A practical approach to SOX readiness

The road to SOX compliance

Focus on people

When developing and maintaining an internal control framework, it’s critical to have resources with the appropriate skillset and level of authority within the accounting and finance areas, but also throughout the organization. Even though SOX is focused on Internal Control over Financial Reporting (ICFR), it’s important to keep in mind that inputs into the financial reports are also from the business, so controls are also needed over relevant business processes, systems, and applications. This means that the responsibility for effective internal controls reaches beyond just finance and accounting and into other areas of an organization, and training is an important component of communicating roles and responsibilities over SOX throughout the organization.

The CEO and CFO should be particularly interested in ensuring that resources with the appropriate skillset and level of authority are involved in the SOX program because the CEO and CFO sign SOX Section 302 and 906 certifications within the company’s quarterly and annual filings, respectively, with the SEC. If the certification submitted is not accurate or the CEO or CFO does not comply with the requirements, regardless of whether it was done mistakenly, the CEO and/or CFO is personally subject to criminal and financial penalties.

Focus on process

One of the requirements of SOX Section 404(a) includes that management is responsible for establishing and maintaining an adequate internal control structure and evaluating that internal control structure, based on certain criteria, or a framework. 

To support the achievement of SOX compliance, entity level controls should be established along with process level controls. Entity level controls include, for example, starting with the tone at the top; performing a risk assessment; attracting, developing, training, and retaining competent individuals; and establishing a monitoring program.

Focus on technology

When standing up a system of internal control for the first time, there will likely be control gaps identified. It’s possible to remediate these gaps by designing manual controls. However, before you do that, consider your technology options.

Technology not only can help you comply with SOX by implementing automated controls to mitigate risks, but can generate organizational efficiencies and improve operations since they are inherently more reliable than manual controls when they are designed appropriately. 

In addition to considering automation at the process level, companies should explore opportunities for automation related to the management of their SOX framework by leveraging a governance, risk, and compliance (GRC) technology platform to help manage workflow around control testing and deficiency remediation, support the ongoing monitoring of their framework overall, and instill accountability and ownership throughout the organization. 

Whether at the process level or managing the internal control framework through the use of a GRC solution, automation can offer the CEO and CFO greater confidence that the certifications they’re signing reflect more accurate, real-time information.

A practical path forward

The Sarbanes-Oxley Act’s most prominent provisions for internal control are Sections 302, 404, and 906. Becoming compliant with these and other provisions is a significant undertaking that includes assigning new roles and responsibilities for risk management, the selection and application of an internal control framework, and consideration of technology solutions for a more accurate, timely picture of the control environment. Breaking the endeavor down into phases can make it more manageable, as can taking an iterative, agile approach that tackles the highest priorities first and allows for continuous learning and improvement.

Get in touch

Lindsay Rosenfeld Partner Audit & Assurance Deloitte & Touche LLP +1 313 396 3167	Theresa Koursaris Senior Manager, Audit & Assurance Deloitte & Touche LLP +1 212 492 3666