Optimising financial processes

Trust in Risk Management in Focus as Material Weaknesses Increase


Two reports and a sharp analysis on Internal Controls over Financial Reporting (ICFR) and SOX caught my attention as many of us are approaching the festive audit season (“a perfect storm”, you might say)!

PwC offer a “call to action” on controls automation in their report “Enhancing trust and internal controls to reduce risk amid rising material weaknesses” which shares concerning trends:

  • The sharp increase in material weakness disclosures.
  • How personnel shortages, system changes, segregation of duties conflicts, financial close process, IT general controls, management review controls, and M&A integrations are core issues contributing to material weakness.
  • The need for technology and a digital mindset to help mitigate material weaknesses by automating control operations and testing, increasing precision and frequency and helping with early detection of weaknesses.

Meanwhile, the venerable Norman Marks, a valuable commentator on the risk management topic, posted an excellent blog summarising observations on the latest Protiviti SOX survey and report, which echo this cause for concern. The findings highlight the fact that many internal audit functions are more focussed on detailed control definition & testing than on assurance.

  • Internal audit functions report devoting nearly half of their time to SOX compliance.
    • 67% are involved in testing
    • 58% help with updating controls documentation (why, if it is a 3rd line of defence role?)
  • 74% rely on internal audit for controls testing.
  • It takes an average of 5.9 hours to test a control for operating effectiveness, and 5.1 hours to test its design.
  • On average, the external auditors rely on management (internal audit) testing for 29% of the controls in scope. However, only 15% of organizations achieve more than 50% reliance. 
  • In 2022, the average company had 52 entity-level controls in scope, and 718 controls were at the process level. 30% of those process level controls were ITGC controls.
  • Only 30% on average of the controls in scope are automated.
  • On average, 53 business applications are in SOX scope for large companies.
  • 41% are required to disclose cyber breaches.

With only 15% able to get 50% or more reliance on management testing from the external auditors, there is massive scope for increased cost efficiencies and risk management effectiveness. 

Plenty of food for thought here . . .

You can read Norman’s excellent analysis of the Protiviti report here . . .

You can read the source Protiviti report “The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber and ESG Mandates” by as well as the associated brief video here . . .  

You can read the PwC survey and report “Enhancing trust and internal controls to reduce risk amid rising material weaknesses” here . . .

Thanks for reading . . .