Take control of your internal controls

With increased regulatory scrutiny, changes in key accounting standards and pressures from external auditors, companies need to take control of their SOX programs — or it may take control of them. Below are the key 2016 survey* findings highlighting areas for companies to consider in taking a proactive approach to maturing their SOX program.

Companies may be overly focused on aligning with the external auditor and maximizing reliance

  • 81% companies whose primary strategy for SOX programs in 2016 was to maximize external auditor reliance.
  • 89% companies that had no difference between what the company had in scope/tested vs. the external auditor.

Companies should take a proactive role in establishing their own strategy and making decisions related to their controls and overall ICOFR program, including an economic and risk-based decision about external audit reliance. 

Companies are very focused on minimizing costs, but are focused on compliance costs rather than also considering performance costs, which is the larger opportunity.

  • 83% companies whose SOX program strategy was focused on minimizing compliance costs.
  • 15% companies whose greatest focus was reducing control performer efforts.

In efforts to minimize SOX costs, companies are primarily looking at compliance costs (testing and auditing) as these costs are more ‘visible’ to the company. However, most of the total cost of controls is generally related to the performance of controls (design, execution and administration). 

Companies are not fully leveraging technology to transform their control portfolios and SOX programs

  • 18% average number of total controls that are automated. 
  • 8% companies using data analytic procedures in the execution of their SOX program. 
  • 14% companies using continuous monitoring

Companies generally have invested significant resources into implementing enterprise resource planning and other key systems, as well as designing information technology general controls over those systems. Companies now need to continue focusing on implementing and monitoring additional automated controls within those systems to reduce risk and reduce the cost of controls.

Companies are not using SOX as a way to add value to their processes

  • In companies where the Internal Audit department participates in SOX activities:
    •  55% Internal audit departments spend ≥ 75% total hours on SOX
  • 57% Companies strategically improving business processes to: 
    • decrease the cost of control performance,
    • reduce risk, and
    • add value.

When SOX is part of a company’s culture and the program is working efficiently, the program can add value rather than just being a compliance exercise. This can allow more time and money to be focused toward broader Internal Audit and value creation initiatives that align with the broader corporate values and strategies

*Surveys were completed by KPMG professionals based on their experience in providing SOX services to their clients. The KPMG professionals have a detailed understanding of their client’s internal controls over financial reporting. The experiences of 59 client engagement teams are represented in the survey responses. The findings offer useful direction and provide a basis for comparison and further analysis. Click here to download the full survey.

Related content


KPMG 2016 internal sox survey infographic