Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

How to Improve Your SOX Compliance Program


If you have been following either of my blogs (hopefully both, here and at, you know that I frequently call out so-called expert guidance that is anything but expert.

Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper offering companies guidance on optimizing their Sarbanes-Oxley program. It should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.

Instead, I will share some suggestions of my own:

  1. Make sure you are focused on financial reporting risk! The scope should include the controls required to provide reasonable assurance that material errors or omissions will be either prevented or detected. That means the likelihood of such an error or omission is more than a reasonable possibility (not simply a theoretical possibility), and the error or omission has to be material to the consolidated financial statements.
  2. Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.
  3. Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. ITGC scoping should be a continuation of the financial reporting scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are present and functioning (as defined by COSO, a defect would not be a major deficiency).
  4. Be experts not only in the U.S. Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) Interpretive Guidance and SEC/PCAOB staff guidance.
  5. Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.
  6. Read The IIA's updated guidance (my book): Management's Guide to Sarbanes-Oxley Section 404, 4th Edition. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)

I welcome your thoughts.

