SOX Compliance Assessments 101: An Essential Guide for Companies

July 24, 2025

A SOX compliance assessment isn’t just a box to check ― it’s a strategic opportunity to strengthen your company’s financial foundation. By understanding how the process works and how to prepare, you can turn this regulatory requirement into a competitive advantage.

  • A SOX compliance assessment evaluates internal controls over financial reporting (ICFR) to prevent misstatements and ensure compliance with the Sarbanes-Oxley Act.
  • This process involves your management’s internal review of ICFR, external auditor attestation (if required) and adherence to frameworks like COSO. It also aligns closely with audit readiness, helping ensure that your financial systems and documentation can withstand scrutiny.
  • Preparation, early documentation and proactive adjustments to business changes help you ensure a smooth compliance journey.

What Is a SOX Compliance Assessment?

A SOX compliance assessment is an in-depth evaluation of an organization’s internal controls related to financial reporting. It examines both whether management’s controls are properly designed and whether they actually operate as intended, to determine how well the control environment prevents or detects material misstatement of the financial statements.

The assessment is intended to ensure your company’s compliance with the Sarbanes-Oxley Act of 2002 (SOX), which was passed after multiple accounting scandals were uncovered at large publicly traded organizations in the early 2000s. SOX imposes strict governance, financial transparency and accountability requirements to protect investors from corporate fraud.


Companies Required to Have a SOX Compliance Assessment

The following organizations must conduct an annual SOX compliance assessment. Management’s assessment is made as of the end of each fiscal year, so the internal control framework must be in place and operating by that date, in the first year and every year after.

  1. Publicly traded companies (U.S. and foreign) listed on exchanges such as the NYSE or Nasdaq
  2. Companies with a public float (market value of shares held by non-affiliates) over $75 million. These are accelerated filers and are generally subject to the external auditor attestation under Section 404(b) as well as the management assessment.
  3. Any other company that registers securities with the Securities and Exchange Commission (SEC), whether or not it is exchange-listed

Certain private companies may also be required to conduct a SOX compliance assessment. They include:

  • Companies preparing for an initial public offering (IPO)
  • Private companies that are subsidiaries of a public company, since their controls feed the parent’s consolidated financial reporting
  • Private companies with public debt registered with the SEC
  • Private entities such as healthcare organizations, nonprofits and other charitable organizations, which must comply with the sections of SOX that apply to all entities, notably the whistleblower-retaliation and document-destruction provisions

Who Conducts the SOX Compliance Assessment

Typically, a SOX compliance assessment involves two sets of “eyes.”

Management

SOX Section 404(a) requires that management assess the effectiveness of ICFR as well as the control environment and financial reporting risks.

Due to the complexity of SOX reporting, many companies bring in an advisory firm for expertise to ensure compliance, provide benchmarking and improve control design and preparedness. Depending on their internal capabilities, companies may use a co-sourced arrangement — external SOX audit experts who work alongside your internal team — or a fully outsourced SOX compliance assessment. In either case, management is ultimately responsible for all decisions.

External Auditor

SOX Section 404(b) requires an external auditor to attest to, and report on, management’s ICFR assessment. In practice, the auditor does not simply rely on what management reports: it independently tests the controls and issues its own opinion on whether your company’s ICFR is effective as of fiscal year-end.

Keep in mind that an external auditor attestation is not always required. There are certain exemptions to the external audit attestation requirement, dependent on the size and reporting requirements of a company.

Emerging Growth Company Exception

If your company goes public and completes its IPO under emerging growth company (EGC) status, meaning its revenue is below the statutory threshold, you get a grace period. You must still conduct the annual management assessment of ICFR, but you are exempt from the external auditor attestation for up to five years after the IPO, or until the company no longer qualifies as an EGC (for example, by exceeding the revenue threshold or becoming a large accelerated filer), whichever comes first.

Independence Concerns

Note that you can’t use the same firm for your SOX consulting and your external audit. To preserve auditor independence and objectivity, SOX prohibits audit firms from providing certain non-audit services to their audit clients, including outsourced internal audit work and designing or implementing the very controls and financial systems they would later audit.


What a SOX Compliance Assessment Entails

A SOX compliance assessment is a year-long process made up of eight key steps. Steps 1-7 are conducted by management or a SOX auditor hired on behalf of management. Step 8 is completed by an external auditor as part of your financial statement audit if required.

  1. Scope: Identify relevant processes, systems and risks.
  2. Document: Map out processes and controls.
  3. Design: Evaluate whether controls are designed effectively to address the identified risks.
  4. Test: Test whether controls are operating in practice.
  5. Identify gaps: Log and assess deficiencies.
  6. Remediate: Design a remediation plan and retest.
  7. Certify: Management (CEO/CFO) certifies the effectiveness of ICFR in its report.
  8. Opinion: If required, an external auditor provides an attestation under SOX 404(b).

A Closer Look at the SOX Compliance Process

Preparation is critical, especially if this is your first year of SOX compliance. Companies preparing to go public or those with limited internal controls often choose to hire experienced SOX auditors from an advisory firm for guidance. These professionals can streamline the SOX implementation process, helping you establish and evaluate an effective control environment.

SOX auditors typically recommend aligning your controls with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. This widely used standard helps you design, implement and evaluate financial reporting and compliance controls. Once aligned, management reviews and approves the controls, ensuring a solid foundation for compliance.

The SOX compliance process spans the entire fiscal year, with these key steps:

Early in the fiscal year (first 6 months of the year)

  • Scoping and risk assessment: Early on, the focus is on identifying processes, systems and risks relevant to your financial reporting. Scoping narrows the internal control environment to target areas based on risk, ensuring efficiency.
  • Control design and documentation: During this stage, the SOX compliance team maps out your processes and controls. If existing controls are limited or undocumented, they’ll help establish and document them.
  • Walkthroughs and test planning: This phase evaluates the design of your controls, that is, whether each control, if performed as described, would actually address the risk it is mapped to. Walkthroughs trace a transaction through each key control step by step, and a test plan is developed to guide the later testing of operating effectiveness.
  • Segregation of duties (SoD): Ensuring that duties are divided appropriately is a key priority. Segregation of duties prevents any one person from having control over every part of critical financial processes, adding an important layer of checks and balances.

Before your fiscal year-end (last 6 months of the year):

  • Control testing: The SOX compliance team tests a sample of transactions and supporting documentation to verify that controls are well designed and working as intended. These tests may focus on financial processes (e.g., payroll, journal entry approvals) as well as IT general controls, such as user access and system changes. Governance activities, like risk assessments, may also be evaluated at this stage.
  • Remediating deficiencies: If gaps or weaknesses in controls are discovered, corrective actions happen during this phase. SOX auditors or your internal audit team retest the controls after fixes are implemented to confirm their effectiveness before the year-end deadline.
  • Final ICFR evaluation: As the fiscal year-end approaches, management performs a final review of ICFR effectiveness. This evaluation is built on the results from testing and remediation efforts.
  • Management certification and attestation: At fiscal year-end, the CEO and CFO certify their ICFR report. If an external audit is required, this is when the external auditor conducts an independent review of ICFR and provides an attestation under SOX Section 404(b).

The staggered timing and the two layers of review (management’s SOX assessment plus the external audit, if required) offer more than compliance. They give you an opportunity to spot risks and resolve control gaps before year-end, so that the CEO and CFO certifications rest on controls that have already been tested. Done right, the SOX compliance process sets the tone for smoother audits in future years and reinforces trust in your financial reporting processes.

Typical Controls Tested During a SOX Compliance Assessment

Financial Process Controls
  • Revenue recognition
  • Accounts payable and receivable
  • Payroll
  • Journal entries (automated and manual)
  • Financial close and reporting
IT General Controls
  • System access and user rights
  • Change management
  • Data backup and recovery
Entity-Level Controls
  • Ethics and code of conduct
  • Risk assessment and governance
  • Whistleblower programs
  • Board and audit committee oversight

SOX Compliance Assessment Deliverables

As mentioned in the timeline above, your CEO and CFO sign off on whether your ICFR is effective as of year-end in management’s internal control assessment report. If you’re required to have the Section 404(b) attestation, the external auditor will test your ICFR and issue one of the following opinions:

  • Unqualified opinion: The auditor concluded that ICFR was effective as of year-end and found no material weaknesses. Well done!
  • Adverse opinion: The auditor found at least one material weakness that still existed as of year-end.
  • Disclaimer of opinion: The auditor could not obtain enough evidence (for example, because of a scope limitation) to form an opinion on the effectiveness of your ICFR.

The financial statement audit report, management’s ICFR report and, where required, the auditor’s ICFR opinion are all included in your company’s annual 10-K filing. Once the filing is made to the SEC, the auditor's report becomes publicly available.

But what if the external auditor found a material weakness and is preparing to issue an adverse opinion on your ICFR? Because the opinion is as of fiscal year-end, remediation only helps if the corrected control is in place and has operated long enough before that date for management and the auditor to test it. Remediation completed after year-end, even before the 10-K is filed, cannot change the audit opinion for that year; it can only be disclosed as a subsequent remediation effort.


What Happens After Your First SOX Compliance Assessment

After year one, the SOX compliance process transitions to regular annual testing. Management is responsible for ongoing controls testing and documenting any changes, such as company acquisitions, new risks (e.g., migrating to cloud-based systems) or adjustments to key business processes (e.g., outsourcing a function like payroll). It’s essential to communicate these updates to your SOX auditor so they can include them in your annual SOX compliance assessment.

The SOX auditor or internal audit team will conduct walkthroughs of new controls and retest existing ones to ensure they are designed effectively and consistently operating as intended. They will also verify that any material weaknesses or significant deficiencies identified in previous assessments have been addressed. Finally, your auditor will assess whether changes such as new systems, processes, M&A activity, reorganizations or other initiatives have been adequately integrated into your control environment.


Best Practices to Help Your SOX Compliance Assessment Run More Smoothly

A SOX compliance assessment can be a tough nut to crack, no argument there. But there’s much you can do to avoid headaches and make your yearly assessment a smooth process:

  1. Start early. All too often, companies wait too long to engage with a SOX auditor. We hear, “Well, I'm not public yet,” or “I'm going to be public, and then I can worry about this.” But for process owners, day-to-day documentation is a heavy lift, probably the biggest pain point of going public. So, don’t put process documentation on the back burner. Start this conversation at least six to 12 months in advance to stay ahead.
  2. Improve SoD. Without the right infrastructure, proper segregation of duties can be tricky, especially with a small team. It’s difficult to separate the roles of a preparer (who performs a control) from a reviewer (who checks it). Your company’s governance structure, which is the infrastructure behind SoD, often needs improvement.
  3. Don’t wait until your emerging growth window is up. If you’re an EGC, you have up to five years to operate in a less stringent environment (i.e., an external auditor doesn’t need to attest to the effectiveness of your ICFR). Use this window to set up controls and documentation early to avoid extra pressure later.
  4. Stay ahead of business shifts. Keep an eye on changes in your business, like new regulations, acquisitions or systems updates, and think about how they might impact your controls. Staying on top of these shifts helps you spot compliance issues before they become problematic.
  5. Get comprehensive guidance. If you need outside help to establish and document controls, especially if it’s your first SOX compliance year, look for an advisory firm with a SOX compliance team. They’ll guide you on SOX audits, generally accepted accounting principles (GAAP), PCAOB (Public Company Accounting Oversight Board) standards and the COSO framework to minimize errors and control failures.
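The segregation-of-duties points made above (no single person controlling every part of a critical financial process, and preparers kept distinct from reviewers) are exactly what a user-access test in the IT general controls area checks. The script below is an added illustration, not code from this article or from any ERP or GRC product: it expands a role-to-user assignment into per-user entitlements, flags users who hold a conflicting pair under a ruleset, and separately checks journal-entry records for self-approval. The role names, entitlement names, conflict rules and journal entries are all constructed for the example. The point it makes that the prose alone does not is that each role can be clean on its own while a user who holds two roles still ends up with a toxic combination, so the check must run on the combined entitlements, not on roles one at a time.

```python
"""Segregation-of-duties (SoD) checks over a constructed access matrix.

Two tests a SOX user-access review typically performs:
  1. Static conflicts: one user holds two entitlements that the ruleset says
     must be held by different people.
  2. Preparer/reviewer separation: the person who prepared a journal entry
     must not be the person who approved it, and an approver must exist.
All names and data below are illustrative, not taken from any real system.
"""
from collections import defaultdict

# Pairs of entitlements one person must never hold together, with the fraud
# scenario each pair enables. Constructed ruleset for the example.
SOD_RULES = [
    ("AP.CREATE_VENDOR", "AP.APPROVE_PAYMENT", "create a fictitious vendor and pay it"),
    ("GL.POST_JE", "GL.APPROVE_JE", "post and approve one's own journal entry"),
    ("HR.MAINTAIN_EMPLOYEE", "PAYROLL.RUN", "add a ghost employee and run payroll"),
    ("IT.ADMIN_USER_ACCESS", "GL.POST_JE", "grant oneself posting rights and post"),
]

# Constructed role catalog (role -> entitlements). Each role is clean in isolation.
ROLE_CATALOG = {
    "AP_CLERK": {"AP.CREATE_VENDOR", "AP.ENTER_INVOICE"},
    "AP_MANAGER": {"AP.APPROVE_PAYMENT"},
    "GL_ACCOUNTANT": {"GL.POST_JE"},
    "CONTROLLER": {"GL.APPROVE_JE", "AP.APPROVE_PAYMENT"},
    "SYSADMIN": {"IT.ADMIN_USER_ACCESS"},
}

# Constructed user -> roles assignment, as exported from an access review.
ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],        # vendor creation + payment approval
    "carol": ["GL_ACCOUNTANT", "CONTROLLER"],  # post + approve journal entries
    "dave": ["SYSADMIN"],
    "erin": ["SYSADMIN", "GL_ACCOUNTANT"],     # access admin + posting
}

# Constructed journal-entry sample, as pulled for control testing.
JOURNAL_ENTRIES = [
    {"id": "JE-1001", "prepared_by": "carol", "approved_by": "frank", "amount": 12500.00},
    {"id": "JE-1002", "prepared_by": "alice", "approved_by": "carol", "amount": 830.25},
    {"id": "JE-1003", "prepared_by": "carol", "approved_by": "carol", "amount": 99000.00},
    {"id": "JE-1004", "prepared_by": "bob", "approved_by": None, "amount": 4100.00},
]


def user_entitlements(assignments, role_catalog):
    """Flatten user -> roles into user -> set of entitlements.

    Unknown roles contribute nothing; a real review would flag them separately.
    """
    entitlements = defaultdict(set)
    for user, roles in assignments.items():
        for role in roles:
            entitlements[user].update(role_catalog.get(role, ()))
    return entitlements


def find_sod_conflicts(assignments, role_catalog, rules=SOD_RULES):
    """Return a sorted list of (user, entitlement_a, entitlement_b, scenario).

    The check runs on each user's combined entitlements across all roles,
    which is what catches conflicts hidden in role combinations.
    """
    conflicts = []
    for user, held in user_entitlements(assignments, role_catalog).items():
        for ent_a, ent_b, scenario in rules:
            if ent_a in held and ent_b in held:
                conflicts.append((user, ent_a, ent_b, scenario))
    return sorted(conflicts)


def find_review_failures(journal_entries):
    """Return (entry_id, reason) for entries lacking an independent approver."""
    failures = []
    for entry in journal_entries:
        approver = entry.get("approved_by")
        if not approver:
            failures.append((entry["id"], "no approver recorded"))
        elif approver == entry["prepared_by"]:
            failures.append((entry["id"], "self-approved"))
    return failures


if __name__ == "__main__":
    for user, a, b, scenario in find_sod_conflicts(ASSIGNMENTS, ROLE_CATALOG):
        print(f"SoD conflict: {user} holds {a} and {b} (could {scenario})")
    for entry_id, reason in find_review_failures(JOURNAL_ENTRIES):
        print(f"Review failure: {entry_id}: {reason}")
```

Run as a script, it reports bob, carol and erin as SoD conflicts and JE-1003 and JE-1004 as review failures. Note that alice and dave are clean, and carol’s conflict comes from combining two roles that are individually acceptable; a review that only inspects the role catalog would miss it. In a real assessment the exported assignment would come from the ERP or identity provider, and each flagged user would either be remediated or documented with a compensating control (for example, an independent monthly review of payments approved by that user).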

Stop Dreading Your SOX Compliance Assessment

Yes, SOX is a lot of work. But with the right support, it doesn’t have to be one big headache. Learn how our SOX compliance consultants can help you uncover and address vulnerabilities, streamline the compliance process and maintain an effective SOX 404 program.
