A “How-To” Course on the Fundamentals of SOX compliance

Providing a modern foundation for staff, seniors, and managers to perform their SOX work.

Sarah had been in SOX compliance for five years. She knew the routine well — follow the Risk and Control Matrix (RCM), test the assigned controls, document the results, appease External Auditor requests, and move on.

But year after year, nothing changed.

  1. The external auditor still retested everything.

  2. The requests for more documentation never stopped.

  3. The why behind the controls? She was never really taught that.

  4. The walkthroughs? They felt more like a formality than an actual test of process competency.

  5. Spending more time on risk-based audit or management work? Unfortunately, not a chance this year.

Like many SOX practitioners today, Sarah had built her skills on repetition—not on true understanding.

The reality is, most SOX professionals never received proper training.

  1. They started their careers after Auditing Standard 5 was released—when SOX had already been standardized, but the foundational principles were never formally passed down.

  2. They were handed an RCM and told to test, without ever learning why these specific controls were in scope, how they mitigated risk, or how to truly evaluate their effectiveness.

  3. They weren’t trained on how to support their testing in a way that external auditors would trust.

  4. And they certainly weren’t taught how to perform a walkthrough that not only validated control effectiveness, but also showcased the control owner's competency and built trust with external auditors.

SOX compliance has long followed a predictable cycle: test controls, document results, respond to external auditor requests, and move on.

But despite years of experience, SOX teams still face the same challenges:

Testing controls mechanically — without a deep understanding of why they matter.

Overwhelmed by repetitive tasks that offered little strategic value.

Failing to gather the right evidence—leading to endless external auditor requests.

Struggling to gain buy-in from control owners who saw SOX as an "Internal Audit problem."

Frustrated by external auditors who seemed to demand more every year, leaving Internal Audit teams scrambling.

Inability to decrease the amount of time on SOX Compliance—missing out on opportunities for more value-added work.

And now, SOX is becoming even more complex. External auditors expect more precision in control performance, stronger support for control effectiveness, and stricter evidence and competency requirements.

Without evolving strategies—such as evaluating control design, refining test procedures, and strengthening key report governance—SOX teams risk more deficiencies, greater scrutiny, and even less time for value-added work.

Introducing SOX Base Camp

SOX Base Camp is a foundational program on SOX compliance, designed with the evolving needs of modern SOX teams in mind.

This course will help SOX practitioners:

  1. Gain a baseline understanding of the regulatory environment of SOX compliance.

  2. Understand why controls are considered key and non-key.

  3. Appropriately evaluate the design of controls.

  4. Perform and document walkthroughs that help control owners and appease external auditors.

  5. Create control test attributes with more precision.

  6. Improve their approach to dealing with key reports and IPEs.

  7. Improve the use of their controls technology solution.

  8. Decrease time spent on SOX and spend more time on more value-added activities.

What you get:

  1. 8 instructor-led presentations on the foundational aspects and “how-to” of SOX compliance.

  2. 8 “in-depth” workshop sessions and peer discussions.

  3. One Year’s Membership to the Internal Audit Collective community, where you can network and collaborate with over 300 peers on all topics related to internal audit, SOX, and data analytics.

  4. 16 CPE credits.

2025 SOX Base Camp

Practical Training for SOX Professionals Who Want to Lead.

Day 01

SOX Compliance in 2025

By the end of this session, you will be able to:

Recognize key shifts in SOX compliance and regulatory expectations in 2025.

Understand how modern SOX teams balance efficiency, risk management, and external auditor reliance.

Identify areas where SOX compliance can provide strategic value beyond standard testing.

Day 02

In-Depth — SOX Compliance in 2025

By the end of this session, you will be able to:

Discuss real-world challenges in SOX compliance and how leading teams address them.

Evaluate the impact of recent PCAOB and SEC developments on SOX programs.

Develop an informed perspective on where your SOX program can improve.

Understand key roles and responsibilities under the COSO Framework and the Three Lines of Defense model.

Day 03

The Regulatory Ecosystem of SOX Compliance

By the end of this session, you will be able to:

Understand the key regulatory bodies that influence SOX compliance.

Differentiate between PCAOB, SEC, and company responsibilities under SOX.

Recognize how recent PCAOB enforcement trends impact internal SOX programs.

Identify common areas where SOX teams struggle to align with external auditor expectations.

Day 04

In-Depth — The Regulatory Ecosystem of SOX Compliance

By the end of this session, you will be able to:

Discuss the real-world impact of PCAOB oversight on SOX compliance.

Analyze how recent inspection trends influence external auditor expectations.

Identify opportunities to streamline SOX efforts by better aligning with regulations.

Day 05

Risk Assessment | Key Concepts

By the end of this session, you will be able to:

Understand the fundamental principles of SOX risk assessment and how they impact control design.

Identify the key risks that drive SOX compliance requirements.

Differentiate between entity-level risks, process risks, fraud risks, and control risks.

Recognize common risk assessment mistakes that lead to inefficient and ineffective SOX testing.

Day 06

In-Depth — Risk Assessment | Key Concepts

By the end of this session, you will be able to:

Critically evaluate your organization's SOX risk assessment process.

Identify gaps and inefficiencies in current risk assessment methodologies.

Discuss real-world examples of how risk assessment impacts control effectiveness.

Develop strategies to optimize the risk assessment process for a modern SOX program.

Day 07

Risk Assessment | Process Understanding

By the end of this session, you will be able to:

Understand how risk assessment connects to process documentation and SOX scoping.

Identify key process risks that drive control design and testing.

Differentiate between manual and automated processes and their risk implications.

Recognize when a process or environment change necessitates an update to the SOX risk assessment.

Day 08

In-Depth — Risk Assessment | Process Understanding

By the end of this session, you will be able to:

Assess the effectiveness of process-level risk assessments in your SOX program.

Identify gaps between process documentation and SOX control design.

Discuss challenges in adapting risk assessments to process changes.

Develop strategies to improve cross-functional collaboration with process owners.

Day 09

Control Design (Includes IPE)

By the end of this session, you will be able to:

Understand the key principles of control design and how controls mitigate risk.

Differentiate between preventive vs. detective controls and when to use each.

Recognize the role of Information Produced by the Entity (IPE) in control effectiveness.

Identify common control design weaknesses that lead to deficiencies.

Day 10

In-Depth — Control Design (Includes IPE)

By the end of this session, you will be able to:

Evaluate your organization’s control design for potential weaknesses.

Identify common documentation and precision issues in SOX controls.

Discuss real-world examples of how IPE affects control reliability.

Develop strategies to enhance control design and reduce issues with your external auditor.

Day 11

Testing Controls & Evaluating Deficiencies

By the end of this session, you will be able to:

Understand the key phases of control testing and how to document results effectively.

Recognize what constitutes sufficient audit evidence for control effectiveness.

Differentiate between control design deficiencies vs. operating deficiencies.

Apply a structured approach to evaluating control failures and their impact.

Day 12

In-Depth — Testing Controls & Evaluating Deficiencies

By the end of this session, you will be able to:

Discuss real-world challenges in control testing and evidence collection.

Identify gaps in current testing documentation that could lead to external auditor pushback.

Analyze case studies of control deficiencies to improve evaluation techniques.

Develop strategies to strengthen control testing and reduce audit rework.

Day 13

Optimizing the Use of Your Purpose-Built GRC Application

By the end of this session, you will be able to:

Understand how Governance, Risk, and Compliance (GRC) tools streamline SOX compliance.

Identify key features and functionalities of purpose-built SOX technology.

Learn how to leverage automation to reduce manual compliance work.

Recognize the common challenges of GRC implementation and adoption.

Day 14

In-Depth — Optimizing the Use of Your Purpose-Built GRC Application

By the end of this session, you will be able to:

Assess your organization’s GRC usage and identify improvement opportunities.

Discuss common challenges in GRC adoption and how to address them.

Share experiences on leveraging automation to enhance SOX efficiency.

Develop strategies for improving collaboration between SOX teams and IT.

Day 15

The Pillars of a Modern Strategic SOX Program

By the end of this session, you will be able to:

Identify the key components of a modern, risk-based SOX program.

Recognize how leading SOX teams shift from compliance-driven to value-driven approaches.

Develop a strategy to align SOX compliance with broader business objectives.

Understand how to measure the effectiveness of a strategic SOX program.

Day 16

In-Depth — The Pillars of a Modern Strategic SOX Program

By the end of this session, you will be able to:

Evaluate your SOX program’s current maturity level.

Discuss barriers to implementing a strategic SOX approach.

Identify opportunities to elevate SOX compliance from tactical to strategic.

Develop an action plan for transforming SOX into a value-added function.


About the Course Instructor

Ryan Godbey

Ryan Godbey is a leading authority on SOX 404 and internal controls, bringing over 25 years of audit and advisory experience—including as a former national office Audit Partner at KPMG. He has worked with organizations across a wide range of industries, transforming financial reporting processes, strengthening internal controls, and ensuring compliance in complex regulatory environments.

At KPMG’s national office, Ryan was instrumental in shaping audit methodology, driving regulatory responses, and standardizing audit approaches to enhance quality and efficiency across engagements. His deep understanding of how regulators and external auditors assess SOX compliance enables him to design practical, risk-based control frameworks that not only withstand scrutiny but also improve financial governance and operational performance.

Ryan partners with CFOs, finance teams, and internal audit leaders to build scalable, technology-enabled control systems that drive efficiency and embed compliance into daily operations—rather than treating it as a standalone obligation. His approach is direct, pragmatic, and focused on creating sustainable value beyond compliance.

A trusted voice in governance and financial oversight, Ryan advises boards and audit committees while leading training and thought leadership that empowers organizations to take full ownership of their risk assessment, control design, and monitoring.

Outside of client work, Ryan enjoys playing tennis and spending time with his family.

How the course works:

16-hour course
1-hour per day (Monday to Thursday)
4 weeks

Access Method:
Granted through the Internal Audit Collective Community under “Upcoming Events”. Participation links will be provided.

Who is this Course For?

  1. If you have never been trained on the fundamentals and best practices of SOX compliance, performing walkthroughs, creating testing attributes, and documenting controls.

  2. If your SOX compliance program methodology is not keeping pace with the increasing expectations and needs of your external auditors.

  3. If your company struggles with control deficiencies, working with control owners, or having a siloed SOX function.

Who is this course not for?

  1. Internal Auditors without SOX responsibilities (Internal Audit Foundations would be more suitable).

  2. Internal Controls Leaders (The SOX Accelerator Program is more suitable for leaders).

  3. You are not respectful, or are quickly dismissive of new ideas, practices, or concepts.

Our Testimonials

I've attended Tom’s roundtables throughout the year, and I've been consistently impressed by his ability to find relevant and credible leaders to share their experiences and best practices. He also does a great job of highlighting how these best practices can be implemented in real-world scenarios. I would highly recommend the SOX Accelerator to any current or future SOX leader who is looking to expedite their knowledge and use of SOX strategies and tactics used by the best modern Internal Audit and Controls leaders.

Since 2014, Tom has established a reputation for bringing together credible internal audit and internal control leaders to share best practices, lessons learned, and their vision for Internal Audit's value. As a connector of leaders, Tom's programs accelerate industry-wide best practice execution. While most industry events fall short of action, Tom's drive and vision for actionable outcomes result in guidance and content that represent both industry standards and strategies set forth by the modern leaders he connects.

Based on our shared history and Tom's forward-looking focus, I recommend The SOX Accelerator program to anyone seeking to reduce time spent on SOX compliance. This program ultimately supports the expansion of internal audit's value-added initiatives, helping deliver results that meet or exceed Executive Management and Audit Committee expectations. As an added bonus, it's a great way to make new friends along the journey.

Chris Patrick
Director, ERM

As someone who leads our organization's ERM and SOX Compliance programs, I can confidently say that there are few in our industry who have as good of a pulse on ‘what good looks like’ in SOX compliance as Tom. The SOX Accelerator program is poised for success because it brings together diverse, front-line perspectives from SOX practitioners and leaders in our field. This collective expertise makes it an invaluable resource for anyone looking to heighten their SOX compliance efforts.

When I participated in Tom's Rising Audit Leader forum, I particularly valued two aspects: hearing perspectives from other audit leaders facing similar challenges, and learning strategies to enhance conversations with senior executives. The upcoming SOX Accelerator Program promises to be equally valuable, offering participants the chance to learn from their peers while balancing technical SOX strategies with the soft skills crucial for leading a successful SOX program.

Tom has been an invaluable sounding board as I improve my approach to SOX compliance. His connections with other SOX leaders lend credibility to his strategies and opinions. Drawing from extensive experience with various SOX programs, Tom provides practical recommendations and deep knowledge of SOX processes and technology, which has significantly enhanced our own SOX process. The SOX Accelerator Program will benefit those aiming to elevate their SOX programs by offering perspectives, best practices, and insights from leading SOX experts.

I have attended a number of Tom’s SOX and Internal Audit roundtables and I can attest they will help anyone broaden their network, understand Internal Audit best practices used by their peers, and provide the building blocks to create and manage a contemporary SOX Program. I would recommend The SOX Accelerator program to anyone with any of these goals.

Tom's deep understanding of Internal Audit and his practical approach to SOX Compliance will help all who participate in The SOX Accelerator Program. I recommend his course because I know it will include actual best practices actively being used by SOX leaders, and easy to put into action. No textbook or theoretical lessons, and no fluff.

I’ve participated in training events organized by Tom. I always leave with better perspectives on the topics discussed, what actions I should take to improve, and perhaps most importantly, knowledge of areas where my peers have struggled so I can prevent my team from making the same mistakes. Tom is a great person to have in your network, and I would recommend any events and programs hosted by him.

Register for SOX Base Camp

Secure your spot in our upcoming cohort.

SOX Base Camp

$1,495
$1,295
Early Bird till March 15th

8 expert Instructor-led

8 facilitated workshops and peer discussions

Syllabus with all shared presentations and templates

BONUS 12 month access to the Internal Audit Collective Community

Frequently Asked Questions

Who is this course for?

  1. If you have never been trained on the fundamentals and best practices of SOX compliance, performing walkthroughs, creating testing attributes, and documenting controls.

  2. If your SOX compliance program methodology is not keeping pace with the increasing expectations and needs of your external auditors.

  3. If your company struggles with control deficiencies, working with control owners, or having a siloed SOX function.

Who are you? And what is the Internal Audit Collective?

Hi - I’m Tom O’Reilly. I help internal audit and SOX professionals uplevel their programs and careers.

You can read more about my backstory and why I built the Internal Audit Collective here.

Are the CPEs NASBA certified?

We are working towards this.

What if I cannot attend all of the meetings?

You will receive CPE credits for all sessions that you attend.

You will receive a certificate of completion for participating in 80% of the meetings (13 total).

OK - I’m sold. What happens after I pay for the course?

Once you are registered, you will receive a welcome email, which will include the program syllabus with meeting information and materials. You will be asked to choose what breakout sessions you’d like to attend (7 total). You’ll then receive meeting invites.

What do I do if I have any additional questions?

Email me at: Tom@InternalAuditCollective.com - and I’ll get back to you asap.

Step beyond routine SOX compliance—become the SOX expert your leader and organization need.