A review of the Protiviti 2012 SOX survey

Protiviti has published their 2012 Sarbanes-Oxley Compliance Survey, an updated version of their 2011 survey, which I reviewed a year ago.

It is my view that before writing a report like this, you need to understand what readers want – and that is answers to questions relevant to their practice. I suggested in last year’s review what those questions might be and asked that Protiviti answer them in their next (i.e., the 2012) report; I understand from their leadership that they did consider my input.

Before I get to whether they have answered the questions relevant to company practices, I would like to point out one great value in the report: they will provide companies with reports that focus on their specific situation (such as industry or company size). Contact them at the numbers or email addresses shown on page 54.

Now let’s see if we have the answers we need.

1. Key controls
  • What is the average number of key controls for companies? (Mean, median, and how much do the numbers vary?)
The study talks about the number of entity-level and process controls (not mentioning IT general controls) and then the percentage that are considered key controls. In 2011 the average was 91 entity-level and 401 process controls. The average percentage of those that are key is not shown, so no determination can be made of the number of key controls.
  • How does that vary by company size?
Not covered by the report, but is presumably available on demand.
  • How does that vary by industry?
Not covered by the report, but is presumably available on demand.
  • How does that vary depending on whether a single ERP is used?
Not covered by the report.
  • How does that vary when the majority of processes are performed by a shared service center?
Not covered by the report.
  • What are the trends?
Not covered by the report.
  • What percentage of key controls are automated controls? How many are hybrid? How many are at the entity-level (corporate vs. regional vs. division)? How many are IT general controls?
Page 22 discusses the number of key controls that are automated: 41% have at least 20% automated, and 30% have 20% – 49% automated. The other questions are not covered by the report.
2. Cost
  • What is the average total cost of the SOX program?
The survey says that most companies spend between $100k and $500k, although 34% of large companies (defined as having revenue of $10b or more) are spending at least $2m.
  • How does that vary by company size?
Protiviti reports that smaller companies spend less. Unfortunately, they did not look at spend as a percentage of revenue or provide other meaningful statistics.
  • How does that vary by industry?
Not covered by the report, but is presumably available on demand.
  • How does that vary depending on whether a single ERP is used?
Not covered by the report.
  • How does that vary when the majority of processes are performed by a shared service center?
Not covered by the report.
  • What are the trends?
Not covered by the report.
  • What percentage of the cost relates to the testing of automated controls?
Not covered by the report.
  • What percentage of the cost relates to the testing of IT general controls?
Not covered by the report.
3. Reliance by external auditors
  • What is the average level of reliance (in terms of percentage of key controls)?
The report provides, on page 18, two charts that show reliance for low-risk and moderate-risk areas. There is no overall average and reliance for high-risk is only mentioned as being less – or not at all.
  • How does that vary for low risk and high risk controls?
See the charts on page 18. Greater reliance is placed for low-risk areas.
  • How does that vary by company size?
Not covered by the report, but is presumably available on demand.
  • How does that vary by industry?
Not covered by the report, but is presumably available on demand.
  • How does that vary by type of control (manual vs. automated vs. IT general controls)?
Not covered by the report.
  • How does that vary by audit firm?
Not covered by the report.
  • How does that vary when internal audit does the work, rather than management or another independent testing group?
The charts show a significant increase in reliance when internal audit does the work: 33% of companies report 75% or greater reliance for low-risk areas, and 17% report 75% reliance for moderate-risk areas.
4. Use of automation
How much use is made of automation for:

  • Program management, including scheduling, remediation management, and reporting.
Not covered by the report.
  • Process and control documentation.
This is addressed on page 39: a total of 84% are using some form of automation for process and testing documentation.
  • Documentation of testing.
See above.
  • Surveys and self-assessments.
Presumably covered by the above.
  • Automated testing of controls.
Not covered by the report.
How valuable are each of the above? Not covered by the report.

The survey has a great deal of other commentary on topics such as the value of the SOX work, whether smaller organizations should be exempt, or whether there should be rotation of the external audit firm. I don’t know about you, but I leave these matters for Congress and don’t find the discussions useful to practitioners.

Protiviti did note that:

  • Organizations are reducing the number of key controls, primarily by focusing on key controls. Unfortunately, the comparative data is between the first year of compliance and 2011, which says nothing about what has happened in the last year.
  • The opportunity remains to automate key controls. However, Protiviti did not comment on the use of technology to test controls.
  • “Many large companies are at or near the end of their efforts to improve the maturity of their Sarbanes-Oxley compliance processes”. While that is the majority view of respondents, the companies I talk to still have significant opportunities to improve.
  • Only about 72% are satisfied with the level of external auditor reliance on management testing for low-risk areas, and 67% for moderate-risk areas. The question was not addressed for high-risk areas (and the external auditor can place some level of reliance on management testing in these areas, at its discretion and subject to the whims of PCAOB examiners).

The chart on page 25 is useful, describing the strategies that companies are using this year to improve efficiency.

Unfortunately, the survey does not share any information on how often internal audit performs SOX testing for management – or what percentage of that testing it performs. Neither does it say how often the PMO reports to internal audit. Instead, it surveys who has “primary responsibility for overseeing/organizing Sarbanes-Oxley compliance efforts” – which should always be management.

I repeat my request that Protiviti address the questions in the table, to which I would add these questions:

5. Use of internal audit

  • How many companies use internal audit to perform testing?
  • What is the average percentage of key controls that is tested by internal audit?
  • Has significant value been obtained by having internal audit perform the testing?
  • Does internal audit have sufficient resources to perform SOX testing and fulfill its assurance and consulting services responsibilities?
  • How often does the PMO report to internal audit?

While I request this of Protiviti, and they have again said they would consider my input, I would be happy to see these questions answered by any firm.

What do you think?

One final (self-serving) comment: my best-selling book on optimizing the SOX program is now available from the IIA bookstore. It is available as a soft copy download, or as a paperback (see the foot of the IIA page). By way of full disclosure, it includes a review from Protiviti’s Bob Hirth.
