Congratulations to Protiviti on 2013 SOX Survey
After a few years of criticizing Protiviti for the lost opportunities represented by prior years’ surveys, I am happy to say that this year’s publication (available here) is very much better and a useful read for boards, senior financial management, internal auditors, and external audit firm partners and lead managers.
I was pleased to see Protiviti was able to report that:
- More organizations are refining their scope using a top-down and risk-based approach to identify the combination of key controls to test. Prior reports indicated that management at many organizations had become complacent and accepting of their unrefined scope
- External auditors were increasing their reliance on the work of internal auditors. I like how Protiviti separated the results of reliance on management testing, first by whether it was performed by internal auditors, and then based on the size of the company
The tables showing the extent of reliance are useful, although they should have asked about reliance on management testing for high-risk key controls rather than assuming it was zero.
However, the extent of reliance is disappointing. Why do so few external auditors place reliance on management testing (especially when performed by internal audit) of at least 75% of both low and moderate-risk controls? I was able to achieve 80% reliance for all key controls at my last two companies!
SOX managers, internal auditors, executives and boards will find other information of use. For example, some will be interested in the analysis of automated key controls.
What do you like/dislike? Are you encouraged, discouraged, or left unmoved?