How to Prepare For a SOX Audit

SOX audits are required for all publicly traded companies in the United States. As a financial professional, it is important to be aware of the requirements of a SOX audit and put into place the necessary measures to ensure a smooth and successful audit. This article will provide an overview of the key steps that need to be taken to prepare for a SOX audit.

What is a SOX Audit?

A SOX audit, or a Sarbanes-Oxley audit, is an annual audit conducted in accordance with the Sarbanes-Oxley Act of 2002. Congress passed the Sarbanes-Oxley Act in response to several major accounting scandals, including those at Enron, Tyco, and WorldCom—major corporate fraud cases that impacted the market and investors by causing a lack of trust in publicly traded companies. The bill was sponsored by Senator Paul Sarbanes of Maryland and Representative Mike Oxley from Ohio. The purpose of the Sarbanes-Oxley Act is to improve corporate governance and financial reporting practices.

The requirements of a SOX audit stem from Sections 302, 404, and 409 of the Sarbanes-Oxley Act. These sections require publicly traded companies to establish and maintain effective internal controls over financial reporting. To do this, companies must implement a system of governance and procedures for financial reporting. They must also ensure that their corporate financial statements are accurate and reliable.

What is the purpose of a SOX audit?

The purpose of a SOX audit is to ensure that the financial statements of public companies are accurate and reliable.

To reach that assurance, companies must hire independent accounting firms to perform a yearly assessment of how well the company manages its internal controls and make that internal control report readily available to stakeholders.

While SOX compliance is primarily thought of as a requirement for public companies, aspects of it also apply to:

  • Publicly traded foreign companies conducting business in the US
  • Private companies that want to have an initial public offering (IPO)
  • Accounting firms that offer services to these entities

Even if your company is a private company or nonprofit and is not required to comply with SOX, maintaining an adequate internal control structure to protect your annual financial reports is just good business practice.

Who can perform a SOX audit?

A SOX compliance audit must be performed by an external auditor who is independent of the organization. Auditor independence is crucial, as it ensures the auditor has no conflicts of interest that might impair their judgment and prevent them from performing their tasks in an objective manner. The external auditor is responsible for conducting the audit and issuing the audit report. 

The company’s internal audit team may also conduct internal audits to ensure the company’s controls are functioning and the organization is prepared to undergo an external audit.

Management, including the CEO and CFO, is responsible for implementing and maintaining the system of financial controls, and the independent auditor reviews the company’s internal controls and procedures to ensure they’re functioning as intended.

Although the focus of a SOX audit is internal controls over financial reporting, accounting firms are increasingly required to gain an understanding of the company’s technology because internal controls involve IT security, data backup, and access controls.

The Public Company Accounting Oversight Board (PCAOB) routinely conducts inspections of accounting firms that perform SOX audits of public companies to ensure they adhere to audit standards.

What documents are needed?

To prepare for a SOX audit, companies need to provide certain documents to their auditor. The most important document is the company’s financial statement. This document provides an overview of the company’s financial position and performance. Other documents typically supplied to the auditor include management’s discussion and analysis, documentation of internal controls, and the results of any internal controls testing.

The financial statement is the most important document because it provides the basis for assessing the company’s financial controls. However, the other documents are also important because they provide insight into how the company is performing financially and how it is managed.

SOX audit preparation process

Several steps need to be taken to prepare a public company for a SOX audit. 

Establish an internal control structure

The most crucial step is establishing a system of controls over financial information. This system should include procedures for financial reporting and guidelines for management accountability. 

The Sarbanes-Oxley Act doesn’t provide a specific list of internal controls to follow; however, several internal control frameworks can serve as a guide. Two well-established risk management frameworks are the Committee of Sponsoring Organizations (COSO) framework, which is recommended for general accounting processes, and Control Objectives for Information and related Technology (COBIT), which provides guidelines for developing policies and practices for IT controls.

Support from your IT department is crucial to comply with SOX, as the technology you use for financial reporting can help with electronic controls, data protection, and preventing a data breach.

Document relevant policies, procedures, and processes

Maintain documentation for all policies, procedures, and processes impacting financial reports and disclosures. Document any changes to those policies and procedures that occur throughout the year. By documenting these changes, you help to create a culture of accountability and show the importance placed on internal controls—ultimately avoiding potential weaknesses during your external audit.

Train and educate staff on SOX controls 

Your employees should understand the basics of SOX compliance inside and out. The less they know about what is and isn’t SOX compliant, the more likely they are to unknowingly engage in fraudulent activities and take other financial reporting risks. 

Map organizational responsibilities

One way to protect your organization is by segregating duties. 

Segregation of duties is the practice of separating different types of tasks or responsibilities among different people to reduce the risk of fraud. This can include separating the responsibilities for authorizing and recording transactions, verifying information, custody of assets, and preparing financial statements. 

For example, you might put different employees in charge of maintaining the general ledger, approving purchase orders, or cutting checks to pay invoices. This way, no one individual has all the power to commit fraud or make changes that could go undetected. Another example relating to IT controls is not allowing one individual to both make a change to the development database and move the change to the production database. This change management control is designed to prevent fraudulent changes to the systems that impact financial records.

As part of a SOX compliance audit, your external auditors may interview staff to ensure that their job duties match the documented internal controls and they’re appropriately educated and trained on how to maintain SOX compliance standards.

Maintain an audit trail

An audit trail is necessary to safeguard financial data and ensure accurate financial reporting. You should have a detailed record of every financial transaction, journal entry, and approval.
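The segregation-of-duties rules from the previous section can be checked mechanically against the audit trail described here. The following is an added example, not code from the article or from any project it mentions: it assumes a JSON-lines audit trail with `item`, `user` and `action` fields, and the conflicting duty pairs are assumptions chosen to mirror the article's own examples (authorize vs. record, custody vs. record, development change vs. production deployment).

```python
# Segregation-of-duties check over an audit trail. Added example, not from
# the article; the record format, field names and conflict pairs below are
# assumptions that mirror the article's examples (authorize vs. record,
# custody vs. record, development change vs. production deployment).
import json
from collections import defaultdict

# Duty pairs that one person must not hold for the same transaction/change.
CONFLICTING_DUTIES = {
    frozenset({"authorize", "record"}),
    frozenset({"record", "custody"}),
    frozenset({"custody", "authorize"}),
    frozenset({"dev_change", "prod_deploy"}),
}

# Constructed audit-trail lines (one JSON record per line).
SAMPLE_TRAIL = """
{"ts":"2024-03-01T09:00:00Z","item":"PO-1001","user":"alice","action":"authorize"}
{"ts":"2024-03-01T09:05:00Z","item":"PO-1001","user":"bob","action":"record"}
{"ts":"2024-03-01T10:00:00Z","item":"PO-1002","user":"carol","action":"authorize"}
{"ts":"2024-03-01T10:02:00Z","item":"PO-1002","user":"carol","action":"record"}
{"ts":"2024-03-02T14:00:00Z","item":"CHG-42","user":"dave","action":"dev_change"}
{"ts":"2024-03-02T16:00:00Z","item":"CHG-42","user":"dave","action":"prod_deploy"}
{"ts":"2024-03-03T11:00:00Z","item":"CHG-43","user":"erin","action":"dev_change"}
{"ts":"2024-03-03T12:00:00Z","item":"CHG-43","user":"frank","action":"prod_deploy"}
"""

def parse_trail(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_sod_violations(records):
    """Return (item, user, duty_a, duty_b) for every conflicting duty pair
    that the same user performed on the same item."""
    duties = defaultdict(set)  # (item, user) -> actions performed
    for r in records:
        duties[(r["item"], r["user"])].add(r["action"])
    violations = []
    for (item, user), actions in sorted(duties.items()):
        for pair in CONFLICTING_DUTIES:
            if pair <= actions:  # both duties in the pair were performed
                violations.append((item, user) + tuple(sorted(pair)))
    return violations

if __name__ == "__main__":
    for item, user, a, b in find_sod_violations(parse_trail(SAMPLE_TRAIL)):
        print(f"SoD violation on {item}: {user} performed both {a} and {b}")
```

Run against the sample trail, the check flags carol (authorized and recorded PO-1002) and dave (changed and deployed CHG-42), while the properly split PO-1001 and CHG-43 pass.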

Meet with your external auditors

Once you’ve engaged your independent auditors, schedule a meeting to introduce your team members and discuss your SOX compliance requirements. Your auditors should also provide a preliminary SOX compliance checklist and a list of documents they’ll need to begin the risk assessment and SOX control testing process.

A SOX compliance audit is a critical way to ensure that companies are complying with financial regulations. To prepare for a SOX audit, it is crucial to establish a system of internal controls for financial reporting and document all relevant policies, procedures, and processes. By taking these steps, you can help ensure a successful SOX audit.

Stefan van Duyvendijk

Stefan van Duyvendijk is FloQast's first Accounting Operations Evangelist. Stefan is a tenured controller who has consistently nurtured finance professionals and improved accounting processes throughout his career. Previously he was Corporate Controller for Kodiak Cakes where he led a 10-member finance team through a pre-IPO initiative. Before that, he was U.S. Controller for Skullcandy and senior associate at KPMG.