Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

The 2023 KPMG SOX report

Insights based on a 2022 survey of over 150 SOX professionals across industry sectors

KPMG LLP is pleased to present the findings from our new SOX survey. This report provides a detailed look at the SOX programs implemented by companies of varying industries and sizes, from governance and strategy to details on execution and costs.

Our report presents summary findings and key measures from the survey data and is designed to provide insight, useful direction, and provides a basis for comparison and further analysis.

Additionally, KPMG analyzed comparative metrics from this survey to our 2016 survey to highlight notable differences in the SOX program landscape over the past 6 years.

Key observations

Program structure/Governance

  • 90% of the participants considered their SOX program to be in a matured or an evolved state
  • Controls optimization and Improving business processes were reported as key focus areas for SOX programs
  • 88% of participants reported that their organization’s culture is supportive of the SOX program
  • 67% reported that the SOX program’s impact is considered while planning business initiatives
  • 89% of the companies reported External Auditor reliance on their SOX program
  • Use of External Auditor templates and modifying sample sizes were reported as ways to increase reliance
  • Despite high External Auditor reliance, 85% of the companies couldn’t quantify the savings achieved on their organization’s testing
  • A fifth of the companies reported that SOX testing contributes to >60% of their total Internal Audit budget each year

Program budget

  • 40% of participants reported an increase in the year-over- year cost of their SOX program
  • Participants indicated the increase was driven by changes in company structure, increase in key control counts, and new system implementations
  • Overall, average budget for the SOX program was reported to be $1.6M, and 11,800 hours
  • Average cost of compliance per control, basis responses, was calculated as $3,200
  • Average hours per control for ToE testing was reported to be 12 hours
  • Transactional controls required the most hours (16 hours per control) for ToE testing, whereas entitylevel controls required the least hours per control (9 hours per control). 
  • ToE was reported as the most timeconsuming SOX activity followed by process walkthroughs, and test of design

Risk assessment

  • New system implementation, process reengineering, and acquisitions, divestitures and/or reorganizations were reported as the most considered factors during SOX risk assessment in 2022
  • New or superseded accounting pronouncements and regulatory changes were some other common factors considered in the risk assessment process 
  • A majority of the participants reported their company’s in-scope control count to be more than or same as the External AuditorAverage hours per control for ToE testing was reported to be 12 hours
  • 46% of participants reported that their IA team is responsible for the performance of SOX risk assessment related activity
  • Maximum outsourcing was seen in ToE activity and the least outsourcing was seen in SOX strategy and reporting activities

Control environment

  • On average, key control count increased by 41% in 2022 (463 controls) when compared with 2016 (329 controls)
  • Non-key controls constituted 44% of the total controls and 66% of the companies document nonkey controls
  • ~80% of total controls were reported as manual or IT dependent manual controls
  • In large-size companies ($20B+), 37% of total controls reported to be automated
  • Overall average of automated controls stood at 21%
  • 65% of participants reported they have modified their control portfolio in 2022

Testing

  • 94% of companies performed their ToE in two or more phases
  • >60% of companies assigned risk levels to their controls
  • 76% of companies modified their sample size based on the risk levels
  • 66% of participants reported use of data analytics in their SOX program
  • Sample selection and control testing phases were noted as areas with the highest application of data analytics
  • 38% of companies report reduction in their program’s in-scope control count. Tech enablement and controls optimization noted as key drivers for the decrease
  • Audit committee communication and reporting focused on reporting control exceptions and the associated remediation activities
  • Companies reported an average of 9 control deficiencies in 2022
  • Majority number of control deficiencies were reported in GITC, order to cash, and financial reporting and close processes

Technologies and tools

  • 69% of companies utilized a GRC technology for their SOX program
  • AuditBoard and Workiva’s Wdesk were the most utilized technologies amongst the participants using GRC technology
  • Companies have also started incorporating other technologies such as Archer and TeamMate in their SOX programsSample selection and control testing phases were noted as areas with the highest application of data analytics
  • Participants reported use of a GRC tool primarily for tasks related to control testing, workflow management and status reporting
  • 50% of participants reported the External Auditor had access to their GRC technology
  • >90% of companies surveyed were either fully or somewhat satisfied with their current GRC technology
  • Ability to customize and simplified user interface were reported as required enhancements in GRC technologies

Dive into our thinking:

2023 KPMG SOX report

Download PDF

Explore more

Meet our team

Image of Sue King
Sue King
Partner and SOX Solutions Lead, KPMG US

Explore other services tailored to your business

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Headline