𝐤𝐞 𝐆𝐥𝐨𝐯𝐨
byV3CUBE TECHNOLABS
 
Buy Instagram Account Purchase_ A Safe and Secure Approach.docx
bybarbeymcdanielokczz
 
Securiport - Specializes In Civil Aviation And Intelligent Immigration Techno...
bySecuriport
 
Comments on Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
Best Place to Learn Old or Aged Verified Paysera Accounts in WWW.pdf
byTopSelleriT
 
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
Certification Training Course On New Skills Across Globe
bySprintzeal
 
Guide to Safely Buying Gmail Accounts for Safely-Aged.pdf
bysmartusapva.com
 
Step-by-Step 17 Guide to Purchasing Verified PayPal Account.pdf
byhttps://www.usaallhub.com/product/buy-verified-paypal-accounts/
 
Best Websites to Buy Google Voice Accounts in Bulk.pdf
bySinea kumar
 
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
Rami Tawasha - Specializes In High-Impact Work
byRami Tawasha
 
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
𝐖𝐚𝐠 𝐂𝐥𝐨𝐧𝐞 𝐏𝐞𝐭 𝐂𝐚𝐫𝐞 𝐀𝐩𝐩 𝐃𝐞𝐯𝐞𝐥𝐨𝐩𝐦𝐞𝐧𝐭
byV3CUBE TECHNOLABS
 
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 

Thinking outside the box (SOX)

  • 1.
    Thinking outside the SOX box Transforming your compliance function for competitive advantage
  • 2.
    What if? What if you could: • Reduce your SOX compliance costs? You can … by making a bold move and • Be capable of quicker, more on-point changing how you think about and decision-making across your entire execute your SOX function. enterprise? • Free up existing resources for strategic initiatives? 3
  • 3.
    Table of contents Page1 Executive summary: Significant opportunity exists to transform your SOX function Our survey reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors. Page 2 1. Automating your controls Replacing manual detect controls with embedded automated controls will make a significant difference in the hours burned on SOX each year, resulting in an immediate impact on your cost-containment efforts. Page 4 2. Offshoring for lower-cost resources The SOX function procedures are now well codified — it’s time to realize cost efficiencies from globalizing your resources. Page 6 3. Leveraging your IT investment The benefits of going beyond simple automation and more comprehensively leveraging all of your IT resources also applies to your SOX function. Page 8 4. Innovating strategically Strategic innovation around SOX execution can enhance your competitive advantage. Page 13 Conclusion: Thinking differently about your SOX function SOX compliance is an opportunity to bring innovative approaches to help you drive more value into your operations. Page 14 Appendices: • Background • Industry breakdown
  • 4.
    Executive summary Significant opportunity exists to transform your SOX function In April 2011, Ernst & Young conducted a face-to-face survey A small proportion of the interviewees, however, have evolved their with 225 global executives about their SOX compliance functions. thinking. Their companies have come to look at SOX the way they For the most part, we found organizations are still treating SOX look at many of their operations: as an opportunity to innovate, to compliance the same way most of them originally looked at it: as a automate and to gain competitive advantage. These are companies compliance exercise. that have seen the correlation between certain SOX compliance practices and the ability of the SOX function to add value to the business — which 56% of the executives considered a key challenge “Adding value to the business” identified for their SOX function. as a key challenge of SOX functions Thinking outside the SOX box reveals four actions companies can take now to empower their SOX functions to create fundamental advantages in their sectors: What are the key challenges faced by your SOX function? 1. Automate controls The majority of respondents consider adding value to their business a key 2. Offshore for lower-cost resources challenge of the SOX function. 3. Leverage IT investment 4. Innovate strategically Cost/Level of effort and innovation in control 58% testing strategies The Who’s Who of this report Adding value 56% The executives who took part in the survey were all in positions to the business that gave them a close-up view of SOX activities at their Integration with companies — and they told us that the SOX function is definitely other risk and 44% on the C-suite radar: 78% of the survey participants report to compliance functions the CFO, CAE or the Controller. Providing learning and career opportunities 37% for SOX personnel We aimed for broad-based representation across industries, with 21 sectors involved, ranging from aerospace and defense to Technology- 32% telecommunications. The greatest number of respondents were related challenges in banking and capital markets and insurance, with 11% each of the total participants, followed by technology (9%), and power Controls monitoring 32% and utilities and consumer products (8%). See Appendices for full industry breakdown. Effectiveness 25% While we talked with executives at companies ranging in size from of resources less than US$1 billion in annual revenues to more than US$50 Dealing with mergers billion, the bulk of the participants (65%) were in the middle of the or acquisitions of 16% range, companies between US$1 billion and US$25 billion in size. private or non-SOX- compliant entities Other 15% 1% None of the above 0% 10% 20% 30% 40% 50% 60% Multiple responses allowed 1
  • 5.
    1. Automating yourcontrols When we asked the survey executives about the number of controls • 35% of our participants indicate that they have more than 1,000 tested by their SOX function, we got a good picture of just how controls, more than 60% of which are key controls. massive an undertaking SOX compliance is: Then factor in that, for 62% of the companies, the testing of key controls alone took at least five hours … per control. Add test of design, walk-through and all the controls that aren’t designated as Companies that reduce their total number key − which could be 20%–40% of the total number of controls − and of controls tend to focus on key controls the time in the field to actually perform all the manual controls. In short, SOX is a tremendous drain on resources that could be deployed on other, more value-added tasks. What is your company’s total number of It’s a diverse drain on resources, as well: survey participants SOX-related controls? revealed they were experiencing SOX deficiencies in more than 10 different areas of SOX testing, from derivatives to inventory, with Total number of SOX-related controls 51% saying that IT general controls were giving them the most The majority of respondents have fewer than 1,000 controls. problems (financial statement close process was the second-highest area of deficiencies at 9%). Less than 250 19% Testing is the most time-consuming 250–499 24% of the three key SOX activities On average, how many hours do you spend on each 500–999 22% key control? Design and walk-throughs versus testing controls Between 22% • Most respondents spend less than five hours on design and walk-through 1,000–2,499 of each control. • By comparison, the majority of respondents spend 5 hours or more on 2,500 or more 13% testing per control. 0% 10% 20% 30% Design 80% 13% 6% 1% What percentage of your controls are key controls? Controls Percentage Walk-through 72% 25% 3% Less than 250 79% 250–499 78% 500–999 72% Testing 39% 39% 15% 8% Between 1,000–2,499 66% 2,500 or more 62% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Key controls as a percentage of total controls Less than 5 hours 5 to 10 hours Average key control percentages are provided for the corresponding 11 to 20 hours over 20 hours categories on left. The fewer total controls, the higher the percentage of focus on key controls. Companies that reduce their total number of controls Percentages may not total 100 due to rounding. tend to focus on key controls. 2
  • 6.
    Budget/Spend for SOXcompliance Few key controls fully automated What is the company’s annual budget/spend for What is the percentage of fully automated controls SOX compliance? (vs. manual or IT-dependent controls) that make up your total key controls? Less than $0.5 million 18% Fully automated key controls • Most respondents say that less than 25% of their key controls are fully automated. $0.5–$0.9 million 18% And yet, only 3% of the executives have fully automated more than half of their key controls — and 78% have fully automated less than a quarter $1–$1.9 million 27% of their key controls. $2–$2.9 million 15% No key controls 1% are fully automated $3–$4.9 million 8% Less than 10% of key controls are 36% fully automated $5 million 14% 10% to 25% of key or more controls are 41% 0% 5% 10% 15% 20% 25% 30% fully automated 26% to 50% of key controls are 19% Average Median fully automated US$2,766,742 US$1,200,000 51% to 75% of key controls are 3% fully automated You can easily see why 39% of participants consider cost More than 75% of key to be one of their key challenges. The SOX spend data confirms controls are 0% fully automated that this can be a major budget item: 0% 10% 20% 30% 40% 50% • 37% spend at least US$2 million annually. • 14% spend at least US$5 million. Takeaway There is widespread recognition that automation frees up Increasing use of automated controls can reduce your resources to be put to better use elsewhere. By increasing costs in other ways too. We saw 55% of survey participants your use of preventative automated controls and “turning indicate that their external auditors relied on 51% or more on” key switches in IT systems, you can drive down the of the walk-throughs and testing work performed in-house. number of manual touch points and labor-intensive detect So, if you automate controls and do SOX right, you may also controls. Similarly, using automated tools in the SOX be able to increase reliance by your auditor. This may help controls-testing process will have an immediate impact on reduce the time spent by your SOX-function employees SOX costs. handling the inquiries and testing by the external auditors. 3
  • 7.
    2. Offshoring forlower-cost resources Cosourcing is already being used extensively in the SOX arena: 50% • 81% of our survey executives said that Internal Audit was of survey participants said that they used outside service providers involved with their SOX program. for some part of their SOX-compliance work, with 66% using outside • 40% indicated that their Internal Audit department devoted at resources for testing. And yet: least a quarter of its budget or more to SOX activities. The majority of respondents use outside providers — most often for testing Do you use an outside service provider for If yes, how do you use them? SOX activities? Outside service provider usage Outside service provider used for SOX activities Testing is the key activity performed by outside service providers. Just over half the respondents have an outside provider for one or more SOX activities. Testing 74% Scoping/ 18% risk assessment No Yes PMO 7% 48% 52% All of the above 16% Other 14% 0% 10% 20% 30% 40% 50% 60% 70% 80% Multiple responses allowed. 4
  • 8.
    Most IA departmentsare involved in the SOX program Is Internal Audit involved in the SOX program? If IA is used in the SOX program, what percent of IA budget/capacity is spent on SOX testing? Internal Audit involvement in SOX program For the majority of respondents, the Internal Audit department is involved Internal Audit resources on SOX testing with the SOX program. Most respondents whose Internal Audit department is involved in the SOX program say that less than 25% of its budget and capacity is spent on SOX. testing. Less than 25% 59% No 19% 26%–50% 29% 51%–75% 10% Yes 81% Over 75% 1% Don't know/ 1% unsure 0% 10% 20% 30% 40% 50% 60% 70% The outsourcing of activities that aren’t fundamental to meeting SOX work performance breakdown strategic business objectives has been a leading business practice for many years now. There is no question that it reduces costs and What percentage of SOX work is performed by the allows in-house resources to be applied to more strategic, core- business matters. The off-shoring of such less-strategic operations following: not only helps companies reduce costs, but it also allows them to practice “follow the sun” operations, which provide another means Total 100% for increasing the productivity of in-house and (or) domestically Resources at corporate headquarters 60% located resources. Yet only 3% of our survey participants were using offshore resources for their SOX function. Regional resources at other company locations 26% Domestic third-party resources 9% Takeaway Other 2% The basic procedures involved in the SOX function have Offshore third-party resources 2% been in practice for several years and are fairly well Offshore resources not at company locations 1% codified. Now is the time to realize the cost efficiencies that can be derived from globalizing your resources. 5
  • 9.
    3. Leveraging yourIT investment Let’s be clear: leveraging your IT investment goes far beyond turning on various automated controls in the systems and automating testing. There is a real opportunity to use technology Ernst & Young more strategically. Yet, we found only small percentages using more innovative technology-based techniques: Controls Review Tool • Only 21% employ data analytics regularly. Ernst & Young’s proprietary Controls • 88% never use predictive modeling. Review Tool (CRT) enables our teams • 65% do not use continuous controls monitoring. to quickly assess their clients’ current We found that 90% of survey participants still use Excel® controls strategy and assist in the for their scoping exercise, when there are other third-party identification of potential opportunities tools that can slice and dice risks and controls in order to optimize scoping. for improving the strategy for testing controls and improving controls-related documentation. Testing process: data analytics or The CRT presents internal controls predictive modeling? data in a user-friendly format, including How often do you use the following as part of your a summary of control statistics, a testing process? detailed breakdown of controls by processes and related applications, Tools used in the testing process and different views of the relationships Most respondents either never or sometimes use advanced analytical techniques as part of their control testing process. between controls and risks. The CRT Among those who use them often or always, data analytics is the most can also help provide visibility into popular technique. opportunities for rationalizing or optimizing controls, including better leveraging of automated controls. Data 37% 42% 15% 6% analytics Automated testing 39% 44% 14% 3% methods 1% Predictive 88% 9% 2% modeling 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Never Sometimes Often Always 6
  • 10.
    Continuous controls monitoring Excel® favored for scoping exercises not widely used What tools/software do you use as part of your For what percent of SOX controls do you perform scoping exercise? continuous controls monitoring (e.g., leveraging Blackline to monitor account reconciliations)? Continuous controls monitoring Excel® 90% • Almost all respondents say that they either do not perform continuous controls monitoring at all, or do so for less than 25% of all SOX controls. Third-party 19% vendor/software Do not perform continuous 65% controls In-house – monitoring developed tool/ 14% software Less than 25% 28% None 4% 26%–50% 3% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 51%–75% 1% Multiple responses allowed. More than 75% 2% 0% 10% 20% 30% 40% 50% 60% 70% Percentages may not total 100 due to rounding. Takeaway Strategic use of your IT investment is a critical driver of competitive advantage. Our survey results suggest that this holds true for applying it to your SOX functions as well. 7
  • 11.
    4. Innovating strategically Oursurvey explored the opportunities for applying innovative Specific innovative practices we asked about included: practices to the SOX function and found this to be a relatively • Use of control self-assessment (58% do not use at all) untapped option. • Peer reviews (63% do not use at all) For instance, when asked when the last time a controls rationalization/optimization or other innovative exercise had • Incorporating the SOX function into ERM program (48% do not) been conducted − only 52% of respondents said it had been • Creating more entity-level controls (94% had fewer than a quarter during the current fiscal year. of their key controls as entity-level controls) Incorporating the SOX function into Few key controls are entity-level controls Enterprise Risk Management What is the percentage of entity-level controls that Is SOX incorporated into your Enterprise Risk make up your total key controls? Management (ERM) program? Entity-level controls as percentage of total Relationship between SOX and ERM key controls Almost half of respondents do not incorporate SOX into their ERM programs. Less than 10% of key controls are 54% entity-level controls 10%–25% of key controls are 40% entity-level controls 26%–50% of key controls are entity- 5% No Yes level controls 48% 52% 51%–75% of key controls are entity- 1% level controls More than 75% of key controls are entity 1% level controls 0% 10% 20% 30% 40% 50% 60% Percentages may not total 100 due to rounding. The use of entity-level controls is a particularly under-utilized opportunity. Since one really effective entity-level monitoring control may eliminate the need to do many transaction-level controls, companies can significantly reduce the testing workload by properly designing robust and effective entity level controls. 8
  • 12.
    Rationalization/optimization exercises havebeen performed When was the last time a rationalization/optimization If a rationalization/optimization or other or some other innovative exercise was conducted? innovative exercise was conducted, what techniques were used? Innovative exercises Only 52% performed rationalization/ optimization or other innovative Key techniques exercises this fiscal year. Most respondents utilized rationalization of in-scope controls. Current 52% Rationalization of 91% s a year in-scope controls Increased reliance on higher-level quarterly/monthly 55% ast s a year 19% controls and less on transactional controls Automation/ Two or more Optimization of 42% 24% SOX controls years ago Global standardization of control set (if 41% Not performed 4% multiple countries/ locations) Use of technology 22% 0% 10% 20% 30% 40% 50% 60% for testing Percentages may not total 100 due to rounding. Implementation of continuous controls 20% monitoring Other 7% None of the above 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Multiple responses allowed. 9
  • 13.
    Control self-assessment notwidely used Peer reviews not widely used For what percent of controls does the company use For what percent of controls does the company use control self-assessment (CSA)? peer reviews? CSA Peer reviews • The majority of respondents do not use CSA. • The majority of respondents do not use peer reviews. Do not use Do not use 63% control 58% peer reviews self-assessment 17% Less than 25% 16% Less than 25% 26%–50% 5% 26%–50% 4% 3% 51%–75% 4% 51%–75% More than 75% 12% More than 75% 16% 0% 10% 20% 30% 40% 50% 60% 70% 0% 10% 20% 30% 40% 50% 60% 70% Percentages may not total 100 due to rounding. Percentages may not total 100 due to rounding. 10
  • 14.
    There appears tobe good reason to explore such innovative The leveraging of SOX information and testing with other practices: they help deliver additional value for the business. departments that could put it to valuable use was also fairly For instance, of those survey participants who had incorporated minimal: their SOX function into their ERM program, 79% were satisfied or • Only 9% of participants indicate they “significantly” leverage extremely satisfied with the ability of their SOX function to add their SOX testing results with their regulatory and compliance value, while only 54% of those who hadn’t folded SOX into ERM functions. programs were similarly satisfied. Similar results were noted when we asked about continuous controls monitoring. • Only 3% of participants do the same with their legal department. Leveraging SOX information and testing across other functions/ departments within a company will decrease the burden felt by the SOX incorporated into ERM program and business units. Another point here is that there are opportunities to get a leg up on the competition by building the SOX function into satisfaction with value the regular ebb and flow of business operations — by using self assessments or peer reviews. Once you change the mindset at Is SOX incorporated into your ERM program? the business-unit level, the SOX function can move beyond compliance and into helping manage and monitor the business How satisfied are you with the ability of your SOX on a continuous basis. function to add value? Internal Audit most often leverages SOX testing results How much do you leverage your SOX testing results with other departments in the company or other No 45% 43% 11% compliance/reporting functions? o Leveraging SOX testing results o Respondents leverage SOX testing results most with the Internal Audit department. e Yes o o 21% 65% 14% IA 7% 13% 26% 54% 0% 20% 40% 60% 80% 100% ess s s e s e e e s s e Regulatory/ 33% 39% 19% 9% Percentages may not total 100 due to rounding. Compliance There are also opportunities to get ahead of the competition by exploring and developing innovative ways to generate more usable Legal 51% 35% 11% 3% SOX information and (or) put SOX testing/data to more diversified use. When we asked about the frequency of controls testing, we 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% found only 4% test continuously through the year. This is roughly the same percentage that has fully automated most controls Not at all Very little Moderately (which is probably required to make it economically feasible to do continuous testing). 11
  • 15.
    Does this lackof innovation matter? Our survey participants seem Frequency of testing and roll-forward to think so. The participants whose companies refrain from using the most progressive testing and scoping practices are less satisfied approach with the ability of their SOX function to add value. What is the frequency of your testing and your roll- forward approach? Use of continuous controls monitoring, Key techniques CSA and peer reviews coincides with Frequency results for testing and rollforward are fairly evenly distributed fewer respondents being less than over the year among the respondents. satisfied with value of SOX function A greater percentage of respondents who were “less Controls tested continuously throughout 4% than satisfied” with the ability of their SOX function the year to add value do not use the most progressive or Majority of controls tested in innovative practices: Q1 or Q2 and then roll-forward 23% procedures/testing re-performed in Q4 Majority of controls tested in 25% Q1 or Q2 and limited 25% CSA roll-forward procedures 37% performed in Q4 Majority of controls tested later in the year (late Q3/Q4), 29% no rollforward performed 22% Peer review 38% Controls testing spread 20% evenly throughout the year 0% 10% 20% 30% 40% Continuous 19% control Percentages may not total 100 due to rounding. 39% monitoring 0% 5% 10% 15% 20% 25% 30% 35% 40% Use technique Do not use technique Takeaway In the global economy of the 21st century, innovation often plays a vital role in differentiating a company and bringing it to a position of industry leadership. Strategic innovation around SOX execution can lead to better strategic use of your existing resources. 12
  • 16.
    Conclusion Thinking differently about your SOX function Thinking outside the SOX box shows that SOX compliance is an opportunity to bring innovative approaches to a subject area that has become somewhat stale and routine. Innovative practices and approaches improve the chances that a company will build more value into its operations, including: • Reductions in spend from a substantial line-item cost • More strategic allocations of financial-control resources • Greater consistency and efficiency of controls across locations through automation • Reduced stress and burden on in-house resources through a powerful combination of automation, outsourcing, and leveraging SOX work across the company • Using automated techniques (e.g., data analytics) — Expanded and more comprehensive risk coverage without increasing the budget When this shift in perspective occurs, there is ample opportunity to bring strategic innovation to the seemingly mundane SOX issues of scoping processes and testing strategies and execution. There are sophisticated tools to explore. Different approaches to acquiring and analyzing data can make the data more valuable, not only for compliance tasks, but for other previously unexplored purposes. 13
  • 17.
    Appendices: Background Company revenues Internal Audit department and Internal Control department both own the SOX Annual revenue: administration and testing Annual revenue categories and responses The majority of the respondents fall into the category of US$1 billion to Who owns administration and testing components of US$25 billion in terms of their annual revenues. the SOX compliance function? Ownership of the SOX compliance function The Internal Audit department and the Internal Controls department are the Less than 7% $1 billion main divisions controlling the administration and testing components of SOX compliance for the current respondents. $1–$10 billion 42% Internal Audit 34% department 56% SOX/Internal $11–$25 billion 23% 52% Controls 29% department Finance and 14% accounting 10% $26–$50 billion 13% Business/Process 6% owners 17% More than 14% External service 2% $50 billion provider 14% Compliance/Risk 4% 0% 10% 20% 30% 40% 50% management 5% 2% Percentages may not total 100 due to rounding. Other 4% 0% 10% 20% 30% 40% 50% 60% Administration Testing Multiple responses allowed. 14
  • 18.
    Industry breakdown SOX compliance function reports most Response by industry often to the CFO Industry categories To whom does the SOX compliance function report? The two industries with the maximum number of completed surveys were Banking and Capital Markets and Insurance. Reporting relationship of the SOX compliance function Insurance 11% Most respondents report to either the CFO, CAE or the Controller. Banking and capital markets 11% Technology 9% Consumer products 8% Power and utilities 8% CFO 45% Oil and gas 7% Automotive 7% Life sciences 7% CAE 20% iversi ed industrial products 6% Media and entertainment 6% Retail and wholesale 6% Controller 13% Telecommunications 5% Aerospace and defense 2% Asset management 2% 2% Legal counsel Chemicals 2% Mining and metals 2% Real Estate 2% 2% Chief ris of cer 2% Transportation Provider care 1% Chief compliance Airlines 1% 2% of cer Pro essional rms and services 1% Government and 0% public sector SOX steering t r r t 0% committee 2% Private equity 0% 0% 5% 10% 15% 15% Other 0% 10% 20% 30% 40% 50% Percentages may not total 100 due to rounding. 15
  • 19.
    Contacts Is your SOXfunction geared for this transformation? Ernst & Young can help you explore this opportunity. Robert F. Cullen III Sapna Ahuja Partner, Advisory Services Senior Manager, Advisory Services +1 612 343 1000 +1 212 773 5928 robert.cullen@ey.com sapna.ahuja@ey.com For a copy of the complete SOX survey, please contact the above or your Ernst & Young engagement team. For related thought leadership from Ernst & Young, please visit: ey.com
  • 20.
    Ernst & Young Assurance| Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. © 2011 EYGM Limited All Rights Reserved. EYG No. BT0117 This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.