KPMG LLP is pleased to present the findings from our new SOX survey. This report provides a detailed look at the SOX programs implemented by companies of varying industries and sizes, from governance and strategy to details on execution and costs.
Our report presents summary findings and key measures from the survey data and is designed to provide insight, useful direction, and provides a basis for comparison and further analysis.
Additionally, KPMG analyzed comparative metrics from this survey to our 2016 survey to highlight notable differences in the SOX program landscape over the past 6 years.
Key observations
Program structure/ Governance
- 90% of the participants considered their SOX program to be in a matured or an evolved state
- Controls optimization and Improving business processes were reported as key focus areas for SOX programs
- 88% of participants reported that their organization’s culture is supportive of the SOX program
- 67% reported that the SOX program’s impact is considered while planning business initiatives
- 89% of the companies reported External Auditor reliance on their SOX program
- Use of External Auditor templates and modifying sample sizes were reported as ways to increase reliance
- Despite high External Auditor reliance, 85% of the companies couldn’t quantify the savings achieved on their organization’s testing
- A fifth of the companies reported that SOX testing contributes to >60% of their total Internal Audit budget each year
Program budget
- 40% of participants reported an increase in the year-over- year cost of their SOX program
- Participants indicated the increase was driven by changes in company structure, increase in key control counts, and new system implementations
- Overall, average budget for the SOX program was reported to be $1.6M, and 11,800 hours
- Average cost of compliance per control, basis responses, was calculated as $3,200
- Average hours per control for ToE testing was reported to be 12 hours
- Transactional controls required the most hours (16 hours per control) for ToE testing, whereas entitylevel controls required the least hours per control (9 hours per control).
- ToE was reported as the most timeconsuming SOX activity followed by process walkthroughs, and test of design
Risk assessment
New system implementation, process reengineering, and acquisitions, divestitures and/or reorganizations were reported as the most considered factors during SOX risk assessment in 2022
New or superseded accounting pronouncements and regulatory changes were some other common factors considered in the risk assessment process
A majority of the participants reported their company’s in-scope control count to be more than or same as the External Auditor
46% of participants reported that their IA team is responsible for the performance of SOX risk assessment related activity
Maximum outsourcing was seen in ToE activity and the least outsourcing was seen in SOX strategy and reporting activities
Control environment
- On average, key control count increased by 41% in 2022 (463 controls) when compared with 2016 (329 controls)
- Non-key controls constituted 44% of the total controls and 66% of the companies document nonkey controls
- ~80% of total controls were reported as manual or IT dependent manual controls
- In large-size companies ($20B+), 37% of total controls reported to be automated
- Overall average of automated controls stood at 21%
- 65% of participants reported they have modified their control portfolio in 2022
Testing
- 94% of companies performed their ToE in two or more phases
- >60% of companies assigned risk levels to their controls
- 76% of companies modified their sample size based on the risk levels
- 66% of participants reported use of data analytics in their SOX program
- Sample selection and control testing phases were noted as areas with the highest application of data analytics
- 38% of companies report reduction in their program’s in-scope control count. Tech enablement and controls optimization noted as key drivers for the decrease
- Audit committee communication and reporting focused on reporting control exceptions and the associated remediation activities
- Companies reported an average of 9 control deficiencies in 2022
- Majority number of control deficiencies were reported in GITC, order to cash, and financial reporting and close processes
Technologies and tools
- 69% of companies utilized a GRC technology for their SOX program
- AuditBoard and Workiva’s Wdesk were the most utilized technologies amongst the participants using GRC technology
- Companies have also started incorporating other technologies such as Archer and TeamMate in their SOX programs
- Participants reported use of a GRC tool primarily for tasks related to control testing, workflow management and status reporting
- 50% of participants reported the External Auditor had access to their GRC technology
- >90% of companies surveyed were either fully or somewhat satisfied with their current GRC technology
- Ability to customize and simplified user interface were reported as required enhancements in GRC technologies
