For 5 years, the software company Workiva has partnered with a Linke09dIn group, SOX and Internal Controls Professionals Group to survey companies about their SOX compliance program.
Their 2020 State of the SOX/Internal Controls Market Report has some interesting content. 428 professionals responded, making it quite credible.
One of the early observations in the report is about the number of key controls and how many are labeled as ‘entity-level.’
Unfortunately, while they say “there is a correlation between the number of controls and the size of the company’s revenue,” their graphic makes it hard to see the average number of key controls for different size organizations.
One of the points I make in my SOX Masters training is that as revenue grows, so should materiality. As a result, the number of ways in which an error could occur that would cause a material misstatement of the consolidated financials shrinks. The correlation between the number of key controls and revenue should not be anything like a straight line.
While 48% of the respondents have 250 or fewer key controls, 15% have more than 1,000.
No wonder that one of the observations in the survey is that people are looking to drive efficiencies into the program.
In my book and class, I talk about the fact that there are multiple levels in any organization. Each may have controls that can be relied upon, whether at corporate, business unit, country, or location. So the term ‘entity’ level can take you in the wrong direction.
There is a section on deficiencies, but it does not help us understand the cause of material weaknesses or significant deficiencies.
59% had no significant deficiencies and 83% no material weaknesses. That indicates, IMHO, too many had issues that had to be reported to the board or, worse, led to an assessment of ICFR as ineffective.
As you might expect, there is a section on the use of technology.
It is interesting that 12% say they have implemented continuous control monitoring for SOX and 56% are considering it.
I hope they realize that there’s a huge difference between monitoring data and activities and monitoring controls. If their software does not provide assurance that the controls are performing consistently as intended and are adequately designed, they have a problem. Just because the data is without error doesn’t mean that any controls were performed.
The role of internal audit is confusing to me. They say 45% are in charge of managing the SOX compliance program but only 33% are in charge of project management.
Setting that inconsistency aside, 77% have internal audit performing the testing.
One highly troubling result is that 31% of internal audit teams are spending more than half their time on SOX. That may be OK if they are still able to perform audits on the more significant sources of risk to enterprise objectives. 44% of companies have very small audit teams (less than 5) and 74% have fewer than 10 auditors. So it is not possible to draw any conclusions from the survey’s figures on the number of ‘operational audits’ (presumably all the non-SOX audits, but that is a misuse of the term ‘operational audits’). If they have 5 auditors performing 10 audits, that may be appropriate.
As I said, I am encouraged that the respondents recognize the need for improved efficiency. 60% say they are focused on control optimization and 53% on control rationalization.
Overall, this has a few good points but the survey and its analysis have significant deficiencies.
- Internal audit wastes so much time on policies, documentation, and more! - January 17, 2024
- The risk to an organization of technology debt or deficit - December 11, 2023
- When enterprise risk-based audit plans are not enough - November 15, 2023