Congratulations to Protiviti on 2013 SOX Survey

After a few years of criticizing Protiviti for the lost opportunities represented by prior years’ surveys, I am happy to say that this year’s publication (available here) is very much better and a useful read for boards, senior financial management, internal auditors, and external audit firm partners and lead managers.

I was pleased to see Protiviti was able to report that:

  • More organizations are refining their scope using a top-down and risk-based approach to identify the combination of key controls to test. Prior reports indicated that management at many organizations had become complacent and accepting of their unrefined scope
  • External auditors were increasing their reliance on the work of internal auditors. I like how Protiviti separated the results of reliance on management testing, first by whether it was performed by internal auditors, and then based on the size of the company

The tables showing the extent of reliance are useful, although they should have asked about reliance on management testing for high-risk key controls rather than assuming it was zero.

However, the extent of reliance is disappointing. Why do so few external auditors place reliance on management testing (especially when performed by internal audit) of at least 75% of both low and moderate-risk controls? I was able to achieve 80% reliance for all key controls at my last two companies!

SOX managers, internal auditors, executives and boards will find other information of use. For example, some will be interested in the analysis of automated key controls.

What do you like/dislike? Are you encouraged, discouraged, or left unmoved?

  1. CG
    May 29, 2013 at 9:22 AM

    I’ve only been able to find online the 16-page document that includes the highlights from the survey. In previous years, they’ve produced a much longer document (50+ pages) that includes the full survey results. Any insight on where we can find the full survey? Thanks.

    • Norman Marks
      May 29, 2013 at 10:56 AM

      The full survey is available from the Protiviti site.

      Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Evangelist and Mentor for better run business

    • Jim DeLoach
      May 31, 2013 at 8:23 PM

      Hello, CG. We noted in the Introduction of the report that the complete findings are available on our site in the form of a presentation. Go to the Protiviti website at http://www.protiviti.com/SOXSurvey. Look at the bottom of the page below the “Download” button where it refers to a presentation detailing the complete results.

  2. Linda DiPaola, CPA CISA CGEIT
    May 29, 2013 at 10:05 AM

    I totally agree with your point of view on lack of reliance by external auditors on management testing. So many companies still let the external auditors dictate how much they will or won’t rely on management’s work; I think if management saw it quantified just once, they might reconsider . . .

  3. May 30, 2013 at 6:42 AM

    One of the things that strikes me is that they still talk about the ‘cost of SOx compliancy’. In my opinion, what SOx is asking is to be ‘in control’ and that belongs to ‘business as usual’. Second, if you look at the costs you should also look at the benefits. There have been studies proving that organisations that are more ‘in control’ not only have fewer ‘incidents’ (and costs thereof, see information security) but also perform better in general, offer more value and therefore are better valued by shareholders and other stakeholders.

  4. June 20, 2013 at 11:56 AM

    Whether the assessment is the traditional “likelihood and impact” approach for each of the identified risks, or management chooses to utilize the risk factors identified by the PCAOB/SEC, or some other method entirely, the point of the exercise is to give external auditors a view into management’s evaluation of what could go wrong. Ranking the relative risk of the resulting misstatements, and the controls that mitigate those risks, then provides a tool for framing the “reliance” discussion. In year one, auditors may then be more comfortable relying on management’s testing of those controls that mitigate low level risks. As time progresses and the risk discussion matures, management and auditors may achieve a balance of reperformance and reliance resulting in reduced cost of compliance.
