2023 Sox Survey

2023 KPMG
SOX report
Based on a 2022 external survey of SOX teams and their

experiences with regards to their SOX program governance
and execution
© 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member
firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
01 Executive summary 3
02 Program structure/governance 7
03 Program budget 15
Table of 04 Risk assessment 24
contents 05 Control environment 29
06 Testing 35
07 Technologies and tools 47
08 Survey demographics 52
© 2023 KPMG LLP, a Delaware limited
© 2023liability
KPMGpartnership
LLP, a Delaware
and a limited
member liability
firm ofpartnership
the KPMG andglobal
a member
organization
firm of
ofthe KPMG global organization of independent member
independent member firms affiliated
firmswith
affiliated
KPMGwithInternational
KPMG International
Limited, a private
Limited,English
a private
company
Englishlimited
companyby limited by guarantee. All rights reserved.
2
guarantee. All rights reserved.
01
Executive
Summary
KPMG 2022 SOX Survey
01 02 03 04
Background Demographics Results Other considerations
• This survey was • The experiences • The results were derived • Readers should consider
completed by KPMG of 153 participants, from a web-based multiple benchmarks
clients or other from companies of survey that was (e.g., mean, median,
US companies varying sizes and conducted from July etc.) for comparison and
representatives based industries, are through September 2022 should draw their own
on their experience in represented in the • The data presented has conclusions regarding an
managing SOX survey responses been categorized by individual company’s
programs for their • Detailed demographics industry and company SOX 404 program
company have been presented size, wherever relative to their
• The respondents were within a separate section necessary appropriate peer group
professionals with a of the survey report • Results and figures
detailed understanding reported are as of the
of their company’s most recent fiscal year
internal controls over end (predominantly
financial reporting 12/31/21)
4
KPMG 2022 SOX Survey
Survey demographics by annual revenue
KPMG LLP (KPMG) is pleased to present
71% 12% 17% the findings from our latest internal
controls survey. Our survey provides
Revenue less Revenue between Revenue greater
than $10B $10B-$19.9B than $20B a detailed look at the SOX programs
implemented by companies of varying
industries and sizes, from governance and
Key industries covered strategy to details on execution and costs.
Our report presents summary findings
and key measures from the survey data
and is designed to provide insight, useful
Technology Energy & Natural Industrial Financial direction, and provides a basis for
& Software Resources Manufacturing Services
comparison and further analysis.
Additionally, KPMG analyzed comparative
metrics from this survey to our 2016 survey
to highlight notable differences in the SOX
Banking Retail or Insurance Building,
and Capital Consumer Construction
program landscape over the past 6 years.
Markets goods & Real Estate
Source – ‘2022 SOX Survey Analysis', KPMG LLP (US), 2022.
5
KPMG 2022 SOX Survey – Key Takeaways
SOX program Control Environment Technologies Focus areas
budgets and costs
• The average SOX program • 69% of the companies • Improvement in quality
• The average total key control
budget, across all size used a Governance, Risk of control evidence,
count (including IT controls),
companies, was reported as and Compliance (GRC) communication with External
was 463 key controls in 2022
$1.6M and 11,800 hours technology for their SOX Audit, and increase in
which represents an increase
program (increased from External Audit reliance were
• The average cost of from 329 key controls in 2016
49% in 2016) reported as the key focus
compliance, including cost
• 21% of total controls were areas for SOX programs
of control performance and • 92% of companies that use
reported as automated in
testing, was calculated as a GRC tool were either fully • Controllership played
2022, an increase from
$3,200 per control or somewhat satisfied with a significant role in the
18% in 2016
their current GRC technology non-testing SOX activities.
• The average hours to test a
(increased from 70% in 2016) Third party outsourcing
control for operating
was most prevalent in
effectiveness was reported as • 66% of participants reported
controls testing
12 hours per control which is use of data analytics in their
an increase from 9 hours per SOX program (increased
control in 2016 * from 8% in 2016)
* Note that the population size and composition of company's survey in 2016 and 2022 is different, so this comparison is a data point but not directly
comparable
6
02
Program
structure/
Governance
Key observations: Program structure/Governance
• 90% of the • 88% of • 89% of the • Despite high • A fifth of the

participants participants companies External Auditor companies
considered their reported that their reported External reliance, 85% reported that SOX
SOX program to organization’s Auditor reliance of the companies testing contributes
be in a matured or
culture is on their SOX couldn’t quantify to >60% of their
an evolved state
supportive of the program the savings total Internal Audit
• Controls SOX program achieved on their budget each year
optimization • Use of External
• 67% reported Auditor templates organization’s
and Improving
that the SOX and modifying testing
business
processes were program’s impact sample sizes
reported as key is considered were reported
focus areas for while planning as ways to
SOX programs business increase reliance
initiatives
8
90% of the participants considered their SOX program to be in
a matured or an evolved state
Q. Where do you consider your SOX program’s maturity level is at?
Maturing – improved business processes (such as shared services)

which have reduced the cost of control performance, reduced risk and 47%
added value to the business
Evolving – improved risk assessment and scoping, and rationalized

43%
controls (optimization of current control environment
Developing – still identifying the correct key controls 10%
n=153
9
‘Control optimization’ and ‘improving business process’ were
reported as key focus areas
KPMG Point of View
Companies have rightly shifted focus from minimizing compliance costs in 2016 (83% of the respondents selected the option) to minimizing
performance costs, in 2022. This strategy will allow companies to focus on the total cost of controls and the quality, effectiveness and efficiency of
the controls.
Q. What were the organization's objectives for its SOX program?
57%
Participants reported that their
43% 88% company’s culture and tone at the
top support the SOX program
36% 33%
19% Companies considered the SOX
7%
67% program’s impact when planning
significant business initiatives
Control Improve Maximum Minimize SOX Others We do not Participants reported involvement
optimization business
processes
reliance
by External
compliance
costs
have a clear
objective 42% of the IA team in developing SOX
strategy
Auditors
Respondents could select more than one option. n=153
Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.
10
External Auditor reliance on Internal Audit/Management
teams’ testing increased from 71%, in 2016, to 89% in 2022
KPMG Point of View
Internal and external auditors have increased their communication and collaboration efforts in order to reduce the impact of compliance on control
operators by streamlining the testing programs. In response, organizations have seen an increase in external auditor reliance as a result of adopting
the external auditors testing templates and agreeing control testing procedures.
Q. Did the External Auditor rely on the SOX controls testing Q. What percentage of your Test of Operating Effectiveness (ToE)
performed by IA/SOX/management testing teams? (2016 Vs 2022) procedures did the External Auditor rely on? (2016 Vs 2022)
89% 64%
71%
38%
29% 20%
15% 16%
12%
11%
Yes No 0-20% 21-60% >60%
2016 (n=59) 2022 (n=144) 2016 (n=57) 2022 (n=128)
This question is only answered by the respondents who selected “yes” in External
Auditor reliance
11
Many companies used the same or similar testing
templates or modified their sample sizes to increase
External Auditor reliance
Q. How did your organization modify its approach based on your External Auditor’s (EA) reliance model?
41%
33%
28%
20%
16%
8% 7%
Use templates Modify Do not change Modify roll Decrease the level Self-assess Others
(or nearly similar sample sizes approach forward of documentation (no independent
formats) from EA based on EA's approach in areas of testing) in areas
in areas of reliance reliance model non-reliance of non-reliance
12
85% of participants reported that they were unable to quantify
savings achieved due to External Auditor reliance on their
management testing
KPMG Point of View
• There have been significant efforts made by companies to align their SOX program with the External Auditor requirements. However, companies
have not been able to analyze a return on this investment
• Companies must assess the impact, if any, of their External Auditor reliance strategy and take an informed decision about the same
Q. Are you able to quantify the savings achieved as a result of External Audit reliance on your organization’s testing in 2022? If yes, please
provide percentage of estimated savings.
85%
16%
Average percentage of
estimated savings, achieved
15% as a result of external audit
reliance (n=19)
Yes No
n=127
13
Majority of the IA teams participating in SOX spent 40% or
more of their hours in SOX
KPMG Point of View
The decrease of hours spent by the Internal Audit department, as compared to 2016, is reflective of the evolving role of Internal Audit. Traditionally
seen as a compliance shop, companies are now taking advantage of the process and risk expertise within the Internal Audit department and
leveraging that skill-set to assess operations across the organization.
Q. For Internal Audit departments participating in SOX, what percentage of total Internal Audit hours were related to SOX in 2022?
55%
35%
30%
22%
16% 16%
13% 13%
0-20% 21-40% 41-60% >60%

2016 (n=58) 2022 (n=129)
n=153
14
03
Program
Budget
Key observations: Program budget
• 40% of participants • Overall, average • Average cost of • Transactional • ToE was reported
reported an budget for the compliance per controls required as the most time-
increase in the SOX program was control, basis the most hours (16 consuming SOX
year-over- year reported to be responses, was hours per control) activity followed by
cost of their SOX $1.6M, and calculated as for ToE testing, process
program 11,800 hours $3,200 whereas entity- walkthroughs, and
• Participants • Average hours level controls test of design
indicated the per control for required the least
increase was ToE testing was hours per control
driven by changes reported to be (9 hours
in company 12 hours per control).
structure, increase
in key control
counts, and
new system
implementations
16
40% of companies experienced increasing costs in their SOX
program from 2021 to 2022
The cost trends below reflect costs related to control documentation, testing, SOX program governance, etc. (and do not include the cost of control
performance).
Q. Did your SOX program costs increase/decrease over the past year (2022 compared to 2021)? If so, what was the driver of the change?
Drivers for the increase in the SOX program cost (2022):

• Change in business structure (e.g., acquisitions, decentralization, etc.)
• Increase in testing, documentation, and number of controls
40% • Implementation of new systems

42%
2022 (n=153) • Increase in labor cost
Drivers for the decrease in the SOX program cost (2022)

• Technology enablement in SOX programs
18% • Increased efficiency in controls testing
• Change in audit approach/support, and company’s cost control
activities
Increased Decreased No change
17
Average budget for the clients’ SOX program, across
industries and company sizes, was reported as $1.6M
and 11,800 hours
Q. What was the budget, in dollars, for your SOX program, including both internal and external resources?
Companies average $2.0

$1.0
$1.6M budget for SOX program
in terms of dollar spend
$0.6
Bottom quartile Median Top quartile
Figures are in $M n=83
Q. What was the budget, in hours, for your SOX program, including both internal and external resources?
14,105
Companies average 7,500
11,800 budget for SOX program
in terms of hours
4,000
Bottom quartile Median Top quartile
Figures are in hours n=83
18
Companies with revenue over $20B reported a significantly
higher SOX program budget Technology and insurance
companies allocated the highest budget to their
SOX programs
Q. What was the budget, in dollars, for your SOX program, including both internal and external resources? – (By company size and Industry)
Technology & software $2.5

Large-size organizations Insurance $2.1
$4.5
($20B+) Industrial manufacturing $2.0
(n=10) Building, construction and real estate $2.0
Consumer goods manufacturing $1.8
Mid-size organizations Financial services $1.7
$2.4 Media and telecommunications
($10B -$19.9B) $1.7
(n=7) Banking and capital markets $1.0
Retail or consumer goods $0.8
Small-size organizations Energy, natural resources and chemicals $0.6
$1.1 Life sciences $0.5
(less than $10B)
(n=66) Others $1.8
Figures are in $M n=83

• Similar averages were noted for company sizes $100M-$500M, $500M-$1.5B and $1.5B - $9.9B. Therefore, the population counts were merged resulting in a total count of 66 companies.
• Differences in SOX program budgets were driven by varying company sizes and not by industry
• Other industries - Asset Management, Alternative Investments, Automotive, Agriculture, Human Capital, Healthcare, Federal, State and Local, Education, Research,, Mining, Power and Utilities, Waste management, and Logistics
19
Average cost of compliance per control, across companies,
was calculated as ~$3200. Significantly higher cost was noted
for companies with revenue >$10B
Cost of compliance, by company size Cost of compliance, by industry
Financial Services $4,271

Large-size organizations Insurance $4,176
$4,262 Technology & Software
($20B+) $3,850
(n=10) Retail or Consumer goods $3,240
Industrial Manufacturing $3,228
Mid-size organizations Consumer Goods Manufacturing $3,180
$4,545
($10B -$19.9B) Banking and Capital Markets $2,202
(n=7) Media and Telecommunications $2,004
Energy, Natural Resources and Chemicals $1,931
Small-size organizations Building, Construction and Real Estate $1,467
$2,957
(less than $10B) Life Sciences $826
(n=66)
Others $3,795
n=83
• Similar averages were noted for company sizes $100M-$500M, $500M-$1.5B and $1.5B - $9.9B. Therefore, the population counts were merged resulting in a total count of 66 companies.
• Differences in SOX program budgets were driven by varying company sizes and not by industry
• Cost of compliance includes the cost of performance and testing a control (ToD and ToE). The numbers shown above were calculated by dividing the SOX budget by the control count reported by the participants.
• Other industries - Asset Management, Alternative Investments, Automotive, Agriculture, Human Capital, Healthcare, Federal, State and Local, Education, Research,, Mining, Power and Utilities, Waste management, and Logistics
20
Transactional controls had the highest average testing hours
at 16 hours per control
Transactional controls have higher average testing times due to the larger sample sizes tested for controls with frequencies of daily or
more than daily. 62% of the participants reported the testing is performed in 2 or more phases during a year, which adds to the efforts to
test these controls.
Q. How many hours did you spend per control, on average, testing the operating effectiveness for the following control types for
the fiscal year?
Transactional control with 20+ samples 16
Daily control with 10+ samples 13

12
IT general control 13
hours
Management review control 12
IT application control Average testing hours per

11
control for test of operating
Monthly/quarterly control with 2-5 samples effectiveness (ToE)
11
Entity-level/organization level control 9

n=83
21
Companies, across sizes, spent the majority of their efforts on
test of operating effectiveness
97% of the participants reported that they perform walkthroughs. However, the majority of these companies spend <1000 hours on this
activity. Companies must assess the value being derived from performing walkthroughs and determine whether the money and time spent
is justified, and also adapt how they perform and/or document walkthrough activities
Q. What was the approximate effort (in% of total hours), in total across all processes, for each of the following activities during the most
recent SOX compliance year?
4% 4%
Small-size organizations Performing walkthrough
12% 4% 4% 6% 66%
(less than $10B)
(n=109) Process narratives
3% 3%
ELC assessment
Mid-size organizations
8% 2% 3% 6% 75% Remediation coordination and testing
($10B -$19.9B)
(n=18) Process flowcharts
2% 3%
Risk and Control Matrix (RACM)
Large-size organizations
10% 3% 4% 7% 71% Test of Effectiveness
($20B+)
(n=26)
n=153
22
Of the companies requiring to be SOX compliant, the majority
reported that >20% of their SOX program budget was fulfilled
by outsourced providers
Q. What% of your SOX program budget was fulfilled by outsourced Q. What% of your SOX program budget was fulfilled by outsourced
providers (e.g., co-sourced programs)? providers – by company size
38% 7% 7%
30% 13% 20%
14% 33%
24% 33%
23%
19%
15% 47%
37% 40%
Small-size Mid-size Large-size

organizations organizations organizations
(less than $10B) ($10B -$19.9B) ($20B+)
0-20% 21-40% 41-60% >60% (n=93) (n=15) (n=15)
Only those participants who selected ‘Yes’ for the company requiring to be SOX
404a or 404b compliant question were considered for this section (n=130) n=123 0-20% 21-40% 41-60% >60%
23
04
Risk
assessment
Key observations: Risk assessment
New system New or A majority of 46% of participants Maximum

implementation, superseded the participants reported that outsourcing was
process accounting reported their their IA team is seen in ToE activity
reengineering, pronouncements company’s responsible for and the least
and acquisitions, and regulatory in-scope control the performance outsourcing was
divestitures and/or changes were count to be more of SOX risk seen in SOX
reorganizations some other than or same as assessment strategy and
were reported common factors the External related activity reporting activities
as the most considered in the Auditor
considered factors risk assessment
during SOX process
risk assessment
in 2022
25
93% of the companies considered system implementation/
process re-engineering during their SOX risk assessment
Q. What factors were considered during the SOX Risk Assessment?
93%
78%
74%
70%
63%
58%
10%
System Acquisitions, Regulatory changes New New or Significant Other

implementations divestitures (SOX, PCAOB business superseded employee or business
and process and/or regulations initiatives accounting service provider changes
reengineering reorganizations and interpretations, pronouncements turnover
efforts HIPAA, SEC, etc.)
26
>80% of the participants reported their company’s in-scope
controls (business & IT) were either more than or the same as
the External Auditor
Q. Were there differences between what your organization had in- Q. Were there differences between what your organization had in-
scope and what the External Auditor had in-scope for business scope and what the External Auditor had in-scope for IT controls
process controls testing in 2022? testing in 2022?
29%
32%
2022 (n=153) 50% 2022 (n=153)

55%
16%
18%
External Auditor had External Auditor had Company had the same controls
less controls in-scope more controls in-scope in-scope as the External Auditor
27
Majority of the participants reported that IA function was
responsible for their SOX program’s testing activities
Controllership played a significant role in the non-testing SOX activities. Third party outsourcing was most
prevalent in controls testing.
Q. Who was responsible for the performance of the following activities in 2022?
SOX strategy 49% 42% 9%
SOX risk assessment 44% 46% 10%
Controls documentation creation and/or updates 56% 34% 10%
Test of design 26% 54% 20%
Test of Effectiveness 20% 56% 24%
Remediation coordination 42% 45% 12%
Reporting 41% 51% 8%
Coordination with External Auditor 44% 45% 11%
Controllership/finance and accounting/SOX department Internal audit Outsourced to 3rd party provider
n=153
28
05
Control
environment
Key observations: Control environment
• On average, • Non-key controls • ~80% of total • In large-size • 65% of

key control count constituted 44% controls were companies participants
increased by of the total reported as ($20B+), 37% reported they
41% in 2022 controls and manual or IT of total controls have modified
(463 controls) 66% of the dependent reported to be their control
when compared companies manual controls automated portfolio in 2022
with 2016 (329 document non- • Overall average
controls) key controls of automated
controls stood
at 21%
30
On average, key control count increased by 41% in 2022
(463 controls) when compared with 2016 (329 controls)
Q. What was the total number of SOX key controls (Business Process and IT)?
Average number of Split of SOX key controls by organization size in 2022

463 total key controls (all
companies) in 2022
904 894
351
(n=83)
Average number of
329 total key controls (all
companies) in 2016
Small-size organizations
(less than $10B)
Mid-size organizations
($10B -$19.9B)
Large-size
organizations ($20B+)
(n=66) (n=7) (n=10)
(n=57)
Q. Split of average total key and non-key controls (for companies documenting non-key controls)
of companies documented
66% non-key controls in 2022
SOX program
2022 56% 44% 718
(n=55)
of companies documented 2016 55% 45% 460

47% non-key controls in 2016
SOX program
Key Non-key controls
(n=31)
31
On average, 21% of the total controls were automated. This
percentage was significantly higher for companies with
revenue >$20B
Q. What percentage of your total 2022 SOX in-scope controls were Q. Percent of total controls that are automated in% –
automated/manual/IT dependent manual? by revenue size
82% 37%
51%
20% 20%
28%
18% 21%
Automated Manual IT dependent - Small-size Mid-size Large-size

manual organizations organizations organizations
(less than $10B) ($10B -$19.9B) ($20B+)
2016 (n=51) 2022 (n=153) (n=109) (n=18) (n=26)
Percentage figures are the averages of total firms surveyed, respectively. Above chart depicts the percent of total controls that are automated
2016 survey did not include ‘IT dependent’ as a response option across varying company’s size, respectively. n=153
32
IT SOX program –In-scope systems and average control count
Q. How many systems were in-scope for the SOX program in 2022?
23
17
10
Average systems
17 were in-scope for
the SOX program
Small-size organizations Mid-size organizations Large-size organizations
(less than $10B) ($10B -$19.9B) ($20B+)
n=69
What were the number of in-scope IT Controls (General Controls + Application Controls) in 2022?
70 68 57
Average number of
69 in-scope IT Controls
(General Controls +
Application Controls) Small-size organizations Mid-size organizations Large-size organizations
(less than $10B) ($10B -$19.9B) ($20B+)
n=69
33
65% of participants reported modification to their control
portfolio
Q. Which of the following areas were impacted by the modifications
Q. Did you modify your control portfolio in 2022?
to your control portfolio?
Reduced in-scope control count 47%
35% Increased in-scope control count 46%
2022 (n=153) Increased automated controls and

32%
reduced manual controls
65% Reduced control performance time 14%
Others 12%
Yes No
Participants who have selected “yes” in modifications to their control portfolio
section, can respond to this question. Hence the varying sample size.
A modification would entail a significant change in control count/scope. Minor
changes to existing control information wasn’t assumed as a modification. Respondents could select more than one option. n=99
34
06
Testing
Key Observations: Testing
• 94% of companies • 66% of • 38% of companies • Audit committee • Companies

performed their participants report reduction communication reported an
ToE in two or reported use of in their program’s and reporting average of
more phases data analytics in in-scope control focused on 9 control
• >60% of their SOX count. Tech reporting control deficiencies
companies program enablement and exceptions and in 2022
assigned risk • Sample selection controls the associated • Majority number
levels to their and control testing optimization noted remediation of control
controls phases were as key drivers for activities deficiencies were
noted as areas the decrease reported in GITC,
• 76% of companies
modified their with the highest order to cash, and
sample size application of data financial reporting
based on the analytics and close
risk levels processes
36
94% of the participants reported that their company SOX
program’s effectiveness testing is conducted in two or more
phases, each compliance year
Q. How many Test of Effectiveness (ToE) phases occur each compliance year to cover the sample size in completion?
62%
54%
37%
32%
7%
4% 2% 2%
Samples are all tested Samples are tested Samples are tested Samples are tested
in one phase in two phases each year in three phases each year in more than three
phases each year
2016(n=57) 2022(n=153)
37
63% of participants reported assigning of risk levels to their
SOX program controls. 76% of these companies modified their
sample sizes based on the risk levels
Q. Did you modify sample size based on the risk associated with
Q. Did you assign risk levels to your controls? the control?
24%
37%
2022 (n=153) Yes No 2022 (n=96)
63%
76%
Participants who have selected “yes” in assign risk levels to their controls, can respond
to this question. Hence the varying sample size
38
Compared to 8% in 2016, 66% of participants reported use of
data analytics in their SOX program. Most prevalent in ‘sample
selection’ and ‘controls testing’
Q. In the execution of any phase of the SOX program, to what Q. In which phases of your SOX program did you use data
extent did you use the following activities? analytics?
66%
53% 63%
45%
34% 35%
33%
14%
8% 9%
5%
Data analytics Continuous Control self Automation bots Risk Sample Control Others
procedures monitoring assessments or scripts assessment selection testing
controls
2016 (n=59) 2022 (n=153)

Participants who have selected “yes” in use of data analytics, to execute SOX program
Above chart depicts the combined percentage of participants, who have selected -
section, can respond to this question. Hence the varying sample size.
Minimal, Moderate, and High usage of various activities, while executing their SOX
program, respectively. Respondents could select more than one option n=101
39
38% of companies reported reduction in their program’s in-
scope control count. Tech enablement and controls
optimization noted as key drivers for the decrease
Q. Has your in-scope control count increased/decreased year over year (2022 compared to 2021)? What was the driver of the change?
Drivers for increased in-scope control count:

• New systems/processes due to new business or activity
31% 31% • Increased scope of work, newly added controls, and changes in control
process
• Acquisitions
2022 (n=153)
Drivers for decreased in-scope control count:

• Automation
• New system implementation (ERPs, OS, DB)
38% • Control optimization/rationalization
• Increased co-ordination/alignment with External Auditor and
management
• Other reasons (divested business, moved to private entity)
Increased Decreased No change
40
>70% of participants reported a significant or moderate level
of focus on testing related to Information Provided by Entity
(IPE) and Management Review Controls (MRC)
Q. During control testing in 2022, what was the extent of effort
related to IPE (Information Provided by Entity)/Completeness and Q. During control testing in 2022, what was the extent of effort
Accuracy (C&A) testing? related to MRC (Management Review Controls)?
n n
Moderate time and consideration Moderate time and consideration

during testing 45% during testing 49%
Significant time and consideration Limited time and consideration

during testing 33% during testing 24%
1 1
5 5
Limited time and consideration 1 Significant time and consideration 1
during testing 17% 1 during testing 22% 1
5 5
1 1
No time and consideration
1 No time and consideration
1
during testing 5% 5 during testing 5% 5
2 2
n=153 n=153
41
Control exceptions and remediation activities were reported
as most likely SOX elements to be communicated to audit
committees at a detailed level
Q. Which of the following elements are included in your Audit Committee communications and reporting?
Remediation activities 58% 20% 16% 6%

2%
Control exceptions/deficiencies 49% 27% 22%
1%
Testing progress 69% 21% 9%
Program calendar 70% 14% 5% 11%
In-scope control counts 56% 22% 3% 19%
Risk assessment 67% 13% 4% 16%
High-level only By process In detail Not communicated

n=153
42
5% of companies surveyed in 2022 reported Material
Weaknesses (MWs). In 2016, 7% of companies surveyed
reported MWs
Q. How many material weakness’ by process did you have in your SOX program? (2016 Vs 2022)
Financial reporting
Fixed assets 2 3
and close
10 material weaknesses
Human resources
6 material weaknesses
2
Disclosures 1 and payroll
Tax 1
Order to cash 1
Procure to pay 1
Inventory/manufacturing 1
Order to cash 1
Financial reporting
1 Others 2
and close
2016 (n=57) 2022 (n=153)
Companies, out of the 57 surveyed in 2016, reported six Companies, out of the 153 surveyed in 2022, reported 10
4 MWs. The above graph is a representation of these MWs,
by business process
8 MWs. The above graph is a representation of these MWs,
by business process
43
18% of companies surveyed in 2022 reported Significant
Deficiencies (SDs) in 2022. In 2016, 40% of companies
surveyed reported SDs
Q. How many significant deficiencies, by process, did you have in your SOX program? (2016 Vs 2022)
IT general controls 14 IT general controls 14

Tax 8 Financial reporting and close 7
53 significant deficiencies
49 significant deficiencies
Financial reporting and close 7 Tax 4
Order to cash 3 Inventory/manufacturing 4
Fixed assets 3 Treasury 3
Procure to pay 2 Order to cash 3
Inventory/manufacturing 2 Acquire to retire 2
Treasury 1 Human resources and payroll 1
Human resources and payroll 1 Entity level controls 1
Others 12 Others 10
2016 (n=57) 2022 (n=153)
Companies, out of the 57 surveyed in 2016, reported Companies, out of the 153 surveyed in 2022, reported
23 53 SDs. The above graph is a representation of these SDs,
by business process
28 49 SDs. The above graph is a representation of these SDs,
by business process
44
Average number of Control Deficiencies (CDs) per company
decreased by 10% in 2022 Maximum CDs were reported in the IT
General Controls (ITGCs)
Q. How many Control Deficiencies by process did you have in your SOX program? (2016 Vs 2022)
IT general controls 185 IT general controls 405

Financial reporting and close 80 Order to cash 174
Order to cash 60 Financial reporting and close 170
Procure to pay 50 Inventory/manufacturing 98
Human resources and payroll 41 Procure to pay 95
Inventory/manufacturing 39 Human resources and payroll 52
Fixed assets 31 Treasury 41
Treasury 21 Tax 23
Tax 13 Acquire to retire 23
Derivative/hedge management 4 Entity level controls 19
Others 51 Others 239
2016 (n=57) 2022 (n=153)
10 Average control deficiencies per company in 2016

9 Average control deficiencies per company in 2022
45
‘Improvement in the quality of control evidence’ was reported
as the greatest focus area
Q. What were the areas of the SOX program with the greatest focus for improvement in 2022? (n=153)
Improve the quality of control evidence 39%

Communications with External Auditors 32%
Enhance risk and control descriptions 29%
Increase External Auditor reliance 29%
Reduce in-scope control count 28%
Increase control automation through existing systems 28%
Improve the quality of control performance 26%
Communication with control performers 26%
Project management enhancements 25%
Reduce control testing cost/effort 25%
Increase use of data and analytics to test controls 23%
Improve the SOX risk assessment process 20%
Note:
• Participants could select more than one option.
• Included responses only that are more than equal to 20% in the above chart. Other SOX program focus areas that are mentioned in the survey responses are Communication with audit committee, senior management,
control owners, etc (17%), Communication with management (16%), Communication with senior leadership (14%), Reduce control performer efforts (14%), Increase the use of data and analytics to perform controls (14%),
Increase use of RPA to perform controls (8%), Other (5%), and Increase use of RPA to test controls (3%)
46
07
Technologies
and Tools
Key observations: Technologies and tools
• 69% of companies • Companies have • Participants • 50% of • >90% of

utilized a GRC also started reported use of a participants companies
technology for incorporating GRC tool primarily reported the surveyed were
their SOX other technologies for tasks related to External Auditor either fully or
program such as Archer control testing, had access to somewhat
• AuditBoard and and TeamMate in workflow their GRC satisfied with their
Workiva’s Wdesk their SOX management and technology current GRC
were the most programs status reporting technology
utilized • Ability to
technologies customize and
amongst the simplified user
participants using interface were
GRC technology reported as
required
enhancements in
GRC technologies
48
Compared to 41% in 2016, 69% of the companies surveyed in
2022 reported use of a GRC tool for their SOX program.
AuditBoard and Workiva’s Wdesk were the most used tools
Q. Did the organization use a GRC technology for its SOX program
(2016 Vs 2022) Q. What technologies were utilized in the SOX program (2022)?
AuditBoard 32%
69%
Workiva 30%
59%
MS Excel 22%
41% SharePoint 15%
31% RSA Archer (EMC) 12%

ServiceNow 8%
Custom in-house build 8%
Other 18%
2016 (n=59) 2022 (n=153) • Only the participants who selected “yes” for use of GRC technologies could
answer this question.
• Other technologies include TeamMate (6%), Riskonnect (5%), OpenPages
Yes No IBM (4%), Oracle (6%), Paisley (1%), etc.
n=153 • Respondents could select more than one option n=106
49
Compared with 2016, satisfaction level with GRC technologies
increased from 22% to 54%
Q. Based on your experience, what is the organization's Reasons indicated for ‘not satisfied’ and ‘disappointed’
satisfaction level with the current technology? responses(n=9)
54%
1
48%
Limited scope for customization
38%
2
22% 22%
Lack of control testing documentation functionalities such as enabling
mark-ups and addition of review comments within the GRC tool
8%
6%
3%
3
Satisfied Somewhat Not satisfied Disappointed Need a more user-friendly interface that simplifies sharing of
satisfied documentation with External Auditor/other stakeholders
2016 (n=23) 2022 (n=106)
50
Of the companies that use GRC technologies, >70% reported
usage in control testing, controls review workflow, and
reporting and status tracking
Q. Which SOX program tasks did you utilize technologies for?
81%
74% 72%
65%
59%
55% 55%
44%
6%
Controls Controls Reporting Documentation Documentation Documentation Control Workflow Others

testing review and status updates (control requests receipts deficiency to External
workflow tracking matrices, process analysis Auditor
flows, etc.)
Only those participants who confirmed use of a GRC technology for their SOX program could answer this question.
Participants could select more than one option. n=106
51
08
Survey
demographics
The survey registered maximum responses from the
technology, energy, and manufacturing industries.
77% of the participants were from publicly listed companies
Q. What is your primary industry? Q. Select your organization structure?
Technology & software 15%

Energy and natural resources
Industrial manufacturing 8%
11%
77% Public companies
Financial services 8%
Banking and capital markets 7%
Retail or consumer goods 7%
Insurance 6% 18% Private equity & non- equity owned
companies
Building, and real estate 5%
Consumer goods manufacturing 5%
Healthcare provider (profit) 4%
Media and telecom
Life sciences
4%
4%
5% Others (non-profit, governmental,
and EGC)
Others 16%
Other industries - Asset Management, Alternative Investments, Automotive, Agriculture, Human Capital, Healthcare Provider Non-Profit, Engineering, Public Investment Management, Federal, State and Local,
Semiconductor, Higher Education, Research and Other Not-for-Profits, Medical Devices, Mining, InsurTech, Data/Information, Power and Utilities, Waste management, EdTech, and Logistics n=153
53
Participation across varying company sizes, by revenue and
assets’ worth. Majority of the participants were from
companies with revenue/assets’ worth below $10B
Q. What was your organization’s total revenue for the most recent Q. What were your organization’s total assets worth for the most
fiscal year-end? recent fiscal year-end?
57%
71%
28%
17% 12%
12%
3%
Small-size Mid-size Large-size Small-size Mid-size Large-size Don't know

organizations organizations organizations organizations organizations organizations
(less than $10B) ($10B -$19.9B) ($20B+) (less than $10B) ($10B -$19.9B) ($20B+)
n=153 n=153
54
68% of participants reported that their company required to
be SOX 404b compliant. ~80% of these companies have had
the requirements for >5 years
Q. Was your organization required to be SOX 404a or 404b Q. How many years has your organization been required to be SOX
compliant in 2022? 404b compliant?
68% 78%
32%
16%
6%
404a 404b 1-2 years 3-5 years More than 5 years
Participants who have selected “404b” only responded to this question.

n=130 Hence the varying sample size n=89
55
09
Appendix
Percentage split of key and non-key controls across company
sizes and industries
Q. What was the total number of SOX key and non-key controls (business process and IT) in 2022? (By revenue size and industry)
Building, construction and real estate 100%

Large-size organizations 13% Industrial manufacturing 87% 13%
87%
($20B+)
Financial services 85% 15%
(n=10)
Consumer goods manufacturing 82% 18%
Retail or consumer goods 81% 19%
Mid-size organizations Banking and capital markets 80% 20%
94% 6%
($10B-$19.9B)
Energy, natural resources and chemicals 74% 26%
(n=7)
Technology & software 69% 31%
Insurance 67% 33%
Small-size organizations 26% Media and telecommunications 66% 34%
74%
(less than $10B)
(n=66) Life sciences 42% 58%
Others 79% 21%
Key controls Non-key controls
Other industries - Asset Management, Alternative Investments, Automotive, Agriculture, Human Capital, Healthcare Provider Non-Profit, Engineering, Public Investment
Management, Federal, State and Local, Semiconductor, Higher Education, Research and Other Not-for-Profits, Medical Devices, Mining, InsurTech, Data/Information,
Power and Utilities, Waste management, EdTech, and Logistics n=83
57
Average hours spent, by control type, to test the operating
effectiveness of the control
Q. How many hours did you spend per control, on average, testing the operating effectiveness for the following control types for
the fiscal year?
n
n
Transactional control with 20+
5% 34% 27% 19% 7% 9% 148
samples
Daily control with 10+ samples 18% 32% 32% 8% 7% 3% 142
Monthly/quarterly control with 2-5

34% 31% 25% 5% 4% 1% 149
samples
Management review control 30% 34% 21% 10% 3% 3% 145
Entity-level/organization level 145

60% 20% 11% 5% 3% 1%
control
IT general control 20% 34% 27% 7% 5% 6% 148
IT application control 27% 38% 21% 8% 5% 1% 148
1-5 hours 6-10 hours 11-15 hours 16- 20 hours 21-25 hours >25 hours
58
40% of participants reported testing of Q4 samples for high-
risk controls
Q. To what extent did you perform controls testing over Q4 samples?
40%
25%
19%
8% 8%
Based on risk level control Minimal Siginificant portion Every control Others
(e.g. only high-risk level
controls)
n=153
59
Controls testing over Q4 samples –By Industry
Based on risk level of control Significant Every
Industry (e.g., only high-risk level controls) Minimal portion control Others
Banking and capital markets 46% 36% 9% 9% 0%
Building, construction and real estate 25% 37% 13% 0% 25%
Consumer goods manufacturing 29% 43% 14% 0% 14%
Energy, natural resources and chemicals 35% 35% 24% 6% 0%
Financial services 34% 25% 25% 8% 8%
Industrial manufacturing 62% 15% 15% 8% 0%
Insurance 22% 22% 22% 12% 22%
Life sciences 17% 17% 32% 17% 17%
Retail or consumer goods 50% 30% 10% 0% 10%
Technology & software 35% 17% 26% 13% 9%
Others 51% 19% 16% 8% 6%
Highlighted cells represents the highest share in the respective industry

60
45% of the companies reported lack of appropriate trainings
for control/process owners (or control performers)
Q. How frequently were trainings for control/process owners (or control performers) conducted?
35%
34%
11%
10%
8%
2%
Ad-hoc Annually Quarterly Training Others (annual Monthly

not conducted + ad-hoc + customised
as per control/
process owners)
n=153
61
Average number of SOC1 and SOC2 reports, across companies,
in scope were 14 and 7 respectively
Q. What was the total number of SOC1 reports your organization received as part of the in-scope processes for 2022?
20
Average number of SOC1 reports 12
14 organization received as part of
the in-scope processes
6
Bottom Quartile Median Top Quartile
n=153
Q. What was the total number of SOC2 reports your organization received as part of the in-scope processes for 2022?
10
Average number of SOC2 reports 5
7 organization received as part of
the in-scope processes
2
Bottom Quartile Median Top Quartile
Excluded survey responses (66) that are marked as “0” in SOC report 2 section n=153
62
Key focus areas for companies with <$10B revenue
Q. What were the areas of the SOX program with the greatest focus for improvement in 2022– By revenue size (n=109)
Increase External Auditor reliance 33%

Note:
1. Participants could select more than one option. Hence the total will not add up to 100%
2. Other SOX program focus areas that are mentioned in the survey responses are increased use of data and analytics to test controls (17%), Communication with audit committee, senior management, control owners etc.
(15%), Improve the SOX risk assessment process (15%), Communication with senior leadership (14%), Increase the use of data and analytics to perform controls (12%), Reduce control performer efforts (12%),
Communication w/management (11%), Increase use of RPA to perform controls (9%), Increase use of RPA to test controls (5%), and others(5%)
63
Key focus areas for companies with revenue between $10B
to $19.9B
Q. What were the areas of the SOX program with the greatest focus for improvement in 2022 – By revenue size (n=18)

Communication with audit committee, senior
44%
management, control owners etc.

Note:
2. Other SOX program focus areas that are mentioned in the survey responses are Communication with senior leadership (28%), Increase control automation through existing systems (28%), Increase the use of data and
analytics to perform controls (28%), Improve the quality of control performance (28%), Reduce control performer efforts (28%), Increase External Auditor reliance (22%), Communication with management (17%), Reduce in-
scope control count (17%), and Increase use of RPA to perform controls (6%)
64
Key focus areas for companies with >$20B revenue
Q. What were the areas of the SOX program with the greatest focus for improvement in 2022 – By revenue size (n=26)

Communication with management 35%
Note:
2. Other SOX program focus areas that are mentioned in the survey responses are Communications with External Auditor (19%), Increase External Auditor reliance (15%), Reduce control performer efforts (15%), Increase the
use of data and analytics to perform controls (12%), Other (12%), Communication with audit committee, senior management, control owners etc. (8%), Communication with senior leadership (8%), and Increase use of RPA
to perform controls (8%)
65
88% of participants believed that their company’s culture and
leadership support the SOX Program
Q. Please indicate your level of agreement with the following statements?
n
n
Management believe SOX program provides
objective and relevant assurance and improves the 6% 7% 46% 41% 150
management of risk to acceptable levels
3%
Organization's culture and tone at the top support to
6% 3% 45% 43% 149
SOX program
Confident that in-scope controls would be effective

3% 19% 19% 50% 9% 151
even without testing them
Organization considers SOX when planning 18%

5% 10% 50% 17% 151
significant business initiatives
Often add Key controls based on External Auditor 30%

5% 16% 42% 7% 152
requests
Strongly disagree Disagree Neutral Agree Strongly agree
66
01 C&A Completeness and Accuracy
02 CD Control Deficiencies
03 EA External Auditor
04 ELC Entity Level Controls
05 GRC Governance, Risk, and Compliance
06 HIPAA Health Insurance Portability and Accountability Act
07 IA Internal Audit
08 ICOFR Internal control over financial reporting
09 IPE Information Provided by Entity
Glossary 10
11
ITGC
MRC
Information Technology General Control
Management Review Controls
12 MW Material Weakness
13 PCAOB Public Company Accounting Oversight Board
14 RACM Risk and Control Matrix
15 RPA Robotic Process Automation
16 SD Significant Deficiencies
17 SOC Service Organizational Control
18 ToD
Test of Design 67
19 ToE Test of Effectiveness

Contact
King, Sue
Partner, Advisory, SOX Solution Leader
susanking@kpmg.com
+1 213 955 8399
Some or all the services described herein may not be permissible for
KPMG audit clients and their affiliates or related entities.
kpmg.com/social media
The information contained herein is of a general nature and is not intended to address the circumstances of any
particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the
future. No one should act upon such information without appropriate professional advice after a thorough
examination of the particular situation.
© 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of
independent member firms affiliated with KPMG International Limited, a private English company limited by
guarantee. All rights reserved. NDP416595-1A
The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG
global organization.

2023 Sox Survey

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2023 Sox Survey

Uploaded by

Copyright:

Available Formats

2023 KPMG

Based on a 2022 external survey of SOX teams and their

Table of 04 Risk assessment 24

contents 05 Control environment 29

07 Technologies and tools 47

• 90% of the • 88% of • 89% of the • Despite high • A fifth of the

Source – ‘2022 SOX Survey Analysis', KPMG LLP (US), 2022.

Maturing – improved business processes (such as shared services)

Evolving – improved risk assessment and scoping, and rationalized

Developing – still identifying the correct key controls 10%

Source – ‘2022 SOX Survey Analysis', KPMG LLP (US), 2022.

Q. What were the organization's objectives for its SOX program?

19% Companies considered the SOX

Respondents could select more than one option. n=153

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Yes No 0-20% 21-60% >60%

2016 (n=59) 2022 (n=144) 2016 (n=57) 2022 (n=128)

Respondents could select more than one option. n=153

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

0-20% 21-40% 41-60% >60%

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Drivers for the increase in the SOX program cost (2022):

40% • Implementation of new systems

Drivers for the decrease in the SOX program cost (2022)

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Companies average $2.0

Bottom quartile Median Top quartile

Figures are in $M n=83

Bottom quartile Median Top quartile

Figures are in hours n=83

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Technology & software $2.5

Figures are in $M n=83

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Financial Services $4,271

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Transactional control with 20+ samples 16

Daily control with 10+ samples 13

IT application control Average testing hours per

Entity-level/organization level control 9

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

30% 13% 20%

Small-size Mid-size Large-size

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

New system New or A majority of 46% of participants Maximum

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

System Acquisitions, Regulatory changes New New or Significant Other

Respondents could select more than one option. n=153

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

2022 (n=153) 50% 2022 (n=153)

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

SOX strategy 49% 42% 9%

SOX risk assessment 44% 46% 10%

Controls documentation creation and/or updates 56% 34% 10%

Test of design 26% 54% 20%

Test of Effectiveness 20% 56% 24%

Remediation coordination 42% 45% 12%

Reporting 41% 51% 8%

Coordination with External Auditor 44% 45% 11%

Source – ‘2022 SOX Survey Analysis’, KPMG LLP (US), 2022.

• On average, • Non-key controls • ~80% of total • In large-size • 65% of