Sarbanes-Oxley (SOX) compliance cannot be implemented by one function alone. To build out a fully functional SOX program, you need to consider perspectives from other department leaders, including Finance, Accounting, Legal, and IT. As the Director of Internal Audit and Enterprise Risk Management at Procore, I implemented a SOX program from conception through an IPO, and am now planning the first year of compliance. One of the most essential steps when starting a SOX program is to set up an effective SOX Steering Committee. I collected key steps, best practices, and a sample presentation deck to help you start your committee on the right track.
What Is a SOX Steering Committee?
The SOX Steering Committee (“Committee”) typically includes the highest-level leaders who are responsible for Internal Controls over Financial Reporting (ICFR). This includes the heads of the departments responsible for financial statement line items above your materiality threshold, and the heads of the functions that own the systems used to operate those controls. At a minimum, the Committee should include your CIO, CFO, Controller, and Legal (even if they do not own controls).
Benefits of the SOX Steering Committee:
- Ensures your internal audit team is included in conversations early enough to address controls before a process/system goes live.
- Reviews key entity-level controls.
- Adds authority to the recommendations that will inevitably come along with SOX testing.
- Can make decisions on ownership of controls where there is misalignment.
Let’s Get to the Five Steps
Based on my experience, here are five steps to implement a successful SOX Steering Committee.
1. Develop Your Entity Level Controls
We started with seven entity-level controls (ELCs) for the Committee to review.
- Internal Controls over Financial Reporting (ICFR/SOX) assessment
- SOX risk assessment and scoping
- IT SOX risk assessment and scoping
- Fraud Risk Assessment
- SOX deficiency assessment and tracking
- Assessment of key system reports
- Quarterly certifications
2. Select Your Attendees and Meeting Frequency/Length
At a minimum, the Committee should include the CFO, Controller, CIO (or the leader responsible for in-scope SOX systems), CLO (or another legal leader responsible for securities law compliance), and someone to take notes and document action items. Optional attendees can join when specific topics are discussed (e.g., People, Revenue, Product). The full executive Committee should meet quarterly, with an upstream monthly committee at the manager/director level to ensure there are no surprises on new issues or SOX scoping changes. Keep the meetings to 30 minutes and ensure everyone has the pre-reading one week in advance. Since the SOX cycle runs quarterly, each meeting can focus on the phase in progress, such as walkthroughs, testing, roll-forward, or remediation.
3. Set Clear Expectations
Agree on expectations for the SOX Steering Committee before the first meeting. Hold 1:1 conversations with each attendee via Slack, email, or a face-to-face meeting, depending on your relationship with each stakeholder. The key requirement is to “tick the box” for ELCs that may not have been formalized with documentation in the past.
4. Hold the First Meeting
Before the first meeting, create and distribute the slide deck (see the sample deck below) so the attendees come prepared. Also invite someone to the meeting to help you capture minutes and action items. As you lead the conversation, use the slide deck to reinforce the main points. A good format includes the meeting agenda with the ELCs listed for discussion and a status update for each ELC.
5. Implement Actions
After the meeting, send out the minutes and log the action items. My team uses SOXHUB as our SOX management solution. We created an “Action Items” category as an issue type to ensure critical actions from the SOX Steering Committee or the Audit Committee are tracked appropriately. The action items from this meeting are likely to have a larger impact across the organization, so they should be treated as a high priority.
Whether you are starting a SOX compliance program from the ground up or working in an established department, SOX work can be daunting. SOX control owners need to take on more work and maintain additional documentation, and they may not understand the value. By going into the conversation with confidence and knowing you have the support of your Audit Committee and your SOX Steering Committee, you can sell the value of a strong control environment and inspire the team to embrace their part of SOX compliance.
Maggie O’Keeffe, CIA, MBA, is the Director, Internal Audit and Enterprise Risk Management at Procore; previously with PwC US, PwC Australia, and Boeing. She is a SOX enthusiast and is always up for benchmarking, especially with other leaders of IA in SaaS. Connect with Maggie on LinkedIn.