Preparing to Choose Your SOX Operating Model: Three Key Steps

Preparing to Choose Your SOX Operating Model: Three Key Steps

Your organization’s SOX operating model is the core of your SOX program. Accordingly, your choice of operating model has a massive impact on your ability to plan and execute an efficient, effective, high-quality SOX program. What steps should you take when choosing your operating model? And how can you validate whether your selected operating model continues to be the appropriate fit for your organization as it matures? 

AuditBoard and Deloitte’s new guide, The Road to SOX Readiness: A Practical Guide to Choosing an Operating Model for Your Organization, explores these important questions. Download the full guide here, and read on below for three preparatory steps to take before selecting the right SOX operating model for your organization.

1. Revisit the Big Picture

Before exploring the pros, cons, and considerations of the different operating models, revisit the big-picture objectives that any SOX program should be designed to achieve. Your SOX program should encompass not only ongoing controls testing, but also defining, setting up, and regularly refreshing and maintaining controls. The operating model you choose should be designed to support all of these activities for your organization. For more guidance:

  • Deloitte’s A Practical Approach to SOX Readiness offers a pragmatic look at the people, process, and technology aspects of the road to SOX compliance, including pitfalls to avoid.
  • AuditBoard’s The SOX Management Playbook outlines a risk-first approach to SOX compliance, offering tips and best practices throughout the life cycle.

2. Understand the Four SOX Operating Models

Your SOX operating model will likely need to evolve over time to meet the changing needs, risks, and goals of your business. The model you choose when first setting up your SOX program may not be the appropriate fit further on in your compliance life cycle. The following are the four main SOX operating models. 

  1. Fully Internal SOX Operating Model: Your internal team oversees and executes all SOX activities 100% in-house including readiness, maintenance, and testing.
  2. Co-sourcing SOX Operating Model: Efforts are shared between internal and external resources. This highly flexible model can take whatever form works best for your business.
  3. Staff Augmentation SOX Operating Model: IYour internal team owns all planning and oversight, but external resources help to execute.
  4. Outsourced SOX Operating Model: An external team oversees and executes all efforts. Again, fully outsourced SOX models are rare, primarily due to the lack of internal SOX compliance process ownership, visibility, and control.

SOX Operating Models

3. Familiarize Yourself With SOX-Enabling Technologies

Technology can provide significant benefits to an organization’s SOX program. The question isn’t whether to integrate technology in your operating model — rather, it’s which technologies to choose, when, and in what areas. A growing number of teams are opting for cloud-based audit management technology. The size of the opportunity for process improvement is huge, and a number of SOX processes can be automated with audit management software.

Example SOX Enabling Technologies

Key opportunities include integrating an Audit Management System (AMS) into your audit function and adopting technologies that link together your various IT systems, services, and software so that they are able to work together. Additional enabling technologies are:

  • Collaboration and business tools
  • Connected risk platforms
  • Source systems
  • Issue management tools
  • Audit project management platforms 
  • Analytics, RPA, and continuous monitoring tools 

Once you have prepared, it is time to dig deep and explore which SOX model is appropriate for your business. To learn the best SOX readiness questions to ask your business when vetting the right SOX program model and enabling technologies, download the full guide The Road to SOX Readiness: A Practical Guide to Choosing an Operating Model for Your Organization


Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.


Kim Pham, CIA, is a Market Advisor, SOX & Compliance at AuditBoard, with 10 years of experience in external and internal audit. She started her career in at Deloitte & Touche LLP., and continued to grow her experience in internal audit focusing on SOX compliance and operational audits at Quiksilver, the California State University Chancellor’s Office, and CKE Restaurants.