Automated internal controls may be the buzzword for compliance with Section 404 of Sarbanes-Oxley, but most companies still rely on old-fashioned manual controls even today, nearly six years after 404 first started going into effect.

So says the latest study from KPMG’s 404 Institute. According to its 2009 benchmarking report on SOX compliance efforts—which surveyed more than 1,000 businesses that comply with Section 404—more than half say 80 percent of their key controls are still manual. Another 24 percent say about 60 percent of their key controls are still manual, and 10 percent say it’s split 50-50.

Only 10 percent say a majority of their key controls are automated.

The good news: many companies are reporting fewer deficiencies (and far fewer material weaknesses) and expending fewer hours to conduct their internal control testing. The benchmarking report contends that automation deserves at least part of the credit for that, despite the slow pace of adoption.


“Leading companies that had the forethought to invest early on in their internal controls processes have tended to emerge as leaders in terms of efficiency and effectiveness of their compliance efforts,” says Lawrence Raff, a KPMG partner and executive director of the 404 Institute.

Those leading companies tend to have proportionately more automated controls than their peers, which helps them test a similar volume of key controls at lower cost in fewer hours, Raff says. That, in turn, lowers compliance costs overall.

Cost, however, is still a big part of why companies aren’t rushing to automate internal controls in the first place. “Companies aren’t spending money on IT infrastructure,” says Tom Basilo, chief executive of consulting firm WithumSmith+Brown Global Assurance. “With the economy the way it is, I don’t think there’s a lot of motivation to make any drastic changes.”

When studying companies by revenue size, no group has done much automation. Worst are companies with less than $250 million in revenue (only 18 percent reporting most of their controls are automated), and best are companies with $5 billion or more in revenue (only 22 percent saying most controls are automated). Mid-sized companies all fall in that 18-22 percent range as well.


Many companies have “developed process they’re satisfied with and for now, they’ve decided they’ll live with the extended consequences of using manual controls and processes,” Basilo says. Plus, he adds, the group within the company that determines and designs the testing process—usually the internal audit group—is often used to more manual processes and “isn’t necessarily comfortable with automated processes.”

The report also shows that relatively few companies have bought into the idea of “embedded testing”—ongoing testing by process-owners throughout the year, rather than testing by a separate group such as compliance or internal audit. Observers say that, too, is in line with what they see in practice.

“I’m not seeing a lot of movement towards embedded testing, given the level of objectivity and independence that is expected of the controls testing process,” says Anthony Chan, a partner in the auditing firm Berdon LLP.

He contends that most companies have little incentive to adopt embedded testing because that won’t necessarily reduce outside audit work. “Unless the process-owners involved in the testing process have the requisite audit background, it would be difficult for external auditors to place appropriate reliance on the work performed and reduce their testing,” he says.

What’s more, he adds, many process-owners (who are, don’t forget, business managers first and foremost) have taken on additional operational work during the recession, making it difficult for management to push for embedded testing while the economy still stinks.

According to the KPMG study, only 28 percent of the companies surveyed use embedded testing. That number was highest among companies with revenue of $5 billion or more (41 percent) and lowest among companies in the $250 million to $1 billion range (16 percent).

Of that 72 percent who don’t use embedded testing, only 7 percent say they plan to do so within the next year. Forty-two percent of the group say they have no plans to use embedded testing at all. Instead, Chan says he sees companies moving some testing away from internal audit and more toward outside parties rather than process-owners.

Not a Fun Time

Meanwhile, the report shows that Section 404 compliance remains a time-consuming exercise for most companies. Across all respondents, 38 percent reported that last year they spent more than 9,000 hours on 404 compliance efforts, including internal hours spent by the company and by outside service providers (but excluding external audit hours). Another 40 percent, however, spent 4,500 hours or less.


[Table: “What is the estimated percentage of your company’s manual key controls versus automated key controls? (A manual control is a control performed by an individual whereas an automated control is performed with programmed …” Columns, by company revenue: Less Than $250 Million; $250 Million to $1 Billion; $1 Billion to $5 Billion; $5 Billion or More. Rows: 100% Automated; 80% Automated; 60% Automated; 50% Automated; 40% Automated; 20% Automated; 100% Manual. Source: KPMG Benchmarking Report on Automated Controls (2009).]

The study also shows that companies still do the bulk of their Section 404 testing during the second half of the year—a habit frowned upon by the compliance wonks, who say companies should ideally conduct testing throughout the year. Overall, the survey found, companies do nearly 70 percent of their testing in the third and fourth quarters.

Only 4 percent of companies reported material weaknesses at the time of their 2008 certifications, although a whopping 94 percent confessed deficiencies of some kind, and 37 percent said those deficiencies were significant.

But among smaller companies—those with less than $250 million in annual revenue—fully 9 percent admitted having a material weakness. Chan, who works primarily with that population, says that statistic is “alarming.”

“Either their testing is not effective, or it’s not identifying the underlying control weaknesses,” he says. “If their testing is effective, we should expect fewer significant deficiencies and material weaknesses as of the year-end, since management would have the ability to remediate the control deficiencies earlier during the year when the weaknesses were identified.”


Michael Cangemi, president and CEO of the Cangemi Co. and a former president of Financial Executives International, says companies “are past the crisis mode” and should be looking for ways to expand coverage while reducing cost.

“Investments in automation that provide hard-dollar business benefits, in addition to reducing compliance costs, make sense in the current business environment,” he says. He adds that Auditing Standard No. 5, introduced by the Public Company Accounting Oversight Board in 2007 to alleviate high Section 404 compliance costs, encourages the use of automated controls to reduce cost, and the automation of controls as a means to lower audit costs and improve controls reliability.

Basilo says more companies may be willing to invest in automation efforts when the economy improves.

“I suspect if they conduct the same survey two or three years from now, we’ll see increased use of automated controls,” he says. “The benefits are significant.”

Chan, however, says there are “inherent limitations to how much testing can be automated” because certain key controls, such as the analysis of goodwill for impairment, require the use of professional judgment—and you can’t automate that.