A KPMG survey of technology companies has found that the cost of Sarbanes-Oxley compliance is falling, the number of key controls shrinking, and, most surprisingly, the number of automated controls declining as well.

The third annual report, surveying controllers, compliance managers, and chief audit executives from 41 electronics and software businesses, does not purport to be the final say in the state of internal controls. But its authors and other compliance experts say that, with the exception perhaps of controls automation, the findings broadly represent the sector as a whole.

Among the key findings:

More than 80 percent said the cost of compliance with Section 404 of SOX fell in 2008 from the previous year, with half citing declines of 10 percent or more;

New guidance—in particular PCAOB Auditing Standard No. 5 (AS5)—helped 71 percent reduce the number of controls tested;

The average number of key controls fell 4 percent, from 364 in 2007 to 350 in 2008. A reduction in key controls related to financial processes drove this; in contrast, IT-related controls rose 10 percent;

The percentage of automated key controls fell to 22 percent last year, from 25 percent in 2007.

The cost declines, respondents said, came from following AS5 guidance and focusing on top-down, risk-based controls—which cost less to implement, monitor, and test than the scads of lower-level controls companies had been forced to test in the early days of SOX compliance, before AS5 arrived in 2007.

KPMG KEY FINDINGS

SOX 404 Compliance Costs—Trends and Factors:

Over 80 percent of respondents say their company's total cost of SOX 404 compliance decreased in the last year. Almost half said their compliance costs decreased by more than 10 percent.

The biggest factors in SOX 404 cost reduction were companies reacting to the latest SOX 404 guidance (76 percent), a fee reduction by their external auditor (52 percent), and improving the quality of controls (48 percent).

Seventy-one percent of respondents said that the latest SOX 404 guidance allowed them to reduce the number of controls tested. One-third indicated they reduced the sample sizes used to test controls, and 17 percent said they reduced the frequency of testing.

A significant majority said that SOX implementation led to improved visibility of issues (68 percent) and elimination of unnecessary controls (59 percent).

Almost one-quarter say they have implemented (12 percent), or are in the process of implementing (10 percent), an integrated GRC application suite. Another 34 percent are considering implementation but have not yet formalized an implementation plan.

No one tool stands out in the implementation of a GRC application suite (see the Popular GRC Tools table below).

Over half (57 percent) have implemented or upgraded their ERP system, or plan to within the year:

—Nearly 40 percent have no plans for an implementation or an upgrade

—Of 15 companies that have implemented an ERP system, 8 expect the number of automated controls to increase

Source

KPMG Internal Controls Study of Technology Companies (2009).

The study also tried to assess whether companies had managed to leverage their SOX compliance investments into improved insights about business processes and, ideally, more efficiency and lower costs. Forty-six percent of respondents said implementing SOX controls had indeed helped their organization consolidate and standardize processes. Another 41 percent said SOX-related work had bolstered operational controls and improved efficiency.

“It’s showing people are starting to try to leverage the effort they’ve put into Sarbanes-Oxley, to get as much value out of it as they can,” says Tom Lamoureux, KPMG’s risk advisory leader for the electronics, software and services sectors, and a co-author of the study.

The broad conclusions jibe with those of an Institute of Internal Auditors study, “Why ERM is Vital,” released in February. Based on four case studies and the responses of 251 chief audit executives, the IIA report found that embracing a culture of risk management and control—rather than simply meeting compliance requirements—“meets regulatory requirements in a more efficient and effective manner, while supporting organizational viability and competitiveness on an ongoing basis.”

IIA President Richard Chambers says that study and others had also found that companies “were either holding a steady level of Sarbanes-Oxley controls” or decreasing the resources they were dedicating to them.

“All the data points from all the surveys would indicate that what the KPMG study found is true on a much broader level,” Chambers says.

Chambers does credit AS5 as an important bit of help in driving down compliance costs. But equally important, he adds, is the experience audit executives have been gaining over the years at rationalizing their company’s controls and wringing out more compliance efficiency.

Proper Use of Automation

Where the KPMG study seems to diverge from conventional wisdom is in automated controls. Chambers and just about every other expert in the auditing field constantly say that automated controls are vital to keeping compliance costs down, so the report’s finding that companies had fewer automated controls last year does seem anomalous.

POPULAR GRC TOOLS

The current GRC application market is made up of numerous application vendors providing a variety of functions or point solutions underneath the broader GRC umbrella. The most commonly used GRC tools are:

GRC Tool       Percentage Currently Using   Percentage Planning to Use
ACL            19%                          7%
Oracle GRC     11%                          11%
Open Pages     11%                          4%
SAP GRC        11%                          0%
Paisley        7%                           11%
Symantec       7%                           4%

Source

KPMG Internal Controls Study of Technology Companies (2009).

“I’d be very interested in seeing this same survey next year, because I think we may see larger numbers of automated controls, especially in cases where one control can be used many times,” says Robert Stroud, international vice president of ISACA and an “IT governance evangelist” at software maker CA. Both at CA and through his work with ISACA, Stroud says, he is seeing cross-industry interest in reducing the number of manual controls.

In particular, Stroud adds, automated controls are attractive in cases where investment in a single, well-considered control can satisfy the diverse demands of SOX, the Gramm-Leach-Bliley Act, HIPAA privacy rules, and state or industry-specific requirements.

Stroud says forward-thinking organizations should study their controls to assess their efficiency and validity before formalizing them in digital code. In addition, companies with an eye on cost in a tough economy are looking for cost savings by removing manual collection points and complex spreadsheets. Replacing them, Stroud says, will be automated controls embedded in business processes so that controls steer behavior and allow audit teams “to actually consider exceptions, rather than looking at every transaction for violations.”

At Frontier Communications, a $2.2 billion telecommunications firm, 2008 was a “bedrock year” for taking a hard look at key controls, says Neil Frieser, the company’s vice president of internal audit.

“What we found in some cases was that things defined as key controls really weren’t, and in some cases we added controls that weren’t on the radar screen,” Frieser says.

For AS5-driven control rationalization, Frieser gives the example of verifying annual code-of-conduct reviews. Instead of polling a large sample of employees individually, one can conduct simpler testing of a document that tracks code-of-conduct compliance.

“Because you’re testing and monitoring a higher-level control, you can actually do a lot less work,” he says. The net number of Frontier’s key controls fell, which in turn can lower external audit costs.

Another positive development, Frieser says, is external auditors’ increasing comfort with the work of his internal-audit team. “They’re going to be relying on my team more than they have in the past, and that’s another reason why auditors may be able to lower their fees,” he says.

About a quarter of KPMG’s respondents had either implemented, or are currently installing, integrated governance, risk, and compliance (GRC) software packages; another 34 percent are considering software for controls automation.

Frontier is not currently among that latter group, Frieser says. At a previous employer with 12 divisions, international operations, and about $25 billion in annual sales, electronic dashboards were vital to managing a compliance effort involving some 700 people. At Frontier, a smaller and more centralized business, a team of four internal auditors manages the whole job with spreadsheets, he says.

“I think it’s a decision that companies have to make based on inherent business risks and costs involved,” Frieser says.