What Is a SOX Audit?
To comply with the Sarbanes-Oxley Act of 2002 (SOX), organizations are required to conduct a yearly audit of financial statements.
A SOX compliance audit is intended to verify the financial statements of the company, and the processes involved in creating them. During the audit, the financial statements and management of internal controls are analyzed and assessed by an external auditor. The audit report must be made available to relevant parties.
A SOX compliance auditor must be an impartial party. During the audit, they compare past statements with those of the current year, and analyze the information. Additionally, the auditor interviews people from the compliance department, and possibly members of other departments, to ensure that compliance measures are sufficient to meet SOX standards.
What Does a SOX Audit Involve?
A SOX audit involves a review of internal controls and procedures. If the organization uses a control framework, such as COBIT, auditors will typically follow the structure of the control framework during the audit. They also analyze monitoring and logging systems, checking these systems for access and activity related to sensitive business information.
The review of internal controls typically takes up the majority of the audit, because internal controls cover all IT assets, including computers, network hardware, and all electronic devices that handle financial information. The audit covers many aspects, including IT security, data backup, change management, and access controls.
What Types of Organizations Need SOX Auditing?
SOX compliance helps protect investors, staff, clients, accounting firms, and other relevant parties. To do this, SOX requires a wide range of companies to comply with its standards, including:
- Publicly traded companies based in the US, including wholly-owned subsidiaries
- Publicly traded non-US companies conducting business in the US
- Private companies preparing for an initial public offering (IPO)
- Accounting firms and third-party companies that offer services to any of the above companies
When Should a Private Company Perform a SOX Audit?
SOX was created primarily to keep public companies and their accounting firms in check. However, in certain scenarios, SOX can also apply to private companies and nonprofits. Here are several scenarios in which a private company might need to perform a SOX audit:
- A third party’s insistence—some business partners might require private companies to undergo a SOX audit. Lenders, for example, may ask companies to provide an independent audit when requesting a loan. Insurance companies may also ask for financial statement certifications before they approve Directors & Officers (D&O) liability insurance.
- Due diligence for prospective investors and buyers—potential buyers and investors might ask to see audited financials as well as assurances regarding the internal controls of the company. They request this information so they can make an informed decision on acquisitions, loans, and coverage to mitigate risk.
- State requirements—certain state securities regulators might extend SOX compliance requirements to include certain private companies.
Additionally, companies with a large external shareholder base may be asked to conduct a SOX audit, as well as companies with registered debt securities.
An 8-Step SOX Audit Process
1. Risk Assessment
You can use a risk assessment approach to define the scope of a SOX audit, in line with the recommendations of the PCAOB accounting standard. This part of the audit process should assist the auditor in identifying risks and potential business impact—it shouldn’t produce a list of compliance procedures. This involves assessing the organization’s internal controls to ensure they offer reasonable protection against errors and omissions.
2. Materiality Analysis
This step involves determining which items are material to the balance sheet and profit and loss statement. An item is material if it can influence the financial decisions of the statements’ users. Auditors usually compute materiality as a percentage of financial statement accounts.
This part of the audit process also involves determining the locations of material account balances, identifying the transactions associated with material accounts, and identifying the financial reporting risks for these accounts. This involves an analysis of the financials across business locations to detect account balances that exceed what is deemed material. Then, the transactions responsible for the increase in the statements should be examined. Finally, you need to determine the cause of the risk event, or why a transaction was not recorded correctly.
3. SOX Controls
In the materiality analysis stage, the auditor identifies and documents the SOX controls that can prevent and detect incorrect recording of transactions. This involves identifying the procedures in place to ensure account balances are correctly calculated. Material accounts may warrant multiple controls to avoid inaccurate statements. Each control must be analyzed to determine its efficacy and appropriateness.
4. Fraud Risk Assessment
This involves assessing potentially fraudulent activity to ensure early detection and prevention of fraud. Internal controls can help reduce the opportunities for committing fraud and mitigate the material impact in the event of fraud.
5. Process and SOX Control Documentation
The control narrative and documentation should include details of how key controls operate (including frequency, testing and associated risks). Documentation of risks and controls can be difficult to do manually.
6. Testing of Key Controls
SOX control testing involves verifying the effectiveness of testing methods, ensuring the control is operated by the appropriate process owner, and checking whether the control is successful in protecting against material misstatements.
Testing methods for the actual SOX control tests include continuous evaluation and observation, communication with process owners, walkthroughs of transactions, and documentation inspections.
7. SOX Deficiency Assessment
An effective SOX program should reduce the time spent on manual testing and management, with a predictable and acceptable level of deficiencies. The auditor will sometimes identify gaps in the SOX control testing process, which need to be remediated. The assessment should determine whether the issue resulted from a design or operating failure, and whether it constitutes a material weakness (a higher-risk percentage of variance).
8. SOX Control Report
The final stage of SOX control testing involves management producing a report on controls and delivering it to the audit committee. The report should include a summary of the results and management’s opinion; a review of the framework used and the evidence collected; the results from each test; identification of gaps and failures and their root causes; and the assessment of a third-party auditor.
Automating SOX Controls Auditing with Pathlock
Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution for proving compliance with your internal controls for SOX. Continuous controls monitoring ensures that you are always tracking your compliance, so there are no major surprises when audit season comes around.
In today’s modern enterprise, nearly 100% of financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly into your business applications, Pathlock can automatically monitor activity in these applications to surface any control violations, and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.
Financial Impact Prioritization
Pathlock automatically prioritizes your most critical violations by quantifying access risk, tying each violation to the real dollar amount of the out-of-policy transactions.
With a catalog of over 500 rules, Pathlock provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Real-time Access Mitigation
Pathlock allows users to quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, or forcing 2FA, or it can respond intelligently on its own, terminating suspicious sessions and blocking transactions in real time.
Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.
Lateral SOD Correlation
All entitlements and roles are correlated with a user’s behavior, consolidating activities and revealing cross-application segregation of duties (SoD) conflicts between financially relevant applications.
Continuous Control Monitoring
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.