6 steps to achieving SOX compliance

ARTICLE | June 14, 2023

Authored by RSM US LLP


Not all companies need to go public, but for some it opens a new level of funding and stature. It’s a huge step that requires a great deal of planning and work. Operating as a public company in the U.S. demands a very stringent level of compliance that can require building out additional processes, controls and technology that weren’t necessary as a private company but are essential to planning and executing an initial public offering (IPO).

You need to develop a Sarbanes-Oxley (SOX) compliance strategy—a framework that will help you reduce time, save money and minimize risk, including personal liability of the CEO and CFO, who must certify compliance. Even if you are already a public company, you will need to periodically reassess and possibly update your SOX compliance processes and strategies.

What is involved?

Developing a SOX compliance program is a complex, time-consuming process that requires coordination, specific skills and scrupulous documentation. But as with any huge business task, the key is to tackle it in an incremental fashion. The typical approach contains six distinct stages, each of which results in a set of deliverables to drive the next step in the process. Success requires deep preparation, though, and some of your earliest goals will be to conduct a top-down risk assessment and to calculate materiality—at what dollar level might an error in an account balance materially impact the economic decisions made by the company?

How long will it take?

You should expect to spend 18 months or more readying your organization for SOX compliance. If you are preparing for an IPO, leading practice is to start this process no later than six months prior to your offering, as you have one year from the date of your IPO to document and assess internal controls and provide an independent auditor’s attestation report.

1. Plan and scope (months 1–3)

  • Calculate materiality: At what dollar level might an error or omission in an account balance materially affect the economic decisions made by users of the company’s financial statements, such as company management or investors? Materiality will vary from company to company. While $1 million may be material to one company, $10 million may be material to another.
  • Perform a top-down risk assessment and define program scope, considering both qualitative and quantitative factors.
  • Map the financial statements to the core business processes to determine the accounts to be in scope and identify the relevant financial statement assertions for each material account.
  • Review scoping with project sponsor before defining project approach, milestones and timeline.

Deliverables:
  • Risk assessment, scoping document, and project plan

2. Document critical processes (months 2–4)

  • Conduct process walkthrough meetings to identify and document entity-level controls, IT general controls and key internal controls over financial reporting for all significant accounts and processes.
  • Prepare risk and control matrices (RCM), process flowcharts and/or process narratives for each significant process.

Deliverables:
  • RCM, process narratives, and process flowcharts

3. Evaluate design effectiveness (months 3–8)

  • Evaluate internal controls using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. This widely accepted framework is designed to provide reasonable assurance that the organization is operating in accordance with established standards.
  • Perform a gap analysis on the current internal control structure. Identify any missing control points.
  • Perform a design assessment on existing internal controls. Identify any controls not designed to effectively prevent or detect material misstatement.
  • Design and implement process improvements while documenting all changes.
  • Identify opportunities for process automation and enhancements based on leading practices.

Deliverables:
  • Gap analysis and proposed remediation plans

4. Evaluate operating effectiveness (months 6–12)

  • Generate document request list and select samples to assess whether controls are operating as designed over time. (SOX requires compliance documentation, which must be provided to auditors upon request, and requires that controls operate at their defined frequencies consistently.)
  • Evaluate the operating effectiveness of internal control over financial reporting and document the results.
  • Review testing results with process owners and project sponsor.

Deliverables:
  • Operating effectiveness testing results

5. Remediate control weaknesses (months 10–16)

  • Based on the testing results in step 4, validate any identified control deficiencies, identify each deficiency's root cause and assist management with developing remediation plans.
  • Re-perform tests of remediated controls as needed to confirm that the remediation is effective.

Deliverables:
  • Control deficiency list, remediation plans, and re-testing results

6. Assess and report (months 15–18)

  • Assist management with the final assessment and reporting of any deficiencies. A thoughtful evaluation is needed to determine the significance of each control deficiency identified. Significant deficiencies are required to be reported to those charged with oversight (generally the audit committee of the board of directors), and material weaknesses are required to be disclosed in the company’s public SEC filings.
  • Sign off on internal control structure design and operating effectiveness.
  • Present results to the audit committee.

Deliverables:
  • Deficiency assessment template and audit committee presentation

This article was written by RSM US LLP and originally appeared on 2023-06-14.
© 2022 RSM US LLP. All rights reserved.
