Choosing a SOX program for your organization

Your guide to SOX compliance and implementation

A recent wave of IPOs and SPAC transactions has left many new public companies in need of assistance with achieving SOX compliance. Your SOX operating model lies at the core of your SOX program. And with competition rising for finite resources, it’s important that the model you choose will help you execute SOX implementation efficiently and effectively.

Why choosing a SOX program is important

Two decades on, the Sarbanes-Oxley Act (SOX) of 2002 has become a longstanding fixture in public companies’ compliance landscape. Achieving SOX compliance nonetheless remains a time- and attention-consuming process for most organizations. Increasingly complex regulatory requirements accelerated digital transformation, and evolving market, workforce, and workplace dynamics have made stable SOX processes a moving target. Companies’ control environments and processes are evolving as they strive to adapt their business models and technology usage to address their challenges and meet changing conditions.

Your organization’s SOX operating model is the core of your SOX program. Accordingly, your choice of operating model has a massive impact on your ability to plan and execute an efficient, effective, high-quality SOX program.

Find an appropriate SOX operating model for your organization

Your practical guide for choosing a SOX operating model for your organization

What steps should you take when choosing your operating model? And how can you validate whether your selected operating model continues to be the appropriate fit for your organization as it matures? Our practical guide to choosing a SOX operating model helps you understand the differences, pros and cons, and considerations of each, helping you make appropriate choices for your organization both now and in the future.

Starting your SOX compliance journey

Choosing a SOX program operating model for your business is not a decision you’ll make only once. Businesses mature, circumstances change, and needs ebb and flow. That’s why, over time, most businesses will employ a range of SOX operating models.

For example, a company might begin with a cosourced model with heavy external involvement. Then, they might move toward using external resources to assist with more highly specialized areas. At the same time, in less complex areas, their internal audit team might lead efforts, using external resources only to supply needed bandwidth (staff augmentation). Later, they might move toward a primarily internal program, which better suits their needs at that time.

Whatever your balance of these variables—and whatever SOX operating model you choose—the most critical consideration is that you have the appropriate resources in place, and that those resources have the appropriate skill sets to help you develop and maintain a robust system of internal controls. By making thoughtful choices about your SOX operating model and committing to evolving it over time, you unlock the potential to:

  • Improve the productivity, efficiency, quality, and cost-effectiveness of your SOX work.
  • More effectively manage risk across the organization.
  • Elevate the role and value of the internal audit function.

SOX compliance is a journey. Download the full SOX readiness guide to ensure that your organization is on a path that will get you where you want to go.

Get in touch


Lindsay Rosenfeld
Audit & Assurance
Deloitte & Touche LLP


Patricia Salkin
Managing Director,
Risk and Financial Advisory
Deloitte & Touche LLP


Theresa Koursaris
Senior Manager,
Audit & Assurance
Deloitte & Touche LLP


Sandra Teixeira
Managing Director,
Risk and Financial Advisory
Deloitte & Touche LLP

Contact us

  Yes         No

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.