10 Steps to Position Yourself for SOX Leadership Opportunities
To position yourself as a future SOX program leader, demonstrating strategy and intent is critical. Building a reputation as a SOX expert – both inside and outside of your organization – and developing a track record of SOX compliance wins is the best way to stand out. To create a significant impact in improving the practice of controls management at your organization, leaders must follow a plan that maximizes their experience and opportunities.
If you’re a high-performing SOX manager with aspirations to lead a SOX program, I’ve developed a 10-step action plan to better position yourself for an internal or external SOX leadership opportunity.
SOX Leadership Opportunities – Internal
1. Become the go-to expert on SEC, PCAOB, and external auditor guidance
Recent years have been flooded with new regulatory control and disclosure requirements and expectations: new lease accounting standards, revenue recognition requirements, cyber disclosure requirements, and ESG reporting expectations.
These are opportunities to educate your organization’s Legal, Finance, and IT leaders for them to understand what is required of them, and what changes they may need to make.
Be the person who routinely summarizes and educates your company on SEC Comment Letters and PCAOB inspection findings. Don’t solely rely on vendor thought leadership on how to interpret SEC guidance. Instead, form your own opinion and corroborate it with your external auditor’s guidance.
From there, you can also help your company by creating draft risk and control matrices for new and needed controls, or help educate and document a new process to ensure compliance with the new requirements.
2. Successfully rationalize controls
Well-run SOX departments allocate time to re-perform the SOX risk assessment process at least twice a year to ensure only the necessary controls are tested for SOX compliance. If your team is one of these teams, do whatever you can to be involved and assist with this process.
If your team just rolls over the risk assessment year over year, this is an opportunity to have a significant positive impact. Over the past 5 – 10 years, your business has likely changed pretty significantly. For instance, acquisitions, divestitures, new offerings, and changes in business results across company divisions and locations all impact how many controls are needed.
If you can re-perform the SOX risk assessment and explain why certain controls need to be tested, why others do not need to be tested but should still be maintained, and to support why redundant controls should be eliminated, you will very likely identify a significant number of controls to rationalize – and will have demonstrated a critical skill needed to manage a SOX program.
3. Improve one aspect of the process of SOX compliance
With all of the time spent by Internal Audit on SOX compliance, it’s troubling to see how many opportunities exist to improve the process of SOX compliance.
Here are a few ideas for special projects to carry out to reduce time spent on SOX compliance by the SOX team and control owners:
- Not using a purpose-built controls application? Evaluate a few and make a purchase.
- Already using an application with purpose-built controls? Meet with your vendor and find ways to improve how it is used.
- Transition SOX status reporting from manual updates to visual dashboards.
- Streamline the process to update narratives, certify controls, assess deficiencies, or collaborate with your external auditors.
- Create a process to onboard new control owners, or to determine if new applications should be in-scope for SOX.
4. Position the SOX program to take on a leadership role in your organization’s Connected Risk approach
While Sarbanes-Oxley risks, controls, and assurance are only one piece of our organization’s larger enterprise risk management efforts, they are likely the most formalized and documented.
Regardless of your organization’s maturity to manage risk, the skill sets and knowledge gained through SOX compliance can be of value to other areas of the business. Seeking to identify gaps in risk coverage, whether duplicative controls exist, and ways to eliminate redundant data requests of the same control owners can help improve the practice of risk management and controls compliance in areas outside of Finance, and important to your organization’s success.
SOX Leadership Opportunities – External
5. Create an opportunity to publicly share your SOX knowledge
Can you present on a SOX topic or write a blog about SOX compliance? Many event planners, including those at your local IIA chapter, ISACA chapter, and even AuditBoard are looking for qualified speakers and practitioners to share front-line experiences and how-to knowledge on relevant topics to share on their blog, through a webinar, or at an in-person event.
I’ve found that writing a blog or presentation has two main benefits. First, it will help establish or further cement your brand as an expert in the field. But perhaps more importantly, you will uncover aspects where you need additional understanding. Creating plans to seek out and obtain this knowledge will round out your SOX expertise.
6. Network with other SOX leaders
In the same fashion, networking and meeting with other SOX program leaders one-on-one can provide industry-specific knowledge of key risks, controls, and external auditor focus areas that would be important for your company to be aware of.
Take detailed notes during your conversation. Afterward, you can share these best practices and draft project plans with your SOX leader, Corporate Controller, CAO, or CFO.
To boot, these meetings will also allow you to learn what those individuals did to earn a leadership role in their SOX program.
7. Create a SOX-related thought leadership event
A follow-up to step 7, once you meet with several SOX program leaders, invite all of them to a 90-minute meeting to share the best practices, themes, and trends you learned from each conversation. For the top 3 lessons learned, invite the SOX leader to share more context. This has an additional advantage of enabling you to introduce members of your network to each other, which provides value to the participants beyond the content of the meeting.
SOX Leadership Opportunities – Personal
8. Network with a risk advisory partner in your region
These partners are likely the first to know when a SOX leadership role is open and can be influential to the hiring manager on who to hire. If they help you find a role, you should strongly consider their team to be your co-source provider. Baker Tilly, CrossCountry Consulting, Crowe, Deloitte, EY, Protiviti, and RSM are all AuditBoard Strategic Alliance partners and would be happy to help here.
9. Bolster your LinkedIn recommendations
Aim for at least one recommendation from a former or current manager, someone you are currently managing, a Corporate Controller or Assistant Controller you’ve worked with, a Control Owner, and someone from your external auditor.
To make it easier to receive a great recommendation, write a draft recommendation and ask the individual to endorse it or modify it as they best see fit.
10. Develop your opinions on how to leverage AI for SOX compliance
We are still in the early days of understanding how Generative AI be leveraged to decrease time allocated to SOX compliance and improve internal control performance. Likely, any ideas you do have to leverage AI will be followed with significant scrutiny from your external auditor.
However, having an opinion on how AI can be leveraged – whether you are facilitating the SOX risk assessment, advising on creating testing procedures for new controls, or helping with internal control training – can show your capabilities of longer-term thinking, which is a desired trait for any leadership role.
The benefits of AI for SOX compliance – and how compliance can drive connected risk for your organization – are critical knowledge for any SOX leader.
Investing in Yourself as a SOX Leader
If you can check off each of these to-do’s, the perspectives you can share and stories you can tell hiring managers will be far superior to the others who are interviewing for the role. And even better, the relationships you will have created or cultivated will last for your entire life.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.