A “How-To” Course on the Fundamentals of SOX compliance
Providing a modern foundation for staff, seniors, and managers to perform their SOX work.
First Class starts April 28, 2025

SOX compliance has long followed a predictable cycle: test controls, document results, respond to external auditor requests, and move on.
But despite years of experience, SOX teams still face the same challenges:
Testing controls mechanically — without a deep understanding of why they matter.
Overwhelmed by repetitive tasks that offer little strategic value.
Failing to gather the right evidence—leading to endless external auditor requests.
Struggling to gain buy-in from control owners who see SOX as an "Internal Audit problem."
Frustrated by external auditors who seem to demand more every year, leaving Internal Audit teams scrambling.
Unable to decrease the amount of time spent on SOX compliance—missing out on opportunities for more value-added work.
And now, SOX is becoming even more complex. External auditors expect more precision in control performance and stronger support for control effectiveness, with stricter evidence and competency requirements.
Without evolving strategies—such as evaluating control design, refining test procedures, and strengthening key report governance—SOX teams risk more deficiencies, greater scrutiny, and even less time for value-added work.
Introducing SOX Base Camp
SOX Base Camp is a foundational program on SOX compliance, designed with the evolving needs of modern SOX teams in mind.
This course will help SOX practitioners:
Gain a baseline understanding of the regulatory environment of SOX compliance.
Understand why controls are considered key and non-key.
Appropriately evaluate the design of controls.
Perform and document walkthroughs that help control owners and appease external auditors.
Create control test attributes with more precision.
Improve their approach to dealing with key reports and IPEs.
Improve the use of their controls technology solution.
Decrease time spent on SOX and spend more time on more value-added activities.
What you get:
2025 SOX Basecamp
Practical Training for SOX Professionals Who Want to Lead.
SOX Compliance in 2025
By the end of this session, you will be able to:
Recognize key shifts in SOX compliance and regulatory expectations in 2025.
Understand how modern SOX teams balance efficiency, risk management, and external auditor reliance.
Identify areas where SOX compliance can provide strategic value beyond standard testing.
Description:
SOX compliance is no longer just about checking the box—it’s about adding value while managing evolving expectations from regulators, external auditors, and executive leadership. This session sets the stage for SOX Basecamp, providing a high-level overview of the current SOX compliance landscape, key regulatory updates, and industry trends shaping how leading-edge teams operate today. Topics include:
The state of SOX compliance in 2025 – PCAOB focus areas, SEC regulatory updates, and audit firm inspection trends.
How companies are shifting from reactive compliance to proactive risk management.
Understanding the external auditor’s mindset – What’s driving increased scrutiny in SOX testing?
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — SOX Compliance in 2025
By the end of this session, you will be able to:
Discuss real-world challenges in SOX compliance and how leading teams address them.
Evaluate the impact of recent PCAOB and SEC developments on SOX programs.
Develop an informed perspective on where your SOX program can improve.
Understand key roles and responsibilities under the COSO Framework and the Three Lines of Defense model.
Description:
Building on Session 1, this discussion-based session dives deeper into how organizations are adapting their SOX programs to meet today’s challenges. Participants will engage in roundtable discussions to examine:
The biggest pain points in SOX compliance today – And what leading companies are doing about them.
How external auditors approach SOX testing – Aligning internal efforts for efficiency and reducing friction.
The role of automation in SOX – How technology is shaping risk assessment, testing, and monitoring.
Roles and responsibilities in SOX – What the COSO Framework says about responsibilities and how the Three Lines of Defense model structures risk management.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
The Regulatory Ecosystem of SOX Compliance
By the end of this session, you will be able to:
Understand the key regulatory bodies that influence SOX compliance.
Differentiate between PCAOB, SEC, and company responsibilities under SOX.
Recognize how recent PCAOB enforcement trends impact internal SOX programs.
Identify common areas where SOX teams struggle to align with external auditor expectations.
Description:
Many SOX professionals understand the testing process but lack insight into why they are testing certain controls and how regulatory expectations shape their work. This session provides a foundational understanding of the regulatory ecosystem that governs SOX compliance. Key topics include:
The role of Congress, the SEC, and the PCAOB in SOX compliance.
How PCAOB inspection findings impact external audit firms—and, in turn, internal SOX programs.
How regulatory focus areas influence documentation, scope, and evidence.
Common regulatory misconceptions that lead to inefficiencies in SOX testing.
This session will equip participants with the knowledge to better align their SOX programs with regulatory expectations, reducing friction with external auditors and improving overall compliance efficiency.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — The Regulatory Ecosystem of SOX Compliance
By the end of this session, you will be able to:
Discuss the real-world impact of PCAOB oversight on SOX compliance.
Analyze how recent inspection trends influence external auditor expectations.
Identify opportunities to streamline SOX efforts by better aligning with regulations.
Description:
This session takes a deeper dive into how regulatory oversight translates into day-to-day SOX compliance work. Participants will engage in roundtable discussions, sharing experiences and insights on topics such as:
How PCAOB inspection findings affect control testing and documentation expectations.
How SOX teams can preemptively address external auditor concerns to avoid rework.
The increasing regulatory focus on data-driven control validation and automation.
Strategies for balancing risk-based testing with regulatory compliance requirements.
By the end of the session, participants will have a clearer understanding of how to align their SOX programs with external auditor and regulatory expectations.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Risk Assessment | Key Concepts
By the end of this session, you will be able to:
Understand the fundamental principles of SOX risk assessment and how they impact control design.
Identify the key risks that drive SOX compliance requirements.
Differentiate between entity-level risks, process risks, fraud risks, and control risks.
Recognize common risk assessment mistakes that lead to inefficient and ineffective SOX testing.
Description:
At the core of any effective SOX program is a strong risk assessment process—yet many teams inherit a Risk and Control Matrix (RCM) rather than truly understanding how and why certain risks and controls were included. This session provides a structured approach to understanding:
Why risk assessment matters in SOX compliance.
The difference between inherent risk and control risk.
How to properly classify risks and align them to internal controls.
Common pitfalls in risk assessment—and how to avoid them.
By the end of this session, participants will gain clarity on how risk assessment shapes the SOX program and how to challenge outdated risk assumptions to improve efficiency.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — Risk Assessment | Key Concepts
By the end of this session, you will be able to:
Critically evaluate your organization's SOX risk assessment process.
Identify gaps and inefficiencies in current risk assessment methodologies.
Discuss real-world examples of how risk assessment impacts control effectiveness.
Develop strategies to optimize the risk assessment process for a modern SOX program.
Description:
Building on Session 05, this discussion-based session will allow participants to explore real-world risk assessment challenges and share strategies for improvement. Topics include:
How risk assessment decisions impact control scope and testing procedures.
Elements of a top-down, risk-based approach.
Strategies for updating an outdated RCM to reflect current risks.
How external auditors evaluate risk assessment quality—and what they expect to see.
Participants will leave with actionable insights on how to refine risk assessments, ensuring that their SOX program remains aligned with business risks and regulatory expectations.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Risk Assessment | Process Understanding
By the end of this session, you will be able to:
Understand how risk assessment connects to process documentation and SOX scoping.
Identify key process risks that drive control design and testing.
Differentiate between manual and automated processes and their risk implications.
Recognize when a process or environment change necessitates an update to the SOX risk assessment.
Description:
Risk assessment is not just a one-time exercise—it should evolve as business processes change. However, many SOX professionals lack visibility into how business processes work at a detailed level, leading to control gaps, misaligned testing procedures, and audit inefficiencies. This session will cover:
How to link business processes to SOX controls effectively.
Identifying process-level risks that require SOX controls.
The role of process owners in ensuring accurate risk identification.
Common process breakdowns that lead to control failures.
By the end of this session, participants will better understand the relationship between risk assessment and process documentation, allowing for stronger SOX programs that evolve with the business.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Risk Assessment | Process Understanding
By the end of this session, you will be able to:
Assess the effectiveness of process-level risk assessments in your SOX program.
Identify gaps between process documentation and SOX control design.
Discuss challenges in adapting risk assessments to process changes.
Develop strategies to improve cross-functional collaboration with process owners.
In-Depth — Risk Assessment | Process Understanding
Description:
Building on Session 07, this discussion-based session focuses on real-world applications of process risk assessments. Topics include:
Why many SOX programs fail to keep up with process changes.
The disconnect between process documentation and control testing—and how to fix it.
How process complexity affects control reliance and external auditor testing.
Best practices for engaging process owners in risk assessment.
By the end of this session, participants will gain practical insights into strengthening their SOX risk assessment process, ensuring alignment between business operations and compliance requirements.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Control Design (Includes IPE)
By the end of this session, you will be able to:
Understand the key principles of control design and how controls mitigate risk.
Differentiate between preventive vs. detective controls and when to use each.
Recognize the role of Information Produced by the Entity (IPE) in control effectiveness.
Identify common control design weaknesses that lead to deficiencies.
Description:
A well-designed control is the foundation of effective SOX compliance. However, many controls lack clarity, are difficult to test, or fail to fully mitigate risk. This session focuses on the fundamentals of strong control design, including:
The components of an effective SOX control.
How to design controls that are precise, well-documented, and testable.
The impact of IPE on control reliability.
Why some controls fail in audits and PCAOB inspections.
By the end of this session, participants will understand what makes a control effective, reducing deficiencies and audit challenges.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — Control Design (Includes IPE)
By the end of this session, you will be able to:
Evaluate your organization’s control design for potential weaknesses.
Identify common documentation and precision issues in SOX controls.
Discuss real-world examples of how IPE affects control reliability.
Develop strategies to enhance control design and reduce issues with your external auditor.
Description:
Building on Session 09, this discussion-based session focuses on common challenges in control design and how to improve them. Topics include:
Why external auditors challenge SOX controls—and how to address their concerns.
The role of IPE in control design and why it’s a frequent source of deficiencies.
Evaluating whether controls are designed effectively to mitigate risk.
Case studies of control failures—what went wrong and how to fix it.
Participants will leave with practical strategies for improving SOX control design and documentation, ensuring stronger compliance and audit readiness.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Testing Controls & Evaluating Deficiencies
By the end of this session, you will be able to:
Understand the key phases of control testing and how to document results effectively.
Recognize what constitutes sufficient audit evidence for control effectiveness.
Differentiate between control design deficiencies vs. operating deficiencies.
Apply a structured approach to evaluating control failures and their impact.
Understanding SOC 1 Reports and Third-Party Risks
Description:
Effective control testing is critical to ensuring compliance and reducing audit risk, yet many SOX teams struggle with unclear documentation and inconsistent evaluation of deficiencies. This session will cover:
Types of SOX control testing (walkthroughs, sample-based, full population).
What external auditors expect to see in control testing documentation.
Common mistakes in deficiency evaluation—and how to avoid them.
How to assess whether a deficiency is a significant deficiency or material weakness.
By the end of this session, participants will have a clear framework for executing SOX control testing and evaluating deficiencies, ensuring compliance while reducing unnecessary audit burden.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — Testing Controls & Evaluating Deficiencies
By the end of this session, you will be able to:
Discuss real-world challenges in control testing and evidence collection.
Identify gaps in current testing documentation that could lead to external auditor pushback.
Analyze case studies of control deficiencies to improve evaluation techniques.
Develop strategies to strengthen control testing and reduce audit rework.
Description:
This session builds on Session 11, providing a collaborative discussion on how to improve SOX control testing and deficiency evaluation. Topics include:
How to properly document test results to meet company and external auditor expectations.
Addressing common testing pitfalls, such as insufficient evidence or unclear conclusions.
Interpreting control failures and their potential impact on financial reporting.
Case study analysis—evaluating real-world control deficiencies and how they were resolved.
By the end of this session, participants will gain a deeper understanding of how to execute and document SOX control testing, leading to a more effective and defensible SOX program.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
Optimizing the Use of Your Purpose-Built GRC Application
By the end of this session, you will be able to:
Understand how Governance, Risk, and Compliance (GRC) tools streamline SOX compliance.
Identify key features and functionalities of purpose-built SOX technology.
Learn how to leverage automation to reduce manual compliance work.
Recognize the common challenges of GRC implementation and adoption.
Description:
Many organizations use GRC tools, but few maximize their potential. This session provides a practical guide to optimizing the use of GRC applications to improve SOX efficiency. Topics include:
How GRC platforms can centralize SOX documentation and testing.
Automation opportunities for control testing and deficiency tracking.
Integrating SOX compliance with enterprise risk management (ERM).
Overcoming implementation challenges and getting buy-in from stakeholders.
Participants will learn how to enhance SOX efficiency through technology, reducing administrative burden and improving audit readiness.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — Optimizing the Use of Your Purpose-Built GRC Application
By the end of this session, you will be able to:
Assess your organization’s GRC usage and identify improvement opportunities.
Discuss common challenges in GRC adoption and how to address them.
Share experiences on leveraging automation to enhance SOX efficiency.
Develop strategies for improving collaboration between SOX teams and IT.
Description:
This session builds on Session 13, providing a practical discussion on how to maximize the value of GRC platforms in SOX compliance. Topics include:
What features of GRC applications are underutilized—and how to leverage them.
Common integration challenges between SOX teams and IT departments.
How automation can streamline testing, documentation, and reporting.
Lessons learned from successful (and unsuccessful) GRC implementations.
By the end of this session, participants will have a clearer understanding of how to optimize GRC usage, improving SOX program efficiency and reducing manual workload.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
The Pillars of a Modern Strategic SOX Program
By the end of this session, you will be able to:
Identify the key components of a modern, risk-based SOX program.
Recognize how leading SOX teams shift from compliance-driven to value-driven approaches.
Develop a strategy to align SOX compliance with broader business objectives.
Understand how to measure the effectiveness of a strategic SOX program.
Description:
This session focuses on what sets high-performing SOX teams apart. Instead of simply ensuring compliance, leading SOX teams provide strategic value by integrating SOX with risk management, process improvement, and financial governance. Topics include:
What a modern SOX function looks like—beyond check-the-box compliance.
Aligning SOX compliance with enterprise risk management (ERM).
Metrics for evaluating SOX program effectiveness.
How to communicate the value of SOX compliance to executive leadership.
Participants will leave with actionable insights on evolving their SOX function into a proactive, strategic, and risk-focused program.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
In-Depth — The Pillars of a Modern Strategic SOX Program
By the end of this session, you will be able to:
Evaluate your SOX program’s current maturity level.
Discuss barriers to implementing a strategic SOX approach.
Identify opportunities to elevate SOX compliance from tactical to strategic.
Develop an action plan for transforming SOX into a value-added function.
Description:
Building on Session 15, this discussion will explore how organizations can move beyond compliance-driven SOX programs. Topics include:
How to make SOX more than just a compliance function.
Common roadblocks to strategic SOX transformation—and how to overcome them.
Case studies of SOX teams that successfully evolved their programs.
How to gain executive buy-in for a more strategic SOX approach.
By the end of this session, participants will have a roadmap for elevating their SOX program, turning compliance into a strategic advantage.
CPE Credits: 1 credit
Field of Study: Specialized knowledge
Instructional Method: Group Internet-based
Prerequisites: None
Advanced Preparation: None
About the Course Instructor

Ryan Godbey
Ryan Godbey is a leading authority on SOX 404 and internal controls, bringing over 25 years of audit and advisory experience—including as a former national office Audit Partner at KPMG. He has worked with organizations across a wide range of industries, transforming financial reporting processes, strengthening internal controls, and ensuring compliance in complex regulatory environments.
At KPMG’s national office, Ryan was instrumental in shaping audit methodology, driving regulatory responses, and standardizing audit approaches to enhance quality and efficiency across engagements. His deep understanding of how regulators and external auditors assess SOX compliance enables him to design practical, risk-based control frameworks that not only withstand scrutiny but also improve financial governance and operational performance.
Ryan partners with CFOs, finance teams, and internal audit leaders to build scalable, technology-enabled control systems that drive efficiency and embed compliance into daily operations—rather than treating it as a standalone obligation. His approach is direct, pragmatic, and focused on creating sustainable value beyond compliance.
A trusted voice in governance and financial oversight, Ryan advises boards and audit committees while leading training and thought leadership that empowers organizations to take full ownership of their risk assessment, control design, and monitoring.
Outside of client work, Ryan enjoys playing tennis and spending time with his family.
How the course works:
Access Method:
Granted through the Internal Audit Collective Community under “Upcoming Events.” Participation links will be provided.
Who is this Course For?
If you have never been trained on the fundamentals and best practices of SOX compliance, performing walkthroughs, creating testing attributes, and documenting controls.
If your SOX compliance program methodology is not keeping pace with the increasing expectations and needs of your external auditors.
If your company struggles with control deficiencies, working with control owners, or having a siloed SOX function.
Who is this course not for?
Internal Auditors without SOX responsibilities (Internal Audit Foundations would be more suitable)
Internal Controls Leaders (The SOX Accelerator Program is more suitable for leaders)
Anyone who is not respectful, or who is quickly dismissive of new ideas, practices, or concepts.
Register for SOX Base Camp
SOX Base Camp
8 expert Instructor-led
8 facilitated workshops and peer discussions
Syllabus with all shared presentations and templates
BONUS 12-month access to the Internal Audit Collective Community


Frequently Asked Questions
Who are you? And what is the Internal Audit Collective?
Hi - I’m Tom O’Reilly. I help internal audit and SOX professionals uplevel their programs and careers.
You can read more about my backstory and why I built the Internal Audit Collective here.
Are the CPEs NASBA certified?
We are working towards this.
What if I cannot attend all of the meetings?
You will receive CPE credits for all sessions that you attend.
You will receive a certificate of completion for participating in 80% of the meetings (13 total).
OK - I’m sold. What happens after I pay for the course?
Once you are registered, you will receive a welcome email, which will include the program syllabus with meeting information and materials. You will be asked to choose what breakout sessions you’d like to attend (7 total). You’ll then receive meeting invites.
What do I do if I have any additional questions?
Email me at: Tom@InternalAuditCollective.com - and I’ll get back to you asap.