SOX compliance review

Sarbanes-Oxley (SOX) is a United States federal law, enacted on July 30, 2002, that mandated reforms to improve corporate accountability and financial disclosure and to combat corporate and accounting fraud. Among other things, SOX established the Public Company Accounting Oversight Board (PCAOB), increased the penalties for corporate fraud, imposed internal control requirements on management, and required independent auditors to attest to management's assessment of the adequacy of those internal controls.

Compliance with SOX is mandatory for companies that are publicly traded in the United States. Organizations struggle to balance three goals: controlling costs, managing SOX compliance with ease and confidence, and improving the quality of the business.

When a company decides to go public, whether through a traditional initial public offering (IPO) or through a merger with a special purpose acquisition company (SPAC), it must comply with the provisions of the SOX Act.

Company management is responsible for establishing and maintaining an adequate internal control structure and for evaluating it against a recognized set of criteria or framework. The most commonly used framework is the Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO defines five components of an effective system of internal control, as follows:

  • CONTROL ENVIRONMENT - "A set of standards, processes, and structures that provide the basis for the implementation of internal controls throughout the organization."
  • RISK ASSESSMENT - "Involves a dynamic and iterative process for identifying and analyzing risks to achieving goals."
  • CONTROL ACTIVITIES - "Actions established through policies and procedures that help ensure that management's directives to mitigate risks to achieving objectives are carried out."
  • INFORMATION AND COMMUNICATION - "Information is necessary for the entity to carry out its internal control responsibilities in support of the achievement of its goals." "Communication is a continuous, repetitive process of providing, sharing, and obtaining needed information."
  • MONITORING ACTIVITIES - "On-going evaluations, separate evaluations, or some combination of the two are used to determine whether each of the five components of internal control is present and functioning."


How can Deloitte help?

  • We help clients improve SOX compliance, limit risk, and lower overall compliance costs while keeping the focus on quality and reliability.
  • We conduct the compliance review as a gap analysis against the regulatory requirements. After the analysis, we prepare a report on compliance with the regulation's requirements, with recommendations for improvement and alignment.



Dejan Perić

Director, Risk Advisory

Dejan, a BA in business management, is a Director in Deloitte's Serbian Risk Advisory – IT Risk and Controls practice with more than 17 years of professional experience. He made his career by leading ...

Borko Mijic

Borko is a Manager in the Risk Advisory team in Serbia. He is responsible for advising clients on risk advisory matters, including IT regulatory and compliance audits, IT assessments, Business IT Support Sy...