Choosing a SOX program for your organization

Why choosing a SOX program is important

Two decades on, the Sarbanes-Oxley Act (SOX) of 2002 has become a longstanding fixture in public companies’ compliance landscape. Achieving SOX compliance nonetheless remains a time- and attention-consuming process for most organizations. Increasingly complex regulatory requirements accelerated digital transformation, and evolving market, workforce, and workplace dynamics have made stable SOX processes a moving target. Companies’ control environments and processes are evolving as they strive to adapt their business models and technology usage to address their challenges and meet changing conditions.

Your organization’s SOX operating model is the core of your SOX program. Accordingly, your choice of operating model has a massive impact on your ability to plan and execute an efficient, effective, high-quality SOX program.

Starting your SOX compliance journey

Choosing a SOX program operating model for your business is not a decision you’ll make only once. Businesses mature, circumstances change, and needs ebb and flow. That’s why, over time, most businesses will employ a range of SOX operating models.

For example, a company might begin with a cosourced model with heavy external involvement. Then, they might move toward using external resources to assist with more highly specialized areas. At the same time, in less complex areas, their internal audit team might lead efforts, using external resources only to supply needed bandwidth (staff augmentation). Later, they might move toward a primarily internal program, which better suits their needs at that time.

Whatever your balance of these variables—and whatever SOX operating model you choose—the most critical consideration is that you have the appropriate resources in place, and that those resources have the appropriate skill sets to help you develop and maintain a robust system of internal controls. By making thoughtful choices about your SOX operating model and committing to evolving it over time, you unlock the potential to:

• Improve the productivity, efficiency, quality, and cost-effectiveness of your SOX work.
• More effectively manage risk across the organization.
• Elevate the role and value of the internal audit function.

Get in touch

		Lindsay Rosenfeld Partner, Audit & Assurance Deloitte & Touche LLP			Patricia Salkin Managing Director, Risk and Financial Advisory Deloitte & Touche LLP
		Theresa Koursaris Senior Manager, Audit & Assurance Deloitte & Touche LLP			Sandra Teixeira Managing Director, Risk and Financial Advisory Deloitte & Touche LLP