0% found this document useful (0 votes)

175 views

Internal Controls Survey Report 2018

Uploaded by

kunal butola

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

175 views

Internal Controls Survey Report 2018

Uploaded by

kunal butola

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 24

2018

Internal
Controls
Survey
kpmg.com
Table of
contents
2018 Internal Controls Survey 2

Key takeaways 3

Detailed findings 4

Strategies 4

Areas of improvement 5

State of the ICOFR program 6

ICOFR documentation 8

Technology supporting the ICOFR program 12

ICOFR testing 13

ICOFR program costs 15

External auditor coordination 16

Technology use in controls 18

Survey demographics 20

About KPMG LLP 22

2018 Internal Controls Survey 1

2018 Internal
Controls Survey
Executive summary
Understanding internal controls over whether it is a strength or potential
financial reporting (ICOFR) trends, weakness in your program. In areas
challenges, and strategies can help where your response is similar to
your organization self-reflect on your other respondents, it may let you
program and identify opportunities know that you are on the right track
for improvement. This survey or allow you to commiserate related
captures organizations’ strategic to a shared challenge.
considerations, as well as more
KPMG LLP (KPMG) surveyed the
tactical information such as extent
individuals at 100 organizations
of control automation by process.
with responsibility for the ICOFR/
In areas where your organization Sarbanes-Oxley (SOX) program.
differs from the other respondents, The findings offer useful direction
it can drive insightful questions as and provide a basis for comparison
to what drives that difference and and further analysis.

“ Organizations have a variety of levers they can

pull to optimize their ICOFR programs. These
results highlight some of those - focusing
on identifying the right controls, improving
control automation, better utilizing technology
throughout the program, etc.”
- Sue King, KPMG’s SOX Solution Lead

The largest improvement area cited is related to technology and

control automation.
71% of organizations are looking to increase control automation, including increasing
the use of data and analytics and robotic process automation within control
performance. Increased control automation appears to be a significant opportunity for
helping organizations to optimize their control portfolios.

More than half of organizations are leveraging a specific technology

solution to support the ICOFR program documentation and testing.
Of those organizations using a specific technology (rather than desktop software),
52% implemented the technology solution within the past two years.

Organizations may not be fully leveraging the flexibility available under the
Securities and Exchange Commission’s (SEC’s) interpretive guidance.
More than 40% of organizations do not modify their testing approach based on their
external auditor’s reliance model. These organizations appear to be following the same
guidance that the Public Company Accounting Oversight Board (PCAOB) provides
to define the procedures required of external auditors. Instead, they may be able to
further use the SEC’s interpretive guidance to focus more on their own objectives
through the flexibility on documentation and control testing requirements.

Overall, organizations continued to focus on

the same five strategies in 2018 as in 2017.

Controls Minimize the Ensure Focus efforts on Change business

rationalization cost to test maximum the entity-level processes so that the
to reassess controls reliance by the and most critical controls are embedded
and potentially external auditor controls in the process, are
reduce key not performed just for
controls ICOFR, and are valuable
to the business

If organizations considered these three elements together, organizations may find more
impactful controls optimization results, impacting both control selection and the testing strategy.

87% 80% 76% 75% 66%

*Respondents ranked multiple statements

Top five areas with improvement or significant improvement needed:*

Increase control automation

71%
Reduce control performer cost/effort

44%
Reduce control testing cost/effort The top area for improvement
continues to be increasing
42% control automation. This was
an area of improvement for 51%
Improve quality of control evidence of organizations in 2017 and
rose to 71% in 2018. This may
41% be due to the increasing focus
on and availability of robotic
Reduce key control count process automation and
related technologies.
37%
*Respondents ranked multiple statements

More than
Maturing: Improved 5 years 8% 34% 58%
business processes that
have reduced the cost
of control performance,
reduced risk, and added As expected, organizations that have been SOX 404 compliant
value to the business longer tended to describe their ICOFR program as more mature.

Frequency with which issues identified through ICOFR testing are used to make changes to the process:
To enhance the control To change the process so controls To make a process more efficient
environment and reduce risk are more meaningful to the business regarding control performance
(not just performed for SOX) (i.e., increase automated controls)

Never Rarely Often Always Don’t know

Organizations are not consistently using the ICOFR testing results to reflect
on the process and then change the processes in order to reduce risk,
improve controls, or improve efficiency.

Our organization’s Our management,

culture and tone at Investors care about executive management,
the top support our material weaknesses and Board find our ICOFR
ICOFR program program to be valuable

Changes required to Our organization considers

remediate control issues ICOFR when planning
Our ICOFR program
are not only performed significant business
effectively improves
to make it through the initiatives, such as new
transparency in our
ICOFR process, but are information systems,
organization
also taken seriously process reengineering, or
going forward outsourcing

The new revenue

We often add key I am confident our
recognition and/or lease
controls based on controls would pass
accounting standards
external auditor (i.e., be effective), even
will increase our control
requests without testing them
performance efforts

Responses for these statements in 2018 were largely consistent

with the 2017 responses. The largest change was a decrease in the For the statements outlined
organizations that agreed that the new revenue recognition and/or in purple, agreement with the
lease accounting standards would increase their control performance statement increased as the
efforts. The average response of 3.8 in 2017 decreased to 3.5 in 2018, size of the organization (based
potentially due to organizations being further along in the process to on annual revenue) increased.
implement such standards and revised controls.

Risk and control matrix Process narratives Process flowcharts None of the above

94% 72% 60% 2%

*Respondents could select multiple responses

76% 67% 69% 51%

76% of those with a reliance strategy vs. 67% of those 69% of those with a reliance strategy vs. 51% of those
without a reliance strategy maintained narratives. without a reliance strategy maintained flowcharts.

61% or organizations
10% of organizations 44% of organizations
maintain / include
10% regularly maintain
only the risk and 44% maintain both
process narratives 61% both key and non-key
controls in their risk
control matrix. and flowcharts.
and control matrix.

Entity-Level Financial Fixed IT General HR & Inventory Order-to- Procure-to- Tax Treasury
Controls Reporting Assets Controls Payroll Management Cash Pay

Key controls that are manual (i.e., not automated) Key controls that are automated (i.e., IT application controls)

Processes with the highest percentage of automated controls were: IT general controls (39%),
procure-to-pay (37%) and order-to-cash (33%).

*Respondents selected the most closely related process names

Number of systems and applications (including the Enterprise Resource Planning system) that are
in scope for ICOFR testing:

39% 39% 12% 11%

1-10 11-25 26-50 More than 50

334 485
The Financial Services industry
The average total key control count had the highest average total
across all industries was 334. key control count at 485.

The average number of key controls increases as the company size (based on annual revenue) increases.

21% The average percentage of

automated controls was 21%.
35% 32% 31%

The lowest level of automated

controls were the Energy,
Natural Resources & The industries with the highest average automated
Chemicals (12%) and Financial controls were Healthcare & Life Sciences (35%),
Services (15%) industries. Technology (32%) and Media (31%).

Nearly all processes had relatively high percentages of standalone controls —

controls that are unique to a specific business unit, location, etc., and therefore
receive their own stand-alone samples for testing. This indicates that organizations
have limited standardization across locations which contributes to a more expensive
and higher risk control environment. This also generally leads to more testing.

54% 46%
Yes No

Larger organizations ($10 billion Less than one year 1-2 years
65% or more in annual revenue) were
most likely to use a specific
technology solution (65%). 3-5 years More than 5 years

Internal Audit Internal ICOFR Team External provider

81% 22% 21%

Internal Audit functions either in-house or outsourced

Self-testing Control self-assessments Peer testing

15% 14% 5%
Control owner executes test scripts to test the Control owner certifies that their controls are
operating effectiveness of their controls operating effectively, in lieu of independent testing

*Respondents could select multiple responses

For organizations where ICOFR testing is performed How use of an external provider for support with
by Internal Audit, the proportion of total Internal Audit ICOFR program changed from 2017 to 2018:
hours related to ICOFR:

1-25% Using external providers Using external providers

26-50% more in 2018 less in 2018
Using external providers
51-75% 76-100% about the same

41% of organizations spend more than 50% of their total Internal Audit hours on
ICOFR. For larger organizations (greater than $10 billion in revenue), only 14% spent
more than 50% of their total Internal Audit hours on ICOFR.

ICOFR compliance activities

6%
24% 42% 28% Costs decreased

Costs stayed the same

Cost and effort for management to perform the control activities 7% Costs increased

20% 54% 19% Don’t know

External auditor coordination

Differences in controls in scope for ICOFR testing in comparison to the external auditor:

More than 50% of Interestingly, these organizations were also

organizations reported more likely to agree with the statement

52% having more controls in scope

for testing than their external
auditor. Such organizations
“We often add key controls based on
external auditor requests.” This may
indicate that new controls are added
may have opportunities to based on external auditor requests and
rationalize and optimize their then are not properly reassessed for
control portfolio. ongoing significance and materiality.
Our organization has more controls in
scope for testing than our external auditor

23% 14% 6%
Our organization and our external Our organization and our external Our external auditor has more controls in
auditor have the same number of auditor have approximately the same scope for testing than our organization
controls in scope for testing and the number of controls in scope for testing;
controls are the same however, the controls vary

Test of design (i.e., a walkthrough)

1%
No reliance
33% 21% 24% 21% Minimal

Moderate
Test of effectiveness (i.e., control testing) 2% Fully, to the extent possible

11% 19% 34% 34% Not applicable/not performed

Able to quantify savings achieved as a result of Most common metrics used to quantify and/or
external auditor reliance, if applicable: monitor savings from external auditor reliance:*

1st Total fees saved

31% Yes
2nd Total hours saved

69% No
3rd Percent reduction
in fees

Percent reduction
4th in hours
The percentage increased from 23% in 2017 to
31% in 2018. Other impacts from reliance, such
as minimizing requests to control owners, may be 5th Other
more difficult to quantify.
*Respondents could select multiple responses

We modify sample sizes

We use templates (or nearly

similar formats) from external
audit in areas of reliance

We modify our
rollforward approach

We decrease the level of

documentation in areas of
non-reliance

We self-assess in
areas of non-reliance

Other

We do not change our

approach based on our external
auditor’s reliance model

*Respondents could select multiple responses

35% Yes 15% Yes

53% No 68% No
12% Don’t know 17% Don’t know

Use of data and analytics (D&A) within ICOFR program:*

D&A is not Sample ICOFR risk As part of a control Within control

used within our selections assessment activity performed testing
ICOFR program by management

Within the testing activities, D&A is primarily used in Organizations are increasing their use of D&A within
selecting samples for testing. 37% of organizations the performance of control activities (up from 22% in
had plans to increase the use of D&A to assist with 2017). 33% of organizations had plans to increase the
compliance activities (testing or reporting on controls). use of D&A to perform control activities.

*Respondents could select multiple responses

To perform a control activity: To assist with compliance activities (testing or reporting on controls):

85% 91%

8% 7% 4% 5%
Yes No Don’t know Yes No Don’t know

Plans to increase the use of RPA or other intelligent automation:

To perform a control activity: To assist with compliance activities (testing or reporting on controls):

57% 61%
24% 19% 20% 19%

Yes No Don’t know Yes No Don’t know

2% Less than 1 year 11% 1-2 years

10% 3-5 years 77% More than 5 years

1% 2%

14% 23% 40% 20%

Less than $100 million $100 – $499 million $500 million – $1.4 billion $1.5 – $9.9 billion $10 billion or more Don’t know

Organization’s total assets for the most recent fiscal year:

2%
9% 12% 32% 41% 4%

Less than $100 million $100 – $499 million $500 million – $1.4 billion $1.5 – $9.9 billion $10 billion or more Don’t know

Primary industry:

15% 13% 11% 11%

7% 7% 7%

Technology Energy, Natural Consumer Goods Industrial Banking & Financial Insurance
Resources & Manufacturing Capital Markets Services
Chemicals

6% 6% 8%
4% 2% 1% 1% 1%
Healthcare Media & Building, Retail Alternative Asset Life Sciences Other
Telecommunications Construction & Investments Management
Real Estate

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks of KPMG International. 2018 Internal Controls Survey 21
About KPMG LLP
Our Risk Assurance Services are designed to enhance the Our professionals have extensive experience working with
efficiency and effectiveness of internal audit functions, global companies ranging from FORTUNE 500 companies
enterprise risk management programs, reviews of third to pre-IPO start-ups. We go beyond today’s challenges to
party relationships and risk and controls management. Our anticipate the potential long- and short-term consequences of
professionals can augment and enhance an organization’s shifting business and technology. With a worldwide presence,
existing risk management capabilities through the use of KPMG continues to build on our member firms’ successes,
experienced risk and controls professionals, supplemented by thanks to our clear vision, values, and our people in 153
multidisciplinary skills from each of our Advisory service lines. countries. We have the knowledge and experience to help
clients navigate the global landscape.
KPMG’s Advisory professionals combine technical, market and
business skills that allow them to deliver objective advice and
guidance that helps Advisory’s clients grow their businesses,
improve their performance, and manage risk more effectively.

Deon Minnaar Sue King

Internal Audit and Enterprise Risk Partner, Advisory
Services Leader SOX Solutions Lead
T: 212-872-5634 T: 213-955-8399
[email protected] [email protected]

Susan Burkom Paige Woolery

Managing Director, Advisory Director, Advisory
SOX Center of Excellence SOX Center of Excellence
T: 410-949-8771 T: 713-319-3813
[email protected] [email protected]

Some or all of the services described herein may not be permissible

for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to
provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the
future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.