Roadmap for External Reliance on Internal SOX Testing

Roadmap for External Reliance on Internal SOX Testing

The Sarbanes-Oxley Act (SOX) has been around for 20 years, but many companies still operate their financial reporting controls like they did when first implementing the program. As budgets tighten and companies focus on cost savings, increasing external reliance often becomes a high priority. To reach that goal, your company will likely need to make improvements to the SOX program before others can rely on your testing, including:

  1. Documentation requirements
  2. Automation
  3. Technology
  4. Leadership buy-in
  5. Independence and objectivity
  6. Negotiating changes. 

This article provides a roadmap for SOX teams seeking external reliance on internal testing, and the first step is an honest and complete assessment of your current SOX program that focuses on six key milestones outlined below.

Milestone 1: Documentation Requirements

Typically, a SOX team will maintain specific documentation for each process/application that is in scope for SOX. Many SOX teams focused on narratives, flowcharts, RCMs, and testing when they first implemented the program, but other documents will move the SOX process forward. Performing a risk assessment can help reduce testing on low-risk areas while allowing you to focus on the more complex, high-risk processes. Control Certification surveys will warn you that a set of controls may need revisions. Standard operating procedures are great for sharing knowledge with new team members and, eventually, with your external auditors. 

Milestone 2: Focus on Automation

The next milestone is to review your controls for the possibility of automation. Automated controls take less effort to operate and test since these are more consistent. One approach is to group your controls by type and decide if there are automation options for the entire group. For example, implementing an identity management system could automate all user access controls to ensure these are performed the same way and within a near real-time environment. 

Milestone 3: Implement SOX Technology

SOX management technology is a game-changer. If you try to manage your SOX program with Word, Excel, and email, you spend too much time on low-value tasks. SOX software ties everything together, maintains evidence of review, facilitates meaningful reporting, increases team efficiency, and increases cost savings. You can also use the technology to share information with third parties when they need to review your work.  

Milestone 4: Obtain Leadership Buy-in

The first three milestones are all about your SOX program and are all within your control. By maturing your SOX program, you will have a stronger SOX environment, more efficient operation and testing, and more effective controls. Now you have to start selling your vision. For most, this means presenting the idea of external reliance to the Audit Committee. Internal auditors do not perform all SOX testing. In other companies, the test work is done by a dedicated SOX team or even part of a risk and compliance group. Be prepared to explain the concept of external reliance and the steps you have taken to mature the program.  

The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates

Milestone 5: Ensure Independence and Objectivity

As just mentioned, not all SOX testing is performed by internal auditors. Internal Audit as a department is designed as an independent function, so if another team does your testing, you may need to take steps to ensure the team is completing the testing objectively and is free from undue influence from the people they are testing. Keep in mind this could mean the group needs to go through a reorganization to ensure this.   

Milestone 6: Negotiate Changes With the External Auditors

Finally, you will need to present your program and expectations for reliance to your external auditors. Usually, this involves the head of your SOX team (e.g., Chief Audit Executive or Chief Compliance Officer, etc.) working with the audit engagement partner over your account. They may first agree to rely on a small percentage of low-risk controls to get them comfortable with the work you produce. As their confidence in your ability to reach the same conclusions as their auditors increases, so will their ability to rely on your work. Generally, they will also share their internal testing template with you at this point so that your end product looks just like the testing they create. The key to increasing the scope of their reliance is having a solid documentation package ready for them for every control. Then the negotiations will become part of your annual planning discussions.

Cost Reduction Is Just Part of the Goal

Many auditors start on the path toward external reliance to reduce the fees from external audit. In reality, improving and maturing the SOX program along the way has more benefits than cost savings. A mature SOX program runs more efficiently, requiring less effort from control owners with reduced audit fatigue for all those involved in your SOX program. Often, the improvements lead to stronger controls with fewer issues, and the SOX controls act as a model for non-SOX processes. With so many companies focusing on expense reduction and cost savings, now is the perfect time to evaluate your SOX program and commit to creating a more effective and efficient control environment that can lead to external reliance.


Jamie Weisberger is a Manager of Implementation at AuditBoard. Jamie joined AuditBoard from KPMG, where she provided external audit services over SOX compliance and SOC reporting across the Technology and Financial industries. Connect with Jamie on LinkedIn.


Husein Nurbhai is a Manager of Implementation at AuditBoard with over 10 years of audit and accounting experience. Prior to joining AuditBoard, Husein started his audit career in the public accounting space at PwC focused on financial audits, and continued his audit journey performing internal audits for a media and entertainment company. Connect with Husein on LinkedIn.