SOX Compliance

What Are SOX Controls?

The Sarbanes-Oxley Act of 2002, commonly known as SOX, is a federal law created in the wake of major accounting scandals of the early 2000s, including Enron and WorldCom. It requires publicly traded companies in the U.S. to put controls in place to protect shareholders from fraudulent financial reporting. While the act can be cumbersome for businesses, it is an essential tool in the fight against corporate fraud.

What are SOX controls?

SOX controls primarily come from Section 404 of the Act, which requires that organizations implement internal controls to ensure accurate financial reporting. These controls help prevent and detect errors and safeguard activities within a financial reporting cycle, making it difficult for companies to conceal wrongdoing.

SOX doesn’t prescribe a list of specific internal controls. Instead, it requires companies to define their own controls that meet the SOX compliance objectives.

Internal auditors must regularly conduct compliance audits to verify that the company has appropriate controls in place and that those controls are functioning correctly.

External auditors must review controls, policies, and procedures as part of an annual SOX compliance audit. Before the Sarbanes-Oxley Act, the audit profession was largely self-regulated. However, because the accounting scandals leading up to SOX sparked questions about external auditor performance and independence, SOX also created the Public Company Accounting Oversight Board (PCAOB) to provide oversight over the accounting firms that audit publicly traded companies.

How many SOX controls are there?

The number of internal controls a company has varies from organization to organization because different risks and environments require unique internal controls.

However, the following different control types can be used to mitigate risk to the organization and ensure reliable financial reporting.

Preventive vs. detection controls

Preventative controls try to stop an undesired outcome from happening. For example, preventive control methods include using passwords, approval systems, and enforcing policies and procedures. Detection controls aim to find errors or irregularities that have already occurred. For example, common detection control techniques include reconciling expenses against budgets, forecasts, and prior period results.

Hard vs. soft controls

Hard controls are systems that organizations put in place to manage risk. They include organizational structures and segregation of duties. Soft controls are the principles and values that guide an organization’s behavior, including tone at the top, ethical climate, trust, and competence.

Manual vs. automated controls

Manual controls rely on an individual to input the financial data, whether manual or IT-dependent. Companies typically use system-generated reports to test these controls. Automated controls do not require human interaction because the computer system can perform them independently.

Key vs. secondary controls

SOX internal controls are broadly classified into two categories: primary controls and secondary controls.

Primary controls (also known as SOX key controls) must operate effectively to reduce risk to an acceptable level. In contrast, secondary controls help the process run smoothly but aren’t essential.

The controls cover a variety of activities, from financial statement preparation to disclosure and auditing. To know which controls you need to implement, you must understand which risks are present. 

The COSO framework

The Committee of Sponsoring Organizations (COSO) Framework is used by publicly traded companies and SOX auditors to help put internal controls in place to formalize how companies perform key business processes.

It provides organizations with a structure for designing, implementing, assessing, and monitoring internal controls. The framework is widely accepted and has been adopted by the PCAOB as the standard for auditing internal controls.

There are five components of the COSO framework:

1. Control environment. The control environment is the foundation for all internal controls and includes the organization’s culture, values, and operating procedures. The control environment sets the tone at the top and influences the ethical climate within the organization. 
2. Risk assessment and management. Risk assessment is identifying, measuring, and managing risks in an organization. It is essential to understand the different types of risks that can impact a company so you can put appropriate controls in place. The first step is identifying the financial and non-financial risks that could affect the organization. The second step is to measure the severity and likelihood of each risk. This helps prioritize the risks and determines which ones need the most attention. The third step is to develop a plan to manage the risks, including implementing controls to mitigate the risk and ensuring that those controls are effective. 
3. Control activities. One of the critical components of the COSO framework is control activities. Control activities are those organizations put in place to ensure that financial data is accurate and reliable. They help protect an organization’s assets, reduce risk exposure, and improve efficiency. 
4. Information and communications. Information and communications are essential components of the internal control environment. They help ensure that employees are aware of the company’s policies and procedures, that they understand the risks that the company faces, and that they can report any concerns they have. Organizations should have a written policy for information and communication.
5. Monitoring. Organizations need to have a system for monitoring the effectiveness of their internal controls. This includes reviewing the performance of the controls and identifying any areas that need improvement. 

SOX controls examples

Following are some examples of commonly performed SOX control activities:

• Segregation of duties. Dividing duties among multiple people (‘segregating’ them) so that one person does not have complete control over any financial transaction. This reduces the likelihood of errors or improper conduct. For example, someone who prepares financial statements should not also be responsible for recording transactions. 
• Authorizations and approvals. Authorized transactions have been approved by a person with the appropriate level of authority, and these approvals confirm that the transaction is consistent with policies. For example, a company might require that all journal entries be approved by the company’s Controller. 
• Reviews and reconciliations. Reviewing and reconciling financial records regularly, preferably by someone other than the person who prepared them, to confirm that transactions have been processed correctly.
• Safeguarding of assets. Physically secure equipment, inventories, cash, and other property, count them periodically, and compare the counts with control records.
• Training and supervision. Employees need knowledge to do their jobs well, direction and supervision to know what is expected of them, and channels for reporting any wrongdoing.

How does SOX help prevent fraud?

SOX compliance helps prevent fraud in public companies by requiring organizations to implement various controls to safeguard financial information. These controls help to detect errors and irregularities, making it difficult for companies to conceal fraud and misconduct.

The Act also requires CEOs and CFOs to certify the accuracy of the company’s financial statements, which helps to ensure that information is not falsified or manipulated. Additionally, SOX prohibits insider trading and restricts loans to executives, which can help prevent them from using their positions for personal gain. Overall, SOX helps to create a more transparent and accountable corporate environment, which makes it more difficult for fraud to occur.

What’s the difference between SOX and non-SOX controls?

SOX controls are specifically designed to prevent financial statement fraud and errors. Companies can implement non-SOX controls to protect against other types of fraud or misconduct, improve operational efficiency, or ensure compliance with regulatory requirements.

While SOX and non-SOX controls both play a role in preventing fraud, they differ in their focus and scope. SOX controls are narrower in scope, targeting financial reporting specifically. Non-SOX controls are more comprehensive, covering a variety of areas such as financial and operations security, data integrity, and compliance. Additionally, SOX controls are mandated by law, while non-SOX controls are not.

Overall, SOX and non-SOX controls both have a role in preventing fraud and safeguarding businesses from misconduct. However, SOX controls are more specific in their focus and are mandated by law, making them a critical part of any anti-fraud strategy.

Stefan van Duyvendijk

Stefan van Duyvendijk is the Accounting Operations Evangelist at FloQast. Previously, Stefan served as the Corporate Controller for Kodiak Cakes, a private equity owned, leading consumer packaged food company, and as a Controller for Skullcandy, a multinational headphone CPG. These positions followed his five years at KPMG. His experience includes ASC 606 implementation, reduction of financial close timelines, accounting operational improvements, business combinations, financial statement audits, SOX audits and implementation, management reporting, debt, treasury, and systems integrations/implementation.