What Are SOX Controls? Best Practices for Defining Your Scope
The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that has been in place for over 20 years, but many people still have difficulty explaining in simple terms what we mean by SOX controls. How do you identify SOX versus non-SOX controls? What about key controls? How should SOX internal controls be applied to cybersecurity and information security matters? Is SOX compliance mandatory? Get answers to these and many more SOX control questions below.
TL;DR SOX controls are essential for ensuring the accuracy and reliability of financial reporting as mandated by the Sarbanes-Oxley Act. This article explains the importance of SOX controls, their key components, and best practices for maintaining compliance.
SOX Compliance Requirements
The SOX requirements for publicly traded companies registered with the Securities and Exchange Commission (SEC) include internal controls over the processes and systems that affect financial reporting. SOX aims to ensure accurate and reliable financial reporting and to rebuild trust with investors and the public after a series of fraud scandals, including Enron and WorldCom, rocked the markets. Most of the confusion around SOX controls is a matter of scoping: understanding where SOX ends and ordinary management internal controls begin.
The Sarbanes-Oxley Act of 2002 has eleven titles, with three, in particular, having a major impact on financial reporting and the responsibilities of the CEO and CFO of a company: Section 302, Section 404, and Section 906.
- Section 302 requires the CEO and CFO to certify each periodic report, stating that 1) they have reviewed the report, 2) it contains no untrue statement or omission of a material fact, 3) the financial statements fairly present the company’s financial condition and results in all material respects, 4) they are responsible for establishing and maintaining disclosure controls and procedures and have evaluated their effectiveness, and 5) they have disclosed to the auditors and the audit committee all significant deficiencies, material weaknesses, and any fraud involving management or employees with a significant role in internal control. Essentially, this holds CEOs and CFOs personally accountable for their organization’s financial statements. It may seem like a no-brainer today, but it was not codified until SOX was passed.
- Section 404 has two parts. Section 404(a) requires management of a public company to include in the annual report an assessment of the effectiveness of the company’s internal control over financial reporting (ICFR). Section 404(b) requires the company’s registered public accounting firm to independently attest to, and report on, the effectiveness of ICFR. The auditor attestation applies to accelerated and large accelerated filers; non-accelerated filers (which include most smaller reporting companies) and emerging growth companies are exempt from 404(b) but not from management’s own 404(a) assessment. A newly public company does not have to include management’s first ICFR report until its second annual report, which gives a company pursuing an IPO a window to build its program. Both assessments are performed annually.
- Section 906 adds criminal penalties: an officer who certifies a periodic report knowing that it does not meet the Act’s requirements faces a fine of up to $1 million and up to 10 years’ imprisonment, rising to $5 million and 20 years if the false certification is willful.
The Sarbanes-Oxley Act also created the Public Company Accounting Oversight Board (PCAOB), which watches the watchmen: the PCAOB registers, sets auditing standards for, and inspects the accounting firms that audit public companies and sign off on their financial statements and internal control reports.
Image: Section 302, Section 404, and Section 906 Summary from Deloitte
Source: Deloitte SOX Compliance
SOX Controls Defined
SOX controls are those controls that are relevant to SOX. What does that mean, exactly? The Sarbanes-Oxley Act has a specific jurisdiction — that is, it governs requirements about how internal control structures should support accurate, honest, and trustworthy financial information reporting. So, SOX controls are those controls that address, mitigate, or otherwise manage risks to the accuracy and integrity of financial reporting.
Not all controls in an organization’s environment will be in-scope for SOX, but many will. The best way to determine if a control should be considered relevant for SOX purposes is to ask:
- Does this control relate to or input into the financial information used for financial disclosures?
- Does this control affect financial material accounts or financial statement reporting?
- Does this control affect any systems or processes that feed into financial statement reporting?
If the answer is yes to any of these questions, an organization may want to include that control in the scope of their SOX procedures and internal controls reporting.
Is SOX Compliance Mandatory?
Becoming and remaining SOX compliant is a requirement for publicly traded companies and is in the best interest of companies that may soon be pursuing an IPO. The certification and internal control requirements (Sections 302 and 404) do not apply to nonprofit organizations and private companies. A few provisions do reach every organization, however: Section 802’s prohibition on destroying, altering, or falsifying records to obstruct a federal investigation and Section 1107’s protection of whistleblowers apply regardless of whether the entity is public.
Though they may not be subject to SOX, nonprofits and private companies may still want to leverage the internal controls frameworks available, such as COSO’s Internal Control – Integrated Framework (ICIF) and COBIT, to apply risk management and internal controls best practices to their organizations.
How Many SOX Controls Are There?
An organization is not required to implement a set number of SOX controls. Taking a risk-based approach to internal controls (recommended) means that each business will have a different palette of risks and of controls that address them. The number of SOX controls a company operates can vary greatly and does not correlate with the success or effectiveness of a SOX program; a higher control count is not always the better risk-mitigation strategy. That said, most SOX programs share a common set of control types: access controls, segregation of duties, change management, business process controls (such as reconciliations and approvals), data backup, and corporate governance (entity-level) controls.
SOX 404 Controls
SOX 404 refers to a section of the SOX Act (Section 404) that spells out the SOX requirement for management to implement internal controls over financial reporting. Specifically, SOX Section 404 mandates:
(Sec. 404) Directs the SEC to require by rule that annual reports include an internal control report which (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting and (2) evaluates the efficacy of such mechanisms. It also requires the public accounting firm to attest in its annual audit report to the effectiveness of the issuer’s internal control over financial reporting (ICFR). Section 404(b) is the part that explicitly requires an independent registered public accounting firm to audit a company’s ICFR. Used as shorthand, “SOX 404 controls” refers to the controls that the public accounting firm will audit for compliance with the Act.
SOX IT Controls and Cybersecurity
SOX requirements generally include business process controls and SOX IT controls. On the business side, the controls in-scope are those around the accuracy of the data feeding into financial reporting, along with reconciliations, and financial data processing. From the IT perspective, there are IT general controls (ITGCs) and application controls. SOX IT controls aim to ensure the systems are well-controlled, accurate, complete, and free of errors that could potentially impact financial reporting.
The key to defining your SOX scope is understanding which processes and systems impact financial reporting. Where most teams need clarification is in distinguishing business-critical IT systems from SOX IT systems. You may have a system holding all of your customers’ information, an essential component of your organization’s success, but if that system does not capture or process financial data that feeds your financial reporting, it is not a SOX application. It should still be well-controlled, but it is outside the scope of SOX testing. In contrast, a data center hosting SOX-relevant (i.e. financial) systems, data, or information is in scope, and may require a physical walkthrough of its access and environmental controls.
When it was originally issued, the Sarbanes-Oxley Act did not account for the emerging cybersecurity threat landscape. Still, implementing and maintaining a strong internal controls program typically calls for strong security controls, especially around sensitive data that may impact financial reporting. Controls under SOX that also shape a company’s cybersecurity posture include incident response and remediation, business continuity planning, and data security (in relation to financial data).
A healthy and effective internal control environment also helps an organization respond to and recover from security breaches, because the same backup, business continuity, and incident response disciplines are exercised by SOX controls. To this end, automation of controls has become increasingly important, especially in IT, as automated controls reduce the manual effort needed to operate them and remove the opportunity for user error when a control is executed. Note that an automated control is only as reliable as the IT general controls (access, change management, and operations) over the system that runs it, which is why ITGCs are tested alongside the automated controls that depend on them.
Even though SOX is not explicitly framed to encourage cybersecurity best practices, stakeholders should keep security in mind, as cyber incidents can now cost companies massively in dollars and reputation.
Key SOX Controls
Within the SOX controls, we designate the primary controls for mitigating risk as key controls. Considerable reliance is put on the key controls, so these should be monitored and tested more frequently. Organizations may also want to set up compensating controls to support key controls if they fail to operate. Compensating controls can provide additional assurance that financial information is being accurately reported. Since controls identified as “key” can have a massive impact on internal controls related to financial reporting, SOX teams should stay on top of these processes and understand their ins and outs.
Management Review Controls (MRCs) also play a critical part in SOX controls. MRCs are typically used as key controls in processes such as the monthly close, budget vs. actual analysis, and quarterly and annual financial reviews. These reviews allow management to examine its financial statements thoroughly for accuracy and completeness before reporting to investors and other users of the financials. MRCs are also used in account reconciliations and in the approval process for significant financial transactions (e.g. wiring funds), so that several levels of management review a transaction before it is executed. MRCs are essential because they provide an additional layer of oversight and help ensure that financial information is accurate and reliable, thereby enhancing the overall effectiveness of SOX controls.
SOX Controls Testing
SOX control testing is a function performed by either management or internal audit or both, as well as by external auditors from a public accounting firm. SOX control testing is performed to determine if the controls are working as intended or if there are any gaps in the internal control process.
External auditors will perform tests of controls to vet management’s assertions and validate that controls are operating as designed and intended. An organization’s internal audit teams and their external auditors can test SOX controls by first understanding the control and what risks it is designed to mitigate, then designing a test around the control’s key attributes or gates, and finally obtaining the evidence and reasonable assurance they need to determine if the control is working as intended or if there are any findings.
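As an added illustration of the testing approach described above (this is example code, not part of the original article), here is a Python script that tests two of the IT general controls named earlier on this page, terminated-user access removal and segregation of duties, over constructed data. The control wording, the role names, the three-business-day SLA, the HR feed, and the GL user export are all assumptions made for the example; a real test would run the same logic over system exports obtained as audit evidence.

```python
"""Automated test of two ITGCs over constructed data (added example).

Control 1 (assumed wording): general-ledger (GL) application access for a
terminated employee is disabled within 3 business days of the termination
date recorded by HR.
Control 2 (assumed wording): no active GL user holds a conflicting
combination of roles (segregation of duties).

Every data value, role name and date below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SLA_BUSINESS_DAYS = 3  # assumed SLA from the control description
TEST_DATE = date(2024, 3, 31)  # "as of" date of the constructed GL export

# Role pairs that the (assumed) SoD matrix says one person must not hold.
SOD_CONFLICTS = (
    frozenset({"VENDOR_MAINT", "PAY_APPROVE"}),  # create a vendor and pay it
    frozenset({"GL_POST", "GL_APPROVE"}),        # post and approve a journal
)


@dataclass(frozen=True)
class GLUser:
    username: str
    employee_id: str
    status: str                 # "active" or "disabled"
    disabled_on: Optional[date]
    roles: frozenset


# Constructed HR termination feed: employee id -> termination date.
HR_TERMINATIONS: Dict[str, date] = {
    "e102": date(2024, 3, 1),   # Friday
    "e205": date(2024, 3, 4),   # Monday
    "e330": date(2024, 3, 10),  # Sunday
}

# Constructed GL user export as of TEST_DATE.
GL_USERS: List[GLUser] = [
    GLUser("jsmith", "e102", "disabled", date(2024, 3, 4), frozenset({"AP_CLERK"})),
    GLUser("mlee", "e205", "active", None, frozenset({"AP_CLERK"})),
    GLUser("rkhan", "e330", "disabled", date(2024, 3, 18), frozenset({"GL_POST"})),
    GLUser("apatel", "e411", "active", None, frozenset({"VENDOR_MAINT", "PAY_APPROVE"})),
    GLUser("bchen", "e512", "active", None, frozenset({"PAY_APPROVE"})),
]


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def check_terminated_access(hr: Dict[str, date], users: List[GLUser],
                            as_of: date) -> List[Tuple[str, str, str]]:
    """Control 1: every terminated employee's GL account was disabled within SLA.

    Tests the whole population (not a sample), which is appropriate for an
    automated check. Returns exceptions as (username, employee_id, reason).
    """
    by_employee = {u.employee_id: u for u in users}
    exceptions = []
    for emp, term_date in hr.items():
        user = by_employee.get(emp)
        if user is None:
            continue  # never had a GL account: nothing to disable
        if user.status != "disabled":
            lag = business_days_between(term_date, as_of)
            exceptions.append((user.username, emp,
                               f"still active {lag} business days after termination"))
            continue
        lag = business_days_between(term_date, user.disabled_on)
        if lag > SLA_BUSINESS_DAYS:
            exceptions.append((user.username, emp,
                               f"disabled late: {lag} business days (SLA {SLA_BUSINESS_DAYS})"))
    return exceptions


def check_segregation_of_duties(users: List[GLUser]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Control 2: no active user holds a conflicting role pair."""
    findings = []
    for user in users:
        if user.status != "active":
            continue
        for conflict in SOD_CONFLICTS:
            if conflict <= user.roles:
                findings.append((user.username, tuple(sorted(conflict))))
    return findings


def run_control_tests(as_of: date) -> dict:
    """Summarise both control tests as effective/not, with supporting exceptions."""
    term = check_terminated_access(HR_TERMINATIONS, GL_USERS, as_of)
    sod = check_segregation_of_duties(GL_USERS)
    return {
        "terminated_access": {"effective": not term, "exceptions": term},
        "segregation_of_duties": {"effective": not sod, "exceptions": sod},
    }


if __name__ == "__main__":
    for name, result in run_control_tests(TEST_DATE).items():
        print(name, "EFFECTIVE" if result["effective"] else "EXCEPTIONS")
        for exc in result["exceptions"]:
            print("   ", exc)
```

Two points a tester should not skip, even with a script like this: the HR feed is the population, so its completeness has to be established separately (for example, by reconciling it to payroll) before the test result means anything, and the exports must be pulled by the tester or generated in the tester’s presence so that the evidence cannot have been trimmed before it was handed over.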
SOX Reporting
SOX reporting is usually done both internally and externally. Internal SOX reporting includes SOX testing status updates created by management, or the company’s internal audit department, with any issues found and remediation plans to address any control failures or deficiencies.
External SOX reporting is a combination of reports filed by the company with the SEC and an audit report from the company’s external auditor. The auditor’s report expresses an opinion on the fairness of the financial statements and, where Section 404(b) applies, on the effectiveness of management’s internal control over financial reporting. Below are some mandatory components of external SOX reporting:
- Quarterly and Annual Reports: Public companies already file quarterly (10-Q) and annual (10-K) reports with the SEC under the Securities Exchange Act of 1934. SOX requires those reports to carry the Section 302 and Section 906 CEO and CFO certifications and to include disclosures about the company’s financial condition and internal controls.
- Internal Control Reports: Section 404 requires management to include an internal control report in the annual 10-K. This report must state management’s responsibility for establishing and maintaining adequate internal control over financial reporting, as well as an assessment of the effectiveness of these controls.
- Material Changes Disclosure: Section 409 requires companies to disclose material changes in their financial condition or operations on a rapid and current basis, usually through an 8-K filing.
- Record Retention Requirements: Section 802 imposes stringent record retention requirements. Auditors must retain audit or review work papers for five years (the SEC’s implementing rule, Regulation S-X Rule 2-06, extends the period to seven years), and knowingly destroying, altering, or falsifying records to obstruct a federal investigation is a crime subject to fines and imprisonment.
- Enhanced Financial Disclosures: SOX requires enhanced financial disclosures, including off-balance-sheet transactions, pro forma figures, and the use of special purpose entities (SPEs). This ensures greater transparency and accuracy in financial reporting.
Start Testing SOX Controls Today
Due to the scope and complexity of maintaining audit programs to meet SOX requirements, The Institute of Internal Auditors (IIA) recommends that management start testing SOX controls early each year and consider the program an ongoing, year-round internal control testing process.
SOX Compliance Checklist
1) Define the SOX Audit Scope Using a Risk Assessment Approach
PCAOB AS 2201 states, “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts, disclosures, and their relevant assertions.”
This step in a SOX compliance audit process should not result in a list of compliance procedures, but should instead help the auditor identify potential risks and sources, how they might impact the business, and whether the internal controls qualify as SOX controls — i.e. whether they will provide reasonable assurance that a material error will be avoided, prevented, or detected.
2) Determine Materiality in SOX – Accounts, Statements, Locations, Processes, and Major Transactions
- Step 1. Determine what items are considered material to the financial statements and disclosures reported to investors. Financial statement items and disclosures are “material” if they could influence the economic decisions of users. Auditors typically set materiality by applying a percentage to a benchmark account, for example 5% of total assets, 3-5% of operating income, or an analysis across several key income statement and balance sheet accounts.
- Step 2. Determine all locations holding material account balances. Analyze the financials for every location where you do business. If an account balance at a location exceeds the materiality threshold set in Step 1, that location is likely to be considered material and in scope for SOX testing in the coming year.
- Step 3. Identify the transactions populating material account balances. Meet with your Controller and the specific process owners to determine the transactions (both debits and credits) that cause each material account to increase or decrease. Document how these transactions occur and how they are recorded, in a narrative, a flowchart, or both.
- Step 4. Identify financial reporting risks for material accounts. Seek to understand what could prevent a transaction from being correctly recorded (the specific risk event). Then document the effect the risk event could have on the account balance, i.e. which financial statement assertion (existence, completeness, accuracy, valuation, cutoff, presentation) would break down.
3) Identify SOX Controls – Non-Key & Key Controls, ITGCs, and Other Entity-Level Controls
During your materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting workflow that ensure the transactions are recorded correctly, and account balances are calculated accurately.
Material accounts often need multiple controls in place to prevent a material misstatement. However, audit teams are cautioned against a brute-force approach of creating a new SOX control whenever a new risk is identified. Too often each new control is classified as “key” without a true risk assessment, which contributes to an ever-increasing control count. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts.
To keep things simple, the quickest way to differentiate a non-key from a key control is to look at the level of risk being addressed. Is the control mitigating a low or a high risk? A key control is one whose failure, on its own, could plausibly allow a material misstatement that no other control would catch; a non-key control mitigates a lower risk or duplicates coverage that a key control already provides. By understanding the risks affecting the financial reporting process, audit teams can prioritize and focus their effort on the key controls.
Finalizing an Effective System of Internal Controls Plan
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify which SOX controls are manual and which are automated. For each automated control, evaluate whether the underlying system is in scope for ITGC testing, because that determines the testing strategy for the control. If the ITGCs over the underlying system (access, change management, and operations) are effective, you can rely on them and substantially reduce re-testing of the automated control, for example by testing it once and relying on change management evidence to confirm it has not changed since.
Once you have defined your scope and identified your SOX controls using these best practices, you will be on track to developing a well-rounded SOX testing program. Learn more about how to build upon this foundation in How to Build a Well-Rounded SOX Testing Program.
Meeting SOX requirements does not need to be overly complicated. Implementing SOX compliance software such as AuditBoard’s SOXHUB can help you eliminate version control issues in your SOX documentation process, centralize SOX control testing, facilitate SOX reporting, and streamline your SOX program from end to end.
Frequently Asked Questions About SOX Controls
What are SOX controls and why are they important?
SOX controls are internal measures established to ensure the accuracy and integrity of a company’s financial reporting. They are crucial for maintaining investor confidence, ensuring regulatory compliance, and preventing fraud by establishing clear procedures and accountability for financial operations.
How often should SOX controls be tested and reviewed?
SOX controls should be tested and reviewed at least annually. However, more frequent testing may be necessary if there are significant changes in processes, systems, or personnel to ensure ongoing compliance and effectiveness.
What are the penalties for non-compliance with SOX controls?
Non-compliance with SOX controls can result in severe penalties, including fines, imprisonment, and reputational damage. Senior executives, particularly the CEO and CFO, can be held personally liable for failing to ensure the accuracy and reliability of financial reports and internal controls.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.