LinkedIn and the Internal Audit Collective have been full of questions, advice, and ideas about the big challenges facing SOX teams in 2025. This past year gave SOX teams a lot to reflect on. 

Finding, reviewing, and digesting all of these discussions can be overwhelming. 

To make 2025 SOX planning super-simple for SOX teams, this week’s newsletter is a one-stop shop focused on five of the most widely discussed areas: rationalizing controls, improving IPEs, advancing technology, reevaluating SOX roles and responsibilities, and being an effective SOX leader. 

For each, I’ve provided links to ideas and resources that I’ve found helpful.

Obviously this list isn’t exhaustive. But it’s a solid place to start. Every SOX team can benefit from considering if and how their programs need up-leveling in these five areas.

1. Rationalize Controls

Every SOX program has opportunities to reduce their number of key controls. Take time in 2025 to identify controls that should be removed or reclassified as non-key.

The benefits can be significant. 

A more streamlined and impactful SOX program that’s easier to manage. Time and cost savings. Elimination of redundant controls. Reduced burden on control owners. 

A bump for your reputation, helping you be seen as a strategic leader ready to take on even more challenging risk and control challenges. 

These nine questions can help your team transform its approach to rationalizing SOX controls. You can also check out my two-part AuditBoard series on upleveling your SOX program.

2. Improve IPE Controls

Over the past year, many SOX teams have faced unexpected challenges working with information produced by the entity (IPE). If you haven’t experienced these issues yet, you likely will in 2025.

Some teams struggle to manage increasing external auditor demands to prove out key reports’ completeness and accuracy.

Others have a hard time convincing data analysts to provide IPE documentation and support.

Teams’ most persistent problem, however, is convincing control owners to perform IPEs consistently. Instead, they face frustration, resistance, and a lack of awareness about why IPEs matter.

Fortunately, early planning, control owner training, management support, checklists, templates, and documentation changes can make a big impact. 

For specifics, see my posts on why companies struggled with IPEs and improving IPE performance. I also recommend IAC instructor Ryan Godbey’s post on redefining IPEs to change the conversation. 

3. Advance Your Use of Technology

We keep saying, hearing, and reading it: SOX and Internal Audit teams have to get more work done with the same (or fewer) resources. 

It starts with a solid foundation. 

If your SOX team doesn’t already use a purpose-built GRC technology solution, do not pass go. Do not collect $200. Get one in place ASAP — before you focus on implementing AI, analytics, or other advanced technologies.

If you’re already using a GRC solution, great. But the next step is identifying ways to use it better.

You’ve probably heard the stat: 80% of SaaS users use only 20% of available features and functionality. The same is typically true for users of GRC applications.

Most users are missing out on key opportunities. GRC applications can make it easy to improve control owners’ ownership of key responsibilities, perform real-time control testing, streamline workflows, and so much more. This post offers ideas and considerations. 

When your SOX team has invested time in improving how it uses its GRC application, NOW you can pass go. Now you can collect your $200 — in the form of moving your focus to AI, analytics, and other innovation opportunities. For inspiration and how-to, learn how ZoomInfo’s Casey Atwater makes innovation, AI, and analytics core to ZoomInfo’s SOX program.

4. Reevaluate 2nd and 3rd Line Roles/Responsibilities

If we’ve learned anything in the past few years, it’s that SOX is only becoming more resource-intensive in many organizations. 

More deficiencies are cropping up due to changes in the business (e.g., leadership turnover, M&A, tech sprawl). Changes in reporting are receiving increased scrutiny from external auditors. IPE work keeps mounting. At the same time, management is requesting more assurance and advisory work.

Forward-thinking SOX leaders are reevaluating how SOX responsibilities are delegated in their organizations. You may have opportunities to reallocate roles and responsibilities across the second and third lines, delegate controls testing to the first line, or outsource key testing activities. 

Check out these key considerations for reassessing your organization’s SOX roles and responsibilities. 

5. Uplevel Yourself: Are You a SOX Manager or a SOX Leader?

My role brings me into frequent contact with Internal Audit and SOX managers and leaders. We often end up talking about ways to enhance SOX controls.

Interestingly, managers’ and leaders’ questions and concerns tend to run along different tracks. 

Managers often focus on tactical SOX program management and challenges. Leaders, however, tend to focus on SOX and Internal Audit strategies that can impact the entire organization. 

Which one are you? If you’re a manager, how can you become a leader? 

This post shares more manager vs. leader considerations and some worthwhile discussion. 

What Are Your Ideas?

At the risk of sounding like an inspirational slogan on your mother-in-law’s wall, I’ll say it: We are better together. So I hope these ideas start even more conversations between SOX professionals. Please consider sharing your ideas for upleveling 2025 SOX programs on the Internal Audit Collective.

Want more perspective on SOX planning for 2025? Register NOW for our free April 9 webinar. Our amazing panelists will share practical tactics for rationalizing controls, minimizing control deficiencies, and other ways to uplevel your SOX program in 2025. (View all upcoming events and webinars.)

Can’t make the webinar? Join the Internal Audit Collective! All past webinar recordings are available for on-demand viewing for members.