A sharper focus on internal controls

Similar documents
Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

ISACA Cincinnati Chapter March Meeting

January 25, Digital Governments. From KPMG s Harvey Nash survey to a future of opportunities

Cyber Security. It s not just about technology. May 2017

Turning Risk into Advantage

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

IT Audit Auditing IT General Controls

GDPR: A QUICK OVERVIEW

Auditing IT General Controls

Achieving effective risk management and continuous compliance with Deloitte and SAP

How to avoid storms in the cloud. The Australian experience and global trends

Trough a cyber security lens

SOC for cybersecurity

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

COBIT 5 With COSO 2013

The GDPR Are you ready?

IT Attestation in the Cloud Era

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Clarity on Cyber Security. Media conference 29 May 2018

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services

Global Security Consulting Services, compliancy and risk asessment services

Article II - Standards Section V - Continuing Education Requirements

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD

SAS70 Type II Reports Use and Interpretation for SOX

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

HIPAA Privacy, Security and Breach Notification

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.ca

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

SAP Security Remediation: Three Steps for Success Using SAP GRC

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

POSITION DESCRIPTION

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

Symantec Data Center Transformation

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

Cognizant Cloud Security Solution

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

COSO Enterprise Risk Management

Securing Your Digital Transformation

ACCOUNTING (ACCT) Kent State University Catalog

Singapore Quick Guide to the COSO. Enterprise Risk Management and Internal Control Frameworks Edition

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

Effective COBIT Learning Solutions Information package Corporate customers

Accountancy (ACCTCY) Accountancy (ACCTCY) 1

EY s data privacy service offering

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Survey - Governance, Risk and Compliance

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Vice President and Chief Information Security Officer FINRA Technology, Cyber & Information Security

Achieving third-party reporting proficiency with SOC 2+

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Avanade s Approach to Client Data Protection

Professional Services for Cloud Management Solutions

HEALTH CARE AND CYBER SECURITY:

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

OVERVIEW BROCHURE GRC. When you have to be right

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Why Enterprises Need to Optimize Their Data Centers

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

ACCA Diploma in. Starting this January! International Financial Reporting (DipIFR)

Security and Privacy Governance Program Guidelines

Modern Database Architectures Demand Modern Data Security Measures

Seize the Future. Date: June 28, Georgia Society of CPA s- Annual Convention. Paul V. Stahlin, CPA Chairman, AICPA

COSO Enterprise Risk Management

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

SAP Security Remediation: Three Steps for Success Using SAP GRC

M&A Cyber Security Due Diligence

The Network Integrator Journey

SAP: Speeding GRC Control Testing by 90% with SAP Solutions for GRC

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

RISK MANAGEMENT Education and Certification

CFOs in a new global environment Sandy Cockrell, Deloitte

Building a BC/DR Control Library and Regulatory Response Program

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Big data privacy in Australia

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

What Directors and C-Suite professionals need to know kpmg.ca/insuranceconference2017

Cyber security and awareness for non-financial services. 24/25 May 2017

TAN Jenny Partner PwC Singapore

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World

The value of visibility. Cybersecurity risk management examination

HCL GRC IT AUDIT & ASSURANCE SERVICES

Implementing ITIL v3 Service Lifecycle

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

Symantec Business Continuity Solutions for Operational Risk Management

Audit Considerations Relating to an Entity Using a Service Organization

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

12 Approval of a New PRESTO Agreement Between York Region and Metrolinx

Transcription:

A sharper focus on internal controls A benchmark study of technology companies kpmg.com

Contents 1 Introduction 4 Detailed findings 20 Controls by business processes 30 Respondent demographics 33 About the authors

Introduction Heightened regulatory attention and significant changes in accounting standards are increasing the importance and challenge of creating and maintaining effective internal controls over financial reporting. As the internal controls landscape evolves, KPMG LLP (KPMG) is pleased to present the findings from our latest internal controls study of technology companies. Our study provides a process-level look at the Sarbanes-Oxley 404 (SOX 404) internal controls programs implemented by technology companies of all sizes. Our report presents summary findings and key measures from the survey data and is designed to help benchmark a company s SOX 404 program against industry peers and to help companies maximize value from their internal controls investment. Growing scrutiny Broader shifts in the regulatory landscape, growing scrutiny from regulators, including the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB), and revisions to key accounting standards particularly those dealing with revenue recognition and lease accounting provide an opportunity to update and enhance SOX 404 internal controls. One of the key factors increasing attention on SOX 404 internal controls is the growing public discussion around internal control over financial reporting (ICFR) by officials from the SEC and PCAOB in public speeches and inspection findings. As recent as an April 2016 inspection brief previewing observations from 2015 Inspections of Auditors of Issuers, the PCAOB said, although its findings improved from the previous year, the most common audit deficiencies continue to fall in key areas related to auditing ICFR, along with assessing and responding to risks of material misstatement, and auditing accounting estimates, including fair value. 1 Another effort driving organizations to examine their SOX 404 internal controls environment is the 2013 revision to the Internal Control Integrated Framework released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO 2013 framework was designed to help organizations enhance their controls environment, broaden the application of internal controls to support operational and reporting objectives, and clarify the ability of organizations to determine whether an internal control is effective. ICFR was also cited as a leading challenge by respondents to a survey at KPMG s 25th Annual Accounting and Financial Reporting Symposium in late 2015. According to respondents, ICFR was cited by nearly a third (31 percent) as their leading challenge, followed by data infiltration and information technology (IT) security (26 percent), tax compliance (20 percent), and the potential for additional regulation (17 percent). 2 review controls As part of a sharper focus on SOX 404 internal controls, organizations are interested in optimizing specific areas such as management review controls (MRCs). MRCs are the reviews conducted by management of estimates and other kinds of financial information for reasonableness. They require significant judgment, knowledge, and experience. Designing and maintaining effective MRCs depend, to a large degree, on evaluating the accuracy of the controls design and operation. Organizations want assurance that their controls are operating at a sufficient level of precision to support the organization s risk management objectives. In response to this challenge, many organizations are increasing their control-related documentation and testing efforts. This is to determine whether controls are operating as designed and that they can document the design and implementation decisions to internal and external stakeholders. 1 PCAOB Staff Inspection Brief, Vol. 2016/1: Preview of Observations from 2015 Inspections of Auditors of Issuers (April 2016) 2 Attendee survey, KPMG 25th Annual Accounting and Financial Reporting Symposium, December 2015 A sharper focus on internal controls 1

Introduction (continued) Emerging issues Major revisions to accounting standards, including revenue recognition 3 and lease accounting, 4 are adding to the challenge of maintaining effective SOX 404 internal controls. Both updates represent significant changes to the standards they are replacing and will require corresponding efforts to implement new controls or at least to redesign existing controls to meet the new standards requirements. As companies prepare to become compliant with these standards, most are currently in an assessment stage, evaluating the requirements and financial reporting implications. Identifying potential effects on the number or types of required changes to their controls environment remains, largely, preliminary. Growing cyber security risks are also prompting an examination of organizational internal controls. Organizations are reviewing their controls to determine whether: They have a thorough understanding of their cyber exposures. A cyber breach could have implications for their ICFR. Cyber security challenges could indicate a potential deficiency in their ICFR. The increasing use of data analytics offers considerable promise for organizations and their ability to apply data-driven insights to improve their financial and operational results. In connection with this expanding adoption, reliance on system-generated data requires strong controls around the accuracy and completeness of the information feeding key reports used in the execution of key SOX controls. Ongoing communication An effective SOX 404 internal controls environment requires an ongoing, collaborative effort among control owners, company management, internal audit, and other stakeholders. It is important for all participants to understand and optimize the organization s business processes to develop an effective plan to design, implement, and monitor the organization s SOX 404 internal controls. As market conditions, regulatory changes, and technology developments prompt operational changes, it is critical for the organization s SOX 404 internal controls environment to adapt to help it meet its requirements and address risk as effectively as possible. 3 SOX 404 Accounting Standards Update 2014-09, Revenue from Contracts with Customers, issued in 2014 by the Financial Accounting Standards Board (FASB), and IFRS 15 Revenue from Contracts with Customers, issued by the International Accounting Standards Board (IASB) 4 Accounting Standards Update 2016-02, Leases, issued in February 2016 by the FASB, and IFRS 16, Leases, issued by IASB in January 2016

Key findings The following are some key findings from the survey: The average number of key controls was 238. The average number of key controls in the software and services industry was 253. The average number of key controls in the electronics industry was 275. The average number of key controls for internet/online businesses was 161. Among companies that have completed an IPO in the last 36 months, the average number of key controls was 202. Average number of key controls by company size: Less than $1 billion: 166 $1 billion $5 billion: 244 More than $5 billion: 417 Objectives and methodology The results were derived from a Web-based survey that was conducted in late 2015 and early 2016, and the data has been broken out by industry and company size. The survey included companies from the electronics (e.g., hardware, semiconductors, etc.), software and services, and internet/online business industries. Surveys were completed by a combination of company controllers, compliance managers, and chief audit executives. A total of 25 companies (10 in the software and services industry, 9 in the electronics industry, and 6 internet/online businesses) participated in the survey. The findings offer useful direction and provide a basis for comparison and further analysis. Readers should consider multiple benchmarks (e.g., mean, median, etc.) for comparison and should draw their own conclusions regarding their individual company s SOX 404 program relative to their appropriate peer group to realize additional value from their respective compliance programs. Respondent industry by company size (defined by annual revenue) 100 83% 80 60 50% 44% 40 20 30% 20% 22% 33% 17% 0 Software & Services (n=10) Electronics (n=9) 0% Internet/Online Business (n=6) < $1 billion $1 billion $5 billion Over $5 billion May not equal 100% due to rounding A sharper focus on internal controls 3

Detailed findings Key controls Average number of key controls by industry All processes Includes IT general controls (ITGCs) and entity-level controls n Software & Services 23% 77% 253 9 Electronics 18% 82% 275 9 Internet/Online Business 19% 81% 161 6 0 100 200 300 Key Controls Identified as Automated Key Controls Identified as Manual Average number of key controls by company size All processes Includes ITGCs and entity-level controls Less than $1B 21% 79% 166 13 n $1B $5B Over $5B 17% 83% 21% 79% 244 6 417 5 0 100 200 300 400 500 Key Controls Identified as Automated Key Controls Identified as Manual

Key controls Average number of key controls All processes Includes ITGCs and entity-level controls Average Key Controls (n=24) 20% 80% 238 0 100 200 300 Key Controls Identified as Automated Key Controls Identified as Manual A sharper focus on internal controls 5

Detailed findings (continued) Financial controls Average number of financial process key controls by industry All financial processes Excludes ITGCs and entity-level controls n Software & Services 24% 76% 175 9 Electronics 21% 79% 183 9 Internet/Online Business 17% 83% 117 6 0 50 100 150 200 Key Controls Identified as Automated Key Controls Identified as Manual Average number of financial process key controls by company size All financial processes Excludes ITGCs and entity-level controls n Less than $1B 20% 80% 120 13 $1B $5B 21% 79% 167 6 Over $5B 24% 76% 271 5 0 50 100 150 200 250 300 Key Controls Identified as Automated Key Controls Identified as Manual

Financial controls Average number of financial process key controls All financial processes Excludes ITGCs and entity-level controls Average Financial Process Key Controls (n=24) 21% 79% 163 0 50 100 150 200 Key Controls Identified as Automated Key Controls Identified as Manual Average number of key controls among financial processes Order-to-Cash 32% 68% 53 n 24 Financial Close and Reporting 14% 86% 28 25 Inventory 20% 80% 14 13 Procure-to-Pay 43% 57% 14 24 Human Resources & Payroll 10% 90% 13 24 Tax 9% 91% 12 24 Treasury and Cash 11% 89% 11 23 Stock Administration and Equity Accounting 6% 94% 10 24 Fixed Assets 17%83% 6 23 Mergers & Acquisitions 1% 99% 6 13 Budgeting/ Planning/ Forecasting 100% 4 5 Other 20% 80% 16 10 0 5 10 15 20 25 30 35 40 45 50 55 Key Controls Identified as Automated Key Controls Identified as Manual A sharper focus on internal controls 7

Detailed findings (continued) IT general controls Average number of ITGCs by industry All ITGCs Software & Services 27% 73% 51 n 9 Electronics 15% 85% 71 9 Internet/Online Business 48% 52% 23 6 0 10 20 30 40 50 60 70 80 Key Controls Identified as Automated Key Controls Identified as Manual Average number of ITGCs by company size All ITGCs n Less than $1B 40% 60% 27 13 $1B $5B 10% 90% 54 6 Over $5B 20% 80% 112 5 0 30 60 90 120 Key Controls Identified as Automated Key Controls Identified as Manual

IT general controls Average number of ITGCs All ITGCs Average IT General Controls (n=24) 23% 77% 0 10 20 30 40 50 60 Key Controls Identified as Automated Key Controls Identified as Manual 51 Number of IT applications in scope for SOX 404 compliance 100 Mean Number of On-premise applications: 8.0 Number of SAAS systems : 5.6 Total number of IT applications in scope: 13.5 80 60 40 20 0 16% 8% 4% 72% 64% 44% 32% 20% 12% 8% 12% 8% 0% 0% 0% 0% 0% 0 1 10 11 20 21 30 31 40 41 50 >50 (n=25) Number of On-premise applications Number of SAAS systems Total number of IT applications in scope A sharper focus on internal controls 9

Detailed findings (continued) Entity-level controls Average number of entity-level controls by industry All entity-level controls n Software & Services 7% 93% 27 9 Electronics 2% 98% 24 8 Internet/Online Business 100% 21 6 0 5 10 15 20 25 30 Key Controls Identified as Automated Key Controls Identified as Manual Average number of entity-level controls by company size All entity-level controls n Less than $1B 8% 92% 21 12 $1B $5B 100% 23 6 Over $5B 1% 99% 34 5 0 5 10 15 20 25 30 35 Key Controls Identified as Automated Key Controls Identified as Manual

Entity-level controls Average number of entity-level controls All entity-level controls Average Entity-Level Controls (n=23) 4% 96% 24 0 5 10 15 20 25 30 Key Controls Identified as Automated Key Controls Identified as Manual A sharper focus on internal controls 11

Detailed findings (continued) SOC 1 5 Total number of SSAE 6 16 SOC 1 reports that are in scope 100 Mean: 8.3 80 60 40 20 0 28% 28% 24% 4% 8% 8% 0 1 2 3 4 5 7 8 10 >10 (n=25) Party responsible for reviewing SOC 1 reports or Business Process Owner/IT 56% Internal Audit/SOX 4% Combination of Both 40% 0 20 40 60 80 100 (n=25) 5 Service Organization Controls Report 6 Statement on Standards for Attestation Engagements

COSO 2013 Adoption of COSO 2013 100 96% 80 60 40 20 0 (n=25) Yes 4% No Level of COSO 2013 mapping Among those who have adopted COSO 2013 Points of Focus 79% Principles 21% 0 20 40 60 80 100 (n=24) A sharper focus on internal controls 13

Detailed findings (continued) Program information Incremental goals for internal controls program in the next year Increase the control awareness throughout the organization 76% Use it to drive operational effectiveness and/or efficiency 64% Significantly streamline and/or reduce cost of compliance (i.e., >25% reduction) Better integrate with a broader internal audit effort within the company Better integrate with a broader Enterprise Risk 24% program within the company 0 20 40 60 80 100 (n=25) 32% 44% Multiple responses allowed What does your company do with respect to non-financial controls (i.e., operational, etc.) within the company? Practice some degree of documentation and testing standards as for ICFR, but not to the same degree 40% Apply a similar level of documentation and testing rigor as is done for ICFR 12% The company does not have an organized effort around documenting and testing non-financial controls 48% 0 20 40 60 80 100 (n=25)

Key reports Average number of key reports used in the direct execution of the control by industry All processes Includes ITGCs and entity-level controls Software & Services 98 n 9 Electronics 100 9 Internet/Online Business 58 6 0 25 50 75 100 Average number of key reports used in the direct execution of the control by company size All processes Includes ITGCs and entity-level controls n Less than US$1B 57 13 $1B-US$5B Over US$5B 68 6 194 5 0 50 100 150 200 Average number of key reports used in the direct execution of the control All processes Includes ITGCs and entity-level controls Average Key Reports (n=24) 89 0 25 50 75 100 A sharper focus on internal controls 15

Detailed findings (continued) Key spreadsheets Average number of key spreadsheets by industry All processes Includes ITGCs and entity-level controls Software & Services 45 9 n Electronics Internet/Online Business 28 41% 35 9 6 0 10 20 30 40 50 Average number of key spreadsheets by company size All processes Includes ITGCs and entity-level controls Less than $1B 27 13 n $1B $5B 21 6 Over $5B 78 5 0 20 40 60 80 100 Average number of key spreadsheets All processes Includes ITGCs and entity-level controls Average Key Spreadsheets (n=24) 36 0 10 20 30 40 50

review controls Average number of management review controls among financial processes n Order to Cash 13 24 Financial Close and Reporting 11 25 Tax 7 24 Inventory 6 13 Mergers & Acquisitions Stock Administration and Equity Accounting Human Resources & Payroll Treasury and Cash 3 3 4 4 13 24 24 23 Budgeting/ Planning/ Forecasting Fixed Assets 2 2 5 23 Procure-to-Pay 2 24 Other 8 10 0 5 10 15 A sharper focus on internal controls 17

Detailed findings (continued) Recent IPO company findings KPMG separately broke out ICFR for companies that had undergone an initial public offering (IPO) during the last 36 months ( recent IPOs ). Recent IPO companies are somewhat unique in that they typically have less mature control environments that are still evolving. Like all public companies, however, recent IPOs also deal with emerging issues related to ICFR evaluation, SOX compliance efforts, evolving SEC and PCAOB standards, and external auditor requirements. In this survey, there are seven recent IPO companies. Six of the seven had annual revenues of less than $1 Billion and one between $1 Billion and $5 Billion. For the industry breakdown, there was one recent IPO company in software and services, two in electronics, and four in the internet/online business. In all cases (except for key spreadsheets), recent IPOs have either the same or fewer controls. Average number of key controls for companies with recent IPOs All processes Includes ITGCs and entity-level controls Companies with recent IPOs (n=7) 19% 81% 202 All companies (n=24) 20% 80% 238 0 100 200 300 Key Controls Identified as Automated Key Controls Identified as Manual Average number of financial process key controls for companies with recent IPOs All financial processes Excludes ITGCs and entity-level controls Companies with recent IPOs (n=7) 19% 81% 139 All companies (n=24) 21% 79% 163 0 50 100 150 200 Key Controls Identified as Automated Key Controls Identified as Manual Average number of ITGCs for companies with recent IPOs All ITGCs Companies with recent IPOs (n=7) 25% 75% 47 All companies (n=24) 23% 77% 51 0 10 20 30 40 50 60 Key Controls Identified as Automated Key Controls Identified as Manual

Recent IPO company findings Average number of entity-level controls for companies with recent IPOs All entity-level controls Companies with recent IPOs (n=6) 100% 18 All companies (n=23) 4% 96% 24 0 5 10 15 20 25 30 Key Controls Identified as Automated Key Controls Identified as Manual Average number of key reports used in the direct execution of the control for companies with recent IPOs All processes Includes ITGCs and entity-level controls Companies with recent IPOs (n=7) All companies (n=24) 84 89 0 25 50 75 100 Average number of key spreadsheets for companies with recent IPOs All processes Includes ITGCs and entity-level controls Companies with recent IPOs (n=7) 43 All companies (n=24) 36 0 10 20 30 40 50 A sharper focus on internal controls 19

Controls by business processes Financial processes Total key controls per process All Companies Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 14 2 2 1 8 4 1 2 2 1 2 4 Maximum 291 32 31 18 87 35 31 22 37 12 6 46 Mean 53 14 13 6 28 14 11 10 12 6 4 16 Quartile (25) 26 8 8 4 18 9 6 7 6 3 2 9 Quartile (50)/Median 37 13 11 5 21 12 9 9 9 6 4 10 Quartile (75) 58 19 18 9 27 19 15 11 17 8 4 19 Other Total key controls per process Software & Services Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 21 6 3 3 12 4 1 4 3 1 2 4 Maximum 90 32 24 18 87 20 19 14 37 12 4 46 Mean 54 15 12 7 35 10 11 9 13 6 3 17 Quartile (25) 31 9 8 4 20 5 8 6 5 3 3 7 Quartile (50)/Median 55 12 10 6 24 5 10 8 9 7 3 9 Quartile (75) 78 20 17 7 43 13 17 11 16 8 4 21 Other Total key controls per process Electronics Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 15 7 2 2 17 9 3 2 4 3 2 9 Maximum 291 24 31 11 54 35 31 22 23 10 6 31 Mean 61 14 15 7 26 17 12 11 12 6 4 17 Quartile (25) 27 10 6 5 21 9 7 6 7 5 3 11 Quartile (50)/Median 31 13 8 5 22 16 9 10 9 6 4 12 Quartile (75) 44 15 24 9 27 19 15 12 18 8 5 22 Other

Financial processes Total key controls per process Internet/Online Business Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 14 2 7 1 8 8 4 7 2 1 4 9 Maximum 62 26 17 9 30 8 15 12 23 10 4 11 Mean 38 12 12 6 18 8 7 10 10 5 4 10 Quartile (25) 20 3 10 3 15 8 4 9 6 3 4 10 Quartile (50)/Median 42 10 12 6 16 8 4 9 7 4 4 10 Quartile (75) 52 18 14 9 20 8 9 11 12 7 4 11 Other Total key controls per process Companies with recent IPOs Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 15 2 6 1 15 9 4 7 2 4 9 Maximum 74 26 24 18 25 35 17 20 18 8 11 Mean 44 16 14 7 19 22 8 11 10 6 10 Quartile (25) 33 13 9 4 16 16 4 9 7 5 10 Quartile (50)/Median 38 16 12 7 21 22 7 10 7 6 10 Quartile (75) 58 22 18 9 22 29 9 11 15 7 11 Other A sharper focus on internal controls 21

Controls by business processes (continued) Financial processes Automated key controls per process All Companies Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 3 0 0 0 0 0 0 0 0 0 0 0 Maximum 109 18 9 5 14 8 10 4 9 1 0 14 Mean 17 6 1 1 4 3 1 1 1 0 0 3 Quartile (25) 7 3 0 0 1 2 0 0 0 0 0 0 Quartile (50)/Median 13 5 1 1 3 2 0 0 0 0 0 2 Quartile (75) 20 8 2 1 5 4 1 1 1 0 0 5 Other Automated key controls per process Software & Services Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 4 2 0 0 0 1 0 0 0 0 0 0 Maximum 25 18 9 5 14 8 10 1 8 0 0 14 Mean 14 9 2 2 6 4 2 0 1 0 0 6 Quartile (25) 10 5 1 1 3 2 0 0 0 0 0 2 Quartile (50)/Median 13 6 2 1 5 2 1 0 0 0 0 5 Quartile (75) 20 12 2 2 9 5 2 1 1 0 0 7 Other Automated key controls per process Electronics Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 5 2 0 0 0 0 0 0 0 0 0 0 Maximum 109 13 2 2 6 7 5 4 9 1 0 3 Mean 22 5 1 1 3 3 1 1 2 0 0 1 Quartile (25) 5 3 0 0 2 2 0 0 0 0 0 0 Quartile (50)/Median 10 5 0 1 3 2 0 0 0 0 0 0 Quartile (75) 17 7 2 1 5 4 1 1 2 1 0 2 Other

Financial processes Automated key controls per process Internet/Online Business Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 3 0 0 0 0 1 0 0 0 0 0 0 Maximum 23 8 2 2 4 1 1 2 1 0 0 1 Mean 13 3 1 1 2 1 0 0 0 0 0 1 Quartile (25) 7 0 0 0 0 1 0 0 0 0 0 0 Quartile 14 1 1 1 2 1 0 0 0 0 0 1 (50)/Median Quartile (75) 20 5 1 1 3 1 1 0 0 0 0 1 Other Automated key controls per process Companies with recent IPOs Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 5 0 0 0 0 2 0 0 0 0 0 Maximum 21 13 2 5 5 2 1 3 1 0 1 Mean 14 5 1 1 3 2 0 1 0 0 1 Quartile (25) 11 2 0 1 2 2 0 0 0 0 0 Quartile (50)/Median 16 5 0 1 3 2 0 0 0 0 1 Quartile (75) 19 7 2 2 4 2 1 1 1 0 1 Other A sharper focus on internal controls 23

Controls by business processes (continued) Financial processes Manual key controls per process All Companies Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 10 2 2 0 6 3 1 2 0 1 2 2 Maximum 182 18 31 13 73 33 31 21 37 12 6 41 Mean 36 8 12 5 24 12 9 9 11 6 4 13 Quartile (25) 17 4 7 3 16 7 5 6 5 3 2 6 Quartile (50)/Median 25 7 9 4 19 9 8 8 7 6 4 9 Quartile (75) 38 10 15 8 25 14 13 11 16 8 4 12 Other Manual key controls per process Software & Services Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 11 3 2 2 6 3 1 3 3 1 2 2 Maximum 78 14 24 13 73 12 18 14 37 12 4 41 Mean 40 6 10 5 29 6 9 8 12 6 3 12 Quartile (25) 18 4 5 3 18 3 5 5 5 3 3 4 Quartile (50)/Median 35 5 8 4 23 3 8 8 7 7 3 5 Quartile (75) 53 8 15 6 35 8 9 11 15 8 4 7 Other Manual key controls per process Electronics Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 10 4 2 1 11 7 3 2 0 3 2 9 Maximum 182 16 31 10 51 33 31 21 21 9 6 28 Mean 39 9 14 6 23 14 12 10 10 6 4 16 Quartile (25) 20 6 6 4 17 8 7 6 4 5 3 11 Quartile (50)/Median 22 8 8 4 21 9 9 7 8 6 4 12 Quartile (75) 27 11 22 9 24 16 15 11 17 8 5 20 Other

Financial processes Manual key controls per process Internet/Online Business Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 10 2 7 0 8 7 4 7 2 1 4 9 Maximum 45 18 16 9 29 7 14 12 23 10 4 10 Mean 25 9 11 5 16 7 7 9 9 5 4 10 Quartile (25) 14 3 10 2 13 7 4 8 6 3 4 9 Quartile (50)/Median 25 7 11 5 15 7 4 9 7 4 4 10 Quartile (75) 31 16 12 8 17 7 8 11 11 7 4 10 Other Manual key controls per process Companies with recent IPOs Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 10 2 6 0 13 7 4 7 2 4 9 Maximum 53 18 24 13 24 33 17 20 18 8 10 Mean 29 11 13 6 17 20 7 10 10 6 10 Quartile (25) 22 9 9 3 15 14 4 7 7 5 9 Quartile (50)/Median 23 10 11 6 17 20 7 9 7 6 10 Quartile (75) 39 15 16 9 17 27 8 11 14 7 10 Other review controls per process All Companies Order-to- Cash Procure-to- Pay Human Resources & Payroll Fixed Assets Financial Close and Reporting Inventory Treasury and Cash Stock Administration and Equity Accounting Tax Mergers & Acquisitions Budgeting/ Planning/ Forecasting Minimum 0 0 0 0 0 0 0 0 0 0 1 0 Maximum 35 8 13 8 67 29 18 16 26 12 3 41 Mean 13 2 3 2 11 6 3 4 7 4 2 8 Quartile (25) 3 0 0 0 2 1 0 1 2 1 1 1 Quartile (50)/Median 7 0 1 2 8 2 2 3 4 3 2 3 Quartile (75) 23 3 4 3 14 7 4 4 8 5 2 7 n 24 24 24 23 25 13 23 24 24 13 5 10 Other A sharper focus on internal controls 25

Controls by business processes (continued) IT general controls Total key controls per process All Companies ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 1 1 2 1 Maximum 76 94 70 248 Mean 8 11 11 29 Quartile (25) 3 1 4 8 Quartile (50)/Median 4 4 8 12 Quartile (75) 6 5 11 22 Total key controls per process Software & Services ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 3 1 2 1 Maximum 9 12 70 134 Mean 5 5 15 29 Quartile (25) 4 3 4 11 Quartile (50)/Median 4 4 10 17 Quartile (75) 6 6 13 26 Total key controls per process Electronics ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 1 1 3 4 Maximum 76 94 25 248 Mean 13 18 9 37 Quartile (25) 3 1 4 6 Quartile (50)/Median 4 3 8 11 Quartile (75) 11 4 11 18 Total key controls per process Internet/Online Business ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 2 3 4 6 Maximum 6 6 8 25 Mean 4 5 6 13 Quartile (25) 4 4 5 7 Quartile (50)/Median 4 5 6 9 Quartile (75) 5 5 7 19 Total key controls per process Companies with recent IPOs ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 2 1 5 4 Maximum 6 6 70 134 Mean 4 3 16 30 Quartile (25) 3 1 6 6 Quartile (50)/Median 4 1 7 7 Quartile (75) 5 4 10 21

IT general controls Automated key controls per process All Companies ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 32 6 8 37 Mean 3 1 2 6 Quartile (25) 0 0 0 0 Quartile (50)/Median 1 0 1 2 Quartile (75) 4 0 4 9 Automated key controls per process Software & Services ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 7 1 8 20 Mean 3 0 3 8 Quartile (25) 1 0 0 4 Quartile (50)/Median 3 0 4 8 Quartile (75) 4 0 6 10 Automated key controls per process Electronics ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 32 4 4 37 Mean 4 1 1 5 Quartile (25) 0 0 0 0 Quartile (50)/Median 0 0 0 0 Quartile (75) 1 0 1 1 Automated key controls per process Internet/Online Business ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 5 6 7 25 Mean 3 3 3 6 Quartile (25) 1 2 0 0 Quartile (50)/Median 3 3 2 1 Quartile (75) 4 5 5 2 Automated key controls per process Companies with recent IPOs ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 4 6 7 25 Mean 1 2 3 8 Quartile (25) 1 0 1 0 Quartile (50)/Median 1 0 1 1 Quartile (75) 2 3 5 15 A sharper focus on internal controls 27

Controls by business processes (continued) IT general controls Manual key controls per process All Companies ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 44 90 69 211 Mean 5 10 8 23 Quartile (25) 0 1 3 4 Quartile (50)/Median 3 4 5 9 Quartile (75) 4 4 8 17 Manual key controls per process Software & Services ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 6 12 69 114 Mean 2 5 12 22 Quartile (25) 0 3 2 1 Quartile (50)/Median 2 4 6 13 Quartile (75) 3 6 9 16 Manual key controls per process Electronics ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 1 1 2 2 Maximum 44 90 25 211 Mean 9 17 8 32 Quartile (25) 3 1 4 4 Quartile (50)/Median 4 3 6 9 Quartile (75) 10 4 9 18 Manual key controls per process Internet/Online Business ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 6 3 8 19 Mean 2 2 3 8 Quartile (25) 0 1 1 6 Quartile (50)/Median 1 2 3 6 Quartile (75) 3 2 5 7 Manual key controls per process Companies with recent IPOs ITGC - Computer Operations ITGC - Program Development ITGC - Change ITGC - Systems Security Minimum 0 0 0 0 Maximum 6 1 69 114 Mean 3 1 13 23 Quartile (25) 1 1 3 4 Quartile (50)/Median 3 1 5 6 Quartile (75) 4 1 8 6

Entity-level controls Total key controls All Companies All Companies Software & Services Electronics Internet/Online Business Companies With Recent IPOs Minimum 10 15 10 14 10 Maximum 62 62 36 27 24 Mean 24 27 24 21 18 Quartile (25) 20 20 22 19 15 Quartile (50)/Median 22 23 24 20 19 Quartile (75) 26 24 26 25 21 Automated key controls All Companies All Companies Software & Services Electronics Internet/Online Business Companies With Recent IPOs Minimum 0 0 0 0 0 Maximum 18 18 2 0 0 Mean 1 2 0 0 0 Quartile (25) 0 0 0 0 0 Quartile (50)/Median 0 0 0 0 0 Quartile (75) 0 0 0 0 0 Manual key controls All Companies All Companies Software & Services Electronics Internet/Online Business Companies With Recent IPOs Minimum 0 0 10 14 10 Maximum 62 62 35 27 24 Mean 23 25 23 21 18 Quartile (25) 20 20 22 19 15 Quartile (50)/Median 22 23 23 20 19 Quartile (75) 26 24 26 25 21 A sharper focus on internal controls 29

Respondent demographics Respondent industry 100 80 60 40 40% 36% 24% 20 0 Software & Services Electronics Internet/Online Business (n=25) Respondent company size 100 80 60 56% 40 20 24% 20% 0 (n=25) < $1 billion $1 billion $5 billion Over $5 billion

Respondent company size by industry 100 80 60 40 36% 29% 36% 50% 33% 40% 60% 20 17% 0 < $1 billion (n=14) $1 billion $5 billion (n=6) Over $5 billion (n=5) 0% Software & Services Electronics Internet/Online Business May not equal 100% due to rounding Number of operating business entities 100 Mean: 17.4 80 60 40 20 0 (n=25) 0% 16% 1-25 entities: 72% 20% 28% 8% 24% 0 1 3 4 6 7 12 13 25 26 50 51 75 76 100 >100 0% 4% 0% A sharper focus on internal controls 31

Respondent demographics (continued) Number of shared service centers 100 Mean: 1.4 80 60 40 36% 48% 20 0 (n=25) 12% 0 1 2 3 5 >5 4% Number of business locations selected to be in scope for SOX 404 compliance 100 Mean: 4.1 80 60 40 20 0 (n=25) 44% 24% 16% 16% 0% 0% 0 1 2 3 4 5 7 8 10 >10

About the authors Tom Lamoureux Tom serves as KPMG s Risk Consulting leader for Technology, Media, and Telecommunications. In this role, he guides the delivery of KPMG Advisory services to some of the world s leading technology companies to help them create world-class risk and business management processes. These services include internal audit, SOX 404 projects, IT, and other risk management services. Tom has extensive experience delivering strategic IT consulting services and assisting clients in building effective distributed systems management solutions. He has developed and implemented leading risk assessment and audit planning methodologies, high-quality internal auditing services for domestic and international objectives, and self-assessment methodologies for internal audits. In addition, he spearheads the development of new risk management services in response to evolving client needs. In his industry leadership capacity, Tom has directed original research, white papers, and roundtable forums on emerging topics of vital interest to software and technology firms. Some examples include software license compliance, software asset management, and identity access management. Ron Lopes Ron is a partner in KPMG s Advisory practice and has more than 25 years of experience in the Silicon Valley. He has significant experience guiding the delivery of services to many leading multinational technology companies to help them create high-valueadded risk and business management processes. Ron has worked on a multitude of projects for clients, including internal audits, financial and operational control reviews, risk assessments, third-party compliance audits, process reviews, financial statement audits, process improvement engagements, and SOX 404 compliance efforts. He has developed and implemented high-impact risk assessment and audit planning methodologies, as well as self-assessment methodologies for internal audits. Ron has significant experience in revenue recognition, financial reporting, and benchmarking/leading practices. A significant portion of his career has involved assisting clients with the coordination and execution of large international projects and objectives. Paul Baysa Paul is a director in KPMG s Advisory practice with more than 10 years of experience in financial audit, internal audit, SOX assistance services, and other advisory services. He has a focus on the hightechnology sector and strong background in financial statement reporting and analysis, process evaluation, and risk and control environment evaluation. Contributors We acknowledge the contribution of the following individuals who assisted in the development of this publication: Hasan Dajani Associate Director, Primary Research, KPMG LLP Charles Garbowski Director, Primary Research, KPMG LLP Parth Jhaveri Director, Advisory, KPMG LLP Chad Poplawski Managing Director, Advisory, KPMG LLP Sara Ridgwell Senior Associate, Primary Research, KPMG LLP Robert Rosta Associate Director, Technology Marketing, KPMG LLP A sharper focus on internal controls 33

Contact us For additional information, please contact any of the following: Gary Matuszak Global and U.S. Chair, Technology, Media & Telecommunications T: 408-367-4757 gmatuszak@kpmg.com Richard Hanley U.S. National Advisory Leader, Technology, Media & Telecommunications T: 408-367-7600 rhanley@kpmg.com Ron Lopes Partner, Advisory T: 408-367-7615 rjlopes@kpmg.com Paul Baysa Director, Advisory T: 408-367-7680 pbaysa@kpmg.com Tom Lamoureux Risk Consulting Leader, Technology, Media & Telecommunications T: 206-913-4146 tlamoureux@kpmg.com About KPMG An experienced team. A global network. KPMG s Internal Audit, Risk, and Compliance professionals combine industry knowledge with technical experience to provide insights that help technology leaders take advantage of existing and emerging technology opportunities and proactively manage business challenges. KPMG s Advisory professionals combine technical, market and business skills that allow them to deliver objective advice and guidance that helps the firm s clients grow their businesses, improve their performance, and manage risk more effectively. Our professionals have extensive experience working with global technology companies ranging from FORTUNE 500 companies to pre-ipo start-ups. We go beyond today s challenges to anticipate the potential long- and short-term consequences of shifting business and technology. With a worldwide presence, KPMG continues to build on our member firms successes, thanks to our clear vision, maintained values, and our people in 155 countries. We have the knowledge and experience to navigate the global landscape. kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates. 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 573563

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback