Manufacturing leaders shared their views on SOX compliance and deficiencies in a poll conducted on February 23 – March 15. While the majority reported their external auditor relied on SOX testing performed by Internal Audit, for most, the reliance on testing is below 50%.
Key Findings include:
- Internal Audit does testing of key controls and operation effectiveness of 404 key controls for most companies.
- Less than half integrate SOX compliance with other applications, with one-third currently using an in-house customized application for testing.
- Most companies experienced repeat SOX control deficiencies in FY20, but larger manufacturers seem to be better than their counterparts at avoiding repeat deficiencies.
- Two-thirds of deficiencies are a result of control execution and not control design.
- Compliance deficiencies most often take the form of a lack of evidence of review or approval rather than compliance or access violations.
- Control deficiencies occur far more often in the IT function as compared to other functional areas.