SOX Compliance Checklists
Ensure compliance with the Sarbanes-Oxley Act and reinforce internal controls
What is a SOX Compliance Checklist?
A SOX compliance checklist is a tool used to evaluate compliance with the Sarbanes-Oxley Act, or SOX, reinforce information technology and security controls, and uphold legal financial practices. Publicly-traded American companies, international companies with U.S. Securities and Exchange Commission-registered debt or equity, and third-party financial services providers to the aforementioned entities should ensure SOX compliance to protect investors, increase transparency in corporate governance, and build public trust.
This article will briefly discuss:
- when and how the Sarbanes-Oxley Act came about;
- the U.S. Securities and Exchange Commission (SEC) final rule related to SOX Section 404;
- the most important SOX sections for regulatory compliance;
- the digital solution to help proactively ensure SOX compliance; and
- free SOX compliance checklists you can download, customize, and use.
The Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act” in the Senate and the “Corporate and Auditing Accountability and Responsibility Act” in the House of Representatives, was named after its sponsors, Sen. Paul Sarbanes (D-Md) and Rep. Michael Oxley (R-Ohio). The U.S. Congress passed SOX due to the accounting scandals at Enron, WorldCom, and Arthur Andersen, among others.
The U.S. SEC enforces SOX to prevent deceptive business conduct such as keeping huge debts off balance sheets, underreporting line costs by capitalizing rather than expensing them, and inflating revenues with fake accounting entries, conduct that eventually leads to millions of dollars in fines and criminal convictions.
The SEC’s final rule exempting more categories of companies from auditor attestation of management’s assessment has been effective since April 27, 2020. The amendments were adopted to reduce compliance burdens for companies, especially for the section that is the most complicated, contested, and expensive to implement: SOX Section 404: Management Assessment of Internal Controls.
Under SOX Section 404, each annual financial report must include an internal control report, stating that the management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Every internal control report should also contain the management’s assessment of the effectiveness of the aforementioned structure and procedures and disclosure of security safeguards, breaches, and failures, attested to, and reported on by registered external auditors.
This change means certain low-revenue companies can file management’s assessment of the effectiveness of internal control over financial reporting, or ICFR, without any independent auditor attestation. The SEC estimated that 539 companies would be exempted, saving compliance costs and possibly encouraging more businesses to go public.
However, investors are also likely to price the loss of the internal controls audit attestation into their equity risk premium, buying stocks at higher discount rates because of the increased risk of potentially weak internal controls. Ultimately, the intent of SOX 404 compliance is summed up by an earlier SEC press release:
“Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.”
All entities subject to SOX should report on ICFR according to Section 404, while under the SEC’s final rule some smaller reporting companies may submit management’s effectiveness assessment of ICFR without external auditor attestation. Private companies preparing for their initial public offering (IPO) should also comply with the Sarbanes-Oxley Act.
Moreover, the U.S. SEC Division of Corporation Finance undertakes some level of review of each reporting company at least once every three years and reviews a significant number of companies more frequently. Since SOX compliance is crucial to keeping your company afloat, here are the other Sarbanes-Oxley sections you should focus on:
- SOX Section 302: Corporate Responsibility for Financial Reports
A company’s Chief Executive Officer, or CEO, and Chief Financial Officer, or CFO, are directly responsible for the accurate documentation and certification of all financial reports submitted to the SEC. Setting up audit committees, compensation committees, and disclosure committees composed of board members, and retaining good legal counsel, can help reinforce internal controls and limit corporate liability.
Since SOX Section 302 is intended to safeguard against faulty financial reporting, make sure the verifiable security controls that prevent data tampering, establish timelines, and track data access are operational, periodically reviewed for effectiveness, and capable of detecting security breaches.
- SOX Section 401: Disclosures in Periodic Reports
All of the company’s financial statements in periodic reports should include all material off-balance sheet liabilities, obligations, or transactions, be audited by a registered public accounting firm, and be published to the public.
- SOX Section 409: Real Time Issuer Disclosures
Any changes in a company’s financial condition or operations should be reported on an almost real-time basis using trend and qualitative information and graphic presentations to protect investors and public interest.
- SOX Section 802: Criminal Penalties for Altering Documents
Penalties of up to 20 years imprisonment await anyone who alters, destroys, mutilates, conceals, covers up, or falsifies any record, document, or tangible object with the intent to influence, obstruct, or impede a legal investigation. Any auditor who fails to maintain review papers for a period of 5 years shall be fined and/or imprisoned for not more than 10 years.
- SOX Section 906: Corporate Responsibility for Financial Reports
All of the company’s financial statements in periodic reports should be certified by the CEO and CFO with a written statement, on top of the one required by Section 302, that they fully comply with the requirements and that information contained in them fairly presents the financial condition and results of the company’s operations.
Making sure that you comply with the Sarbanes-Oxley Act can be challenging as the burden of proving compliance lies on the shoulders of your management. Proactively ensure SOX compliance with an inspection and corrective action solution that can be learned in minutes, so you can easily assess your standing, act upon issues at the onset, and have confidence in your internal controls from the get-go. With iAuditor by SafetyCulture, you can take advantage of the following benefits when you sign up for free today:
- Easily convert paper documents into digital forms with smartscan or customize pre-built industry templates with the drag-and-drop editor
- Use SOX compliance checklists anytime, anywhere, and on any mobile device—even when offline
- Take or attach photo evidence of the effectiveness of internal controls structure and procedures for financial reporting and annotate images for improved visual reference
- Assign actions with a priority level and due date to rectify potential SOX noncompliance immediately
- Auto-generate and secure SOX compliance reports in the cloud and share them with key shareholders with a tap of a finger
Featured SOX Compliance Checklists
SOX Compliance Checklist
A SOX compliance checklist is used by the management team of publicly-traded companies to evaluate their compliance with the Sarbanes-Oxley Act and improve areas where potential noncompliance can occur. Use this checklist as a practical application of Section 404: Management Assessment of Internal Controls because it seems to cause the most difficulties for compliance.
SOX Audit Checklist
A SOX audit checklist is a tool used by internal auditors to verify the implementation of security controls, focusing on Section 302: Corporate Responsibility for Financial Reports and Section 404. Use this checklist to assess the company’s safeguards to prevent data tampering, track data access, and detect security breaches. This checklist also includes appropriate measures for disclosure to SOX auditors.
SOX Risk Assessment Checklist
This SOX risk assessment can be used to assess factors that may put the business at high risk of fraud. Use this checklist to assess the risk of misstatements arising from fraudulent financial reporting, including threats to financial stability or profitability from economic, industry, or entity operating conditions and excessive pressure on management to meet the requirements of third parties, as well as the risk of misappropriation of assets, highlighting any adverse relationships between the entity and employees with access to cash or other assets susceptible to theft that may motivate those employees.
SOX Risk Assessment Template
This SOX risk assessment template can be used by information technology and data security professionals to conduct security risk and vulnerability assessments across internal IT systems. Use this template to determine the source of, or vulnerability to, threats such as hardware or software faults, human error, and intentional insider or outsider action; specify existing controls; and recommend alternative options for reducing risks.