10 Step SOX Compliance Checklist — and 5 Tips to Refocus

When it comes to SOX, it can be hard to see the forest for the trees. There are real-time changes in internal controls to manage; preparation for the SOX compliance audit by an external auditor; open to risks to mitigate; other types of disclosures to manage; and far-reaching security incidents to worry about — today’s audit and risk professionals have a lot on their plates. With SOX, or the Sarbanes-Oxley Act in particular, it’s important to get back to the core of the regulation and why it was passed in the first place: to combat financial reporting misstatements and fraud, and to hold senior management accountable when they perpetrate and perpetuate fraud.

With other priorities on the brain, like ESG reporting and SOC compliance, it can be tempting to roll forward last year’s SOX game plan without any further review or a close look at the organization’s internal control structure. For a gut check to make sure your program is meeting SOX compliance requirements and aligned with the goals of your organization, follow our 10 steps to assess your SOX program and 5 steps to get your program back on track.

How Do You Assess the Effectiveness of a SOX Program?

The assessment of your SOX program can start with one simple question: “Can my SOX team answer: ‘What’s the point of SOX?'” You may be surprised by your team’s answers, which can be a clear sign it is time to revamp your SOX program. At its core, the SOX Act is a requirement for public companies to maintain internal controls that mitigate risks of material misstatement related to the organization’s financial statements. Senior Management is responsible for monitoring the control environment and producing accurate financial reporting. All of this means maintaining accurate financial data, protecting sensitive data, establishing access controls, maintaining security controls, and undergoing an annual audit by independent auditors.

Assessing the effectiveness of an organization’s SOX program involves looking at the company’s macro environment, its past SOX audits and reporting, and meeting with key stakeholders and senior management to understand how they view SOX compliance and non-compliance. Since the Sarbanes-Oxley Act explicitly requires the CEO and CFO of each publicly traded company to be accountable for the company’s financial records, these are two key leaders who must be on board with the organization’s SOX approach and ultimately sign off on management’s assessment of internal controls. Criminal penalties can follow for senior officers who knowingly flaunt the Sarbanes-Oxley Act.

Some indicators that your organization may need to revamp or revisit its SOX program are:

• Organizational Growth: Organizational growth increases the complexity of maintaining SOX compliance, especially if proper change management controls are not in place.
• Increased Prevalence of Automation: As more companies employ technological and automated solutions for enforcing and even executing internal controls, SOX teams may need to look at their methods of testing these controls and devise new testing strategies.
• Changes in Senior Management and Leadership: The tone at the top has a significant role in an organization’s attitudes towards financial disclosures and compliance; major changes to leadership may mean a shift in SOX strategy.
• Major Systems Implementation or Migration: Organizations that are implementing or migrating to new systems that are key to SOX financial information or contribute to financial reporting may need additional cybersecurity controls to protect the system from security breaches, data loss, and tampering.
• Mergers and Acquisitions: M&A activities can add new SOX-relevant systems to your program overnight. Some mergers or acquisitions occur with private companies that do not have SOX-compliant IT security or business processes, requiring the implementation of SOX controls.

Regardless of how long your SOX program has been in place, taking a holistic view of your SOX compliance effort allows your organization to realign and tackle any gaps. The checklist below will help guide you through many aspects of what to review during your SOX assessment and covers the ten most common SOX areas that lose focus over time.

What Are the SOX Compliance Requirements?

There are two key provisions that outline the responsibilities of publicly traded companies and their CEO and CFO in the Sarbanes-Oxley Act. Section 302 calls for Corporate Responsibility for Financial Reports, which means that CEOs and CFOs are accountable for the accuracy of their company’s financial reports, and must sign off on annual reports. Section 404 calls for oversight of Management’s Assessment of Internal Controls, which requires companies to include an “Internal Control” report in their financial statements and that companies undergo a third-party audit over their assertions.

Companies can base their internal controls frameworks on existing frameworks, such as COSO’s Internal Control-Integrated Framework (ICIF) or COBIT for an IT-specific approach.

SOX also has other clauses that hold senior management accountable for corporate fraud, and prevent retaliation against whistleblowers.

In addition to the requirements for publicly-traded companies, SOX directly created the Public Company Accounting Oversight Board or the “PCAOB,” which as some external auditors say, “audits the auditors.” The PCAOB regularly reviews companies’ financial disclosures and audit reports issued by accounting firms for quality, integrity, and compliance with PCAOB standards. PCAOB reviews, speaking from personal experience, are rigorous and thorough, and the PCAOB is overseen by the Securities and Exchange Commission (SEC).

While only publicly traded companies are required to comply with SOX, companies that are pursuing their Initial Public Offering or IPO may benefit from demonstrating a level of compliance with SOX ahead of time.

What Are the 10 Steps in the SOX Compliance Checklist?

A strong internal controls environment leads to a quality SOX program, but has many other benefits including improved data security, controlled business processes, and clear policies and procedures for control execution. These ten steps to gut-check your SOX program may not be exhaustive, but they will give you a good handle on your SOX compliance posture and what you need to do to optimize your SOX program.

1. Review key documentation for accuracy.

This might seem like a no-brainer going into any audit or reviewing any compliance program, but it’s important to review your key documentation and evidence for accuracy, completeness, and timeliness. Since SOX audits only cover the last fiscal year, reviews, updates, and approvals need to be timely.

Some documents to pay special attention to include:

• Organization charts
• Risk and Control Matrices
• Scoping and application inventories, along with the description of each asset’s impact on financial reporting
• Process walkthroughs and narratives
• Policy documentation
• Risk Assessment(s)
• Financial records and reports

In addition to reviewing key documents, take this opportunity to organize them as well, especially if you know they will be requested by external auditors.

2. Challenge your SOX risk assessment for accurate financial materiality and other SOX scoping considerations.

Businesses, business lines, and business practices change — and change quickly. A unit of the business or service line might have been material in previous years, but a change in vendors or a change in strategy could affect that. Challenging existing risk assessments and materiality evaluations could make a significant impact on your SOX testing program, and even streamline the testing that needs to be completed.

3. Review your SOX scoping risk assessment by business unit to ensure the correct processes are scoped in for SOX.

Each business unit may have one or more controls or processes scoped in for SOX. These processes need to be included in the SOX scope and validated to make sure they haven’t changed recently. Changes to processes that aren’t approved can result in findings during an audit. Maintaining a good relationship with business stakeholders can play a big part in making SOX compliance go smoothly.

4. Determine the scope of coordinated testing efforts with other lines of defense.

Testing SOX controls that are performed by business units will always require some level of coordination and teamwork. By working with process and control owners on the business side, organizations can define the depth and breadth of SOX testing that will be required to align expectations. At this stage, it may also be helpful to understand external auditors’ expectations on what they will rely on internal audit testing for.

5. Conduct interviews with key personnel about SOX.

Sometimes a conversation can reveal process and control changes in a way that testing or risk assessments may not. Directly interviewing process and control owners about the SOX controls under their purview may give an organization deeper insights into the process, unveil gaps, or reveal opportunities to improve the process. Plus, building relationships across the organization is always helpful.

Consider asking questions about user permissions and any problems stakeholders may have run into during each process.

6. Conduct a controls rationalization analysis to identify common, missing, and/or redundant controls.

As SOX teams and programs grow in complexity, the number of controls in an organization tends to balloon. Many times this increase in controls is necessary, but sometimes there are control redundancies that arise. Conducting a controls rationalization analysis or review involves reviewing existing controls for any gaps, redundancies, or commonalities between controls. Gaps can then be remediated, redundancies eliminated, and commonalities used to streamline testing around common processes.

7. Look for automation opportunities within the business to leverage as SOX controls.

Automation can be the secret sauce of a high-quality, optimized compliance program, whether it’s SOX-centric or otherwise. Automating control execution takes away any manual need to trigger or execute a control and removes much of the user risk associated with conducting controls. Automation also usually results in better productivity for teams, since an information system is less likely to cause an error than a user. When automating controls, companies should keep data protection and data security top of mind.

8. Look for automation opportunities within your SOX testing program, including implementing technology solutions to create an efficient and effective program.

As with business process automation, teams can gain considerable efficiencies by using technology to automate or supplement SOX testing. Using the right technology and seeking opportunities for automation can save teams time and money when performing testing.

9. Identify the strongest controls in each process and challenge the mix of preventative, detective, and automated controls.

With the risk landscape changing the way that it is, from cybersecurity to geopolitical threats, it’s a good practice to closely examine the controls in place at your organization and ask if they will truly mitigate the desired risk as expected, or if there are additional tweaks that need to be made. Your organization may also want to consider revisiting the risk score of each identified risk — data breaches are now so costly that they may invite a higher risk score, for example. Remember that this exercise is not designed to throw a wrench into the works, but rather to improve the organization’s overall risk posture and protect it from potential exposure.

10. Challenge “key” control designation to streamline SOX testing.

Formerly “key” controls can be made redundant or become “non-key” controls. Re-evaluating key controls periodically can streamline SOX testing by eliminating redundant controls from testing, or providing insight into more efficient ways to test said controls.

How Do You Remedy An Inadequate SOX Program?

After you have reviewed the ten items listed above, it is time to develop an action plan. Like an audit,  you have identified issues, and you need to address these with remediation plans. We can complete our remediation plan in 5 steps:

1. Develop a summary report of observations, recommendations, and remediation plans. 
2. Rank your observations, recommendations, and remediation plans to identify what needs immediate attention versus items that can wait.
3. Create a realistic timeline for implementing corrective actions.
4. Share the SOX program review results, action plans, and timeline with control owners and key SOX stakeholders.
5. Monitor progress made to address the issues and update action plans accordingly if necessary.

Consider your timing when you go about this exercise. Ideally, the revised SOX program should kick off at the start of a new fiscal year. If you manage hundreds of controls, the review may take several months to complete. If you feel the program needs recalibration, start the review as soon as possible. Employing the right technology solutions and tools can make SOX readiness and SOX compliance a much smoother journey, allowing you to collaborate more effectively with stakeholders, stay updated on remediation efforts, and coordinate testing.

Frequently Asked Questions About SOX Compliance

What are the SOX compliance requirements?

SOX requires publicly-traded companies to have their CEO and CFOs sign off on their financial statements and internal controls reporting, and undergo an external audit by an accounting firm.

What Are the 10 steps in the SOX compliance checklist?

The ten steps outlined in the SOX compliance checklist are:

• Review key documentation for accuracy.
• Challenge your SOX risk assessment for accurate financial materiality and other SOX scoping considerations.
• Review your SOX scoping risk assessment by business unit to ensure the correct processes are scoped-in for SOX.
• Determine the scope of coordinated testing efforts with other lines of defense.
• Conduct interviews with key personnel about SOX.
• Conduct a controls rationalization analysis to identify common, missing, and/or redundant controls.
• Look for automation opportunities within the business to leverage as SOX controls.
• Look for automation opportunities within your SOX testing program, including implementing technology solutions to create an efficient and effective program.
• Identify the strongest controls in each process and challenge the mix of preventative, detective, and automated controls.
• Challenge “key” control designation to streamline SOX testing.

How do you remedy an inadequate SOX program?

To remedy an inadequate SOX program,

• Develop a summary report of observations, recommendations, and remediation plans.
• Rank your observations, recommendations, and remediation plans to identify what needs immediate attention versus items that can wait.
• Create a realistic timeline for implementing corrective actions.
• Share the SOX program review results, action plans, and timeline with control owners and key SOX stakeholders.
• Monitor progress made to address the issues and update action plans accordingly if necessary.