

A practical approach to SOX readiness

Standing up a system of internal control

Companies that decide to enter the public market have one thing in common: they must comply with the Sarbanes-Oxley Act of 2002 (SOX). But preparing for SOX compliance can be hard to balance against the competing priorities of a public offering. A SOX framework focused on people, process, and technology may help keep SOX readiness on track.

The road to SOX compliance

Focus on people

When developing and maintaining an internal control framework, it’s critical to have resources with the appropriate skillset and level of authority not only within the accounting and finance areas, but also throughout the organization. Even though SOX is focused on Internal Control over Financial Reporting (ICFR), it’s important to keep in mind that the inputs into the financial reports also come from the business, so controls are also needed over the relevant business processes, systems, and applications. This means that the responsibility for effective internal controls reaches beyond finance and accounting into other areas of the organization, and training is an important component of communicating SOX roles and responsibilities throughout the organization.

The CEO and CFO should be particularly interested in ensuring that resources with the appropriate skillset and level of authority are involved in the SOX program, because the CEO and CFO sign the SOX Section 302 and 906 certifications within the company’s quarterly and annual filings with the SEC. If a submitted certification is not accurate, or the CEO or CFO does not comply with the requirements, the CEO and/or CFO is personally subject to criminal and financial penalties, regardless of whether the failure was a mistake.

Focus on process

SOX Section 404(a) requires, among other things, that management establish and maintain an adequate internal control structure and evaluate that structure against certain criteria, or a framework.

To support the achievement of SOX compliance, entity-level controls should be established along with process-level controls. Entity-level controls include, for example, setting the tone at the top; performing a risk assessment; attracting, developing, training, and retaining competent individuals; and establishing a monitoring program.

Focus on technology

When standing up a system of internal control for the first time, there will likely be control gaps identified. It’s possible to remediate these gaps by designing manual controls. However, before you do that, consider your technology options.

Technology can help you comply with SOX by implementing automated controls to mitigate risks, and it can also generate organizational efficiencies and improve operations, since automated controls, when designed appropriately, are inherently more reliable than manual controls.

In addition to considering automation at the process level, companies should explore opportunities to automate the management of their SOX framework itself by leveraging a governance, risk, and compliance (GRC) technology platform. Such a platform can help manage the workflow around control testing and deficiency remediation, support ongoing monitoring of the framework as a whole, and instill accountability and ownership throughout the organization.

Whether applied at the process level or to managing the internal control framework through a GRC solution, automation can give the CEO and CFO greater confidence that the certifications they’re signing reflect more accurate, real-time information.


A practical path forward

The Sarbanes-Oxley Act’s most prominent provisions for internal control are Sections 302, 404, and 906. Becoming compliant with these and other provisions is a significant undertaking that includes assigning new roles and responsibilities for risk management, the selection and application of an internal control framework, and consideration of technology solutions for a more accurate, timely picture of the control environment. Breaking the endeavor down into phases can make it more manageable, as can taking an iterative, agile approach that tackles the highest priorities first and allows for continuous learning and improvement.





Get in touch

Lindsay Rosenfeld
Partner Audit & Assurance
Deloitte & Touche LLP
+1 313 396 3167

Theresa Koursaris
Senior Manager, Audit & Assurance
Deloitte & Touche LLP
+1 212 492 3666
