Understanding internal controls over financial reporting (ICOFR) trends, challenges, and strategies can help your organization reflect on your program and identify opportunities for improvement. This survey captures organizations' strategic considerations, as well as more tactical information such as the extent of control automation for each process. In areas where your organization differs from the other respondents, it can give rise to insightful questions as to the reasons for this difference and whether it is a strength or potential weakness in your program. In areas where your response is similar to other respondents, it may let you know whether you are on the right track or allow you to commiserate over a shared challenge. KPMG LLP (KPMG) surveyed individuals at 100 organizations with responsibility for the ICOFR/Sarbanes-Oxley (SOX) program.
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft
The findings offer useful direction and provide a basis for comparison and further analysis. Key takeaways include:
- Organizations continue to focus on rationalizing controls and minimizing testing costs. The focus on both of these areas increased from 2017 to 2018, with 60% or more of surveyed organizations including these in their 2018 ICOFR program strategy. Rather than primarily focusing on rationalizing the number of controls, organizations should also focus on identifying the right key controls and documenting them with the appropriate precision, detail and depth.
- The largest improvement area cited relates to technology and control automation. 71% of organizations are looking to increase control automation, including increasing the use of data and analytics and robotic process automation within control performance. Increased control automation appears to be a significant opportunity for helping organizations to optimize their control portfolios.
- More than half of organizations are leveraging a specific technology solution to support the ICOFR program documentation and testing. Of those organizations using a specific technology (rather than desktop software), 52% implemented the technology solution within the past two years.
- Organizations may not be fully leveraging the flexibility available under the Security and Exchange Commission's (SEC) interpretive guidance. More than 40% of organizations do not modify their testing approach based on their external auditor's reliance model. These organizations appear to be following the same guidance that the Public Company Accounting Oversight Board (PCAOB) provides to define the procedures required of external auditors. Instead, they may be able to further use the SEC's interpretive guidance to focus more on their own objectives through the flexibility on documentation and control testing requirements.
Our global SOX service offerings are designed to enhance the efficiency and effectiveness of internal audit functions, enterprise risk management programs, reviews of third-party relationships and risk and controls management. Our professionals can augment and enhance an organization's existing risk management capabilities through the use of experienced risk and control professionals, supplemented by multidisciplinary skills from each of our service lines.
KPMG's professionals combine technical, market and business skills that allow them to deliver objective advice and guidance that helps clients grow their businesses, improve their performance, and manage risk more effectively. Our professionals have extensive experience working with global companies ranging from FORTUNE 500 companies to pre-IPO start-ups. We go beyond today's challenges to anticipate the potential long- and short-term consequences of shifting business and technology. With a worldwide presence, KPMG continues to build on our member firms' successes, thanks to our clear vision, values, and our people in 153 countries. We have the knowledge and experience to help clients navigate the global landscape.