Using a SOX compliance checklist during an audit can help companies mitigate security issues, prevent fraud and streamline the preparation process. Download a copy to begin your SOX readiness efforts today.
What Is Sarbanes-Oxley?
The Sarbanes-Oxley (SOX) Act of 2002 is a federal law administered by the Securities and Exchange Commission (SEC) that requires public companies to meet certain criteria and standards regarding internal controls over financial reporting (ICFR). ICFR is a critical component of a company’s overall system of internal controls, and it is designed to prevent, detect and correct errors or fraud that could impact the company’s financial reporting.
Who Has To Comply With SOX Regulations?
SOX applies to all publicly traded companies and their subsidiaries, and it provides crucial oversight and additional lines of defense to corporations. It allows internal weaknesses to be identified and corrected before the involvement of external auditors, regulators or other stakeholders, such as lenders or equity investors.
While SOX regulations do not apply directly to non-profits and governmental entities, they are based on the Committee of Sponsoring Organizations (COSO) framework, which provides guidelines to evaluate interconnected areas of internal controls, risk management, governance and fraud. Given that COSO is the most widely accepted internal control framework in the United States, most organizations, whether public or private, would benefit from incorporating SOX principles to minimize their exposure to financial, operational or fraud risks and to optimize the quality of their financial reporting.
How To Prepare for a SOX Compliance Audit
A SOX audit is more than a quick, high-level assessment of your ICFR. It is a thorough and complex process that analyzes multiple facets of the business. Thankfully, reviewing SOX requirements and using a checklist can help streamline your approach.
Review SOX Section 404 Requirements
There are two main types of SOX compliance, 404(a) and 404(b). The requirements for each one will help shape what you should do to prepare for an audit:
- SOX 404(a): This type requires management to report on the effectiveness of internal controls over financial reporting. This SEC requirement applies to every public company listed on a stock exchange in the United States and requires the establishment of a system of internal controls. This often entails performing risk assessments, designing controls, testing their effectiveness and issuing management’s attestation regarding the effectiveness of internal controls.
- SOX 404(b): This type requires an external auditor’s attestation regarding the effectiveness of internal controls over financial reporting, in addition to management’s attestation. This applies more to larger or accelerated public companies.
Depending on the type of 404 compliance, you’ll need to complete different tasks in your checklist to ensure you’re meeting the guidelines.
Use a Sarbanes-Oxley Compliance Checklist
Organizations can refer to the following SOX checklist to prepare for a smooth section 404 compliance audit:
| Checklist Item | SOX Readiness | SOX 404(a) | SOX 404(b) |
|---|---|---|---|
| Establish Entity Level Controls & Internal Audit Governance | Recommended | X | X |
| Document Enterprise Risk Management Strategy, Including Audit Plan & Internal Audit Charter | Recommended | X | X |
| Document IT Tech Map & Disaster Recovery Plans | Recommended | X | X |
| Perform Risk Assessments of Business Units & Information Technology | X | X | X |
| Establish IT General Controls, Automated Controls & Interface Controls | X | X | X |
| Document Key Control Matrix & Rationale for Non-Key Controls | X | X | X |
| Implement Key Control Monitoring & Gap Reporting to Leadership | X | X | X |
| Establish Segregation of Duties for Manual & High Fraud Risk Controls | Recommended | X | X |
| Establish Systemic Segregation of Duties & Related User Access Controls | Recommended | X | X |
| Establish Sarbanes-Oxley Training & Competency Assessments | Recommended | X | X |
| Document COSO Mapping | Lower Priority | X | X |
| Incorporate Testing of SOC Reports for Key SaaS Providers | Lower Priority | X | X |
| Collect Audit Evidence in Accordance with IIA Standards to Support External Auditor Reliance & Reduce Costs | Lower Priority | Recommended | X |
| Perform Entity-Wide Risk Assessments | Lower Priority | Recommended | X |
| Maintain a Key Report Listing & Perform Integrated IUC/IPE Validation | Lower Priority | Recommended | X |
| Monitor Key Interface Controls, Key Systems & Applications (Cloud-Hosted SaaS Solutions and All Supporting Infrastructure Components) | Lower Priority | Recommended | X |
| Establish Key Controls Around Vendor Management, Vendor Maintenance & Contract Compliance | Lower Priority | Recommended | X |
| Perform Periodic Penetration Testing To Mitigate Cybersecurity Risks | Recommended | Recommended | Recommended |
| Perform Data Privacy & Data Security Specialized Audits | Recommended | Recommended | Recommended |
| Consider Emerging Risks to Business & Industry | Recommended | Recommended | Recommended |
| Form a Disclosure Committee That Meets Regularly To Assess Emerging Risks, Regulatory Changes & Required SEC Disclosures | Recommended | Recommended | Recommended |
| Design & Implement Preventive Controls To Reduce Fraud Risks | Recommended | Recommended | Recommended |
| External Auditor Coordination | Not Applicable | Recommended | Recommended |
| Establish Quarterly Board &/or Audit Committee Reporting | Not Applicable | Recommended | Recommended |
| Prepare Year-End Evaluation & Summary of Aggregated Deficiencies | Not Applicable | X | X |
Why Is a SOX Compliance Checklist Important?
Using a checklist to help you maintain SOX compliance provides benefits beyond meeting regulatory guidelines. As mentioned above, SOX guidelines are meant to standardize internal controls for financial reporting. A checklist helps ensure your audits cover all the necessary areas consistently. Having a well-defined checklist can also help:
- Reduce the Risk of Fraud: Completing frequent SOX audits allows companies to find gaps in their security controls and prevent fraud. Protect your sensitive data by performing a risk assessment during your routine audit.
- Increase Confidence in Financial Statements: Investors and stakeholders can feel more confident when a company routinely ensures their financial reporting meets SOX requirements. Make sure your financial records are accurate by assessing data hygiene.
- Identify Potential Problems Earlier: Audits can also improve a company’s proactive response to possible business disruptions by requiring auditors to review emerging risks.
- Improve Organizational Governance and Company Culture: Meeting SOX requirements helps a company create a culture of accountability and transparency while ensuring security incidents are caught and corrected quickly.
Let Us Guide You Forward
Our SOX Risk Advisors can help you design a comprehensive plan and implement strategies around SOX 404 compliance to protect value, power performance, and build financial and operational resilience. For more information on establishing or enhancing your organization’s SOX program, contact Cherry Bekaert’s Risk & Accounting Advisory Services practice or your Cherry Bekaert advisor.