Reducing the Number of SOX Key Controls
Nine questions to help streamline in-scope financial reporting internal controls
When I think about SOX compliance, the first word that comes to mind is "opportunity." Sure, SOX compliance for some can feel like a burdensome, never-ending to-do list of testing controls, repeatedly following up with control owners, and re-teaching external auditors about your internal control environment.
But for SOX leaders willing to lean in and elevate their organization's approach to SOX compliance, there's immense potential to make the program leaner and more impactful.
The biggest opportunity I've seen for SOX programs to improve is reducing their number of key controls. Too many programs are bloated with operational controls, project management controls, and non-material financial reporting controls that shouldn't be in scope for SOX compliance.
Although these controls may play an important role in your organization's risk management efforts, they don't belong in your SOX testing program.
In this article, I'll explore why SOX programs become bloated and share nine questions your SOX team can use to identify controls that should be removed or reclassified as non-key. This approach will help you build expertise that can transform both your SOX program and your SOX career.
Why SOX Programs Get Bloated
Understanding how SOX bloat occurs is the first step in addressing it. One common cause is when Finance or Accounting owns the SOX risk assessment and prefers maintaining the status quo. Their reasoning is simple—since they're not responsible for testing the controls, why disrupt the existing system?
A lack of experience by the SOX Program Manager can also lead to excessive controls. While some SOX leaders excel at control testing, they may lack the expertise to evaluate what's truly key or question existing controls. Since SOX has evolved over time, those who haven't built a program from scratch or navigated the transition from PCAOB's AS2 to AS5 (now AS2201) might miss clear opportunities to streamline their program.
Finally, the main reason for control bloat is often the failure to conduct a complete and formal SOX risk assessment each year. Even when SOX Program leaders have risk assessment expertise, they might skip this crucial step by arguing there were no material changes to the business or control environment in the past year.
Nine Questions to Sharpen Your In-Scope Controls
How can we address this issue? It starts with asking the right questions and committing to act on what we learn. Here are nine questions that have transformed how my teams and I approach rationalizing SOX controls.
1. Have we actually re-performed a comprehensive SOX risk assessment this year?
Rolling over last year’s risk assessment is tempting, but it is almost always a mistake. Business processes evolve, and technology changes in companies constantly, impacting what should be in scope. A thorough risk assessment ensures you’re not wasting time on controls that no longer matter.
2. Can we align our SOX controls with those deemed key by the external auditor?
Your external auditor's perspective offers valuable guidance. If they don't consider a control key, question why you do. For example, you may be testing password controls for a system that's already protected by an identity management solution. Review such controls carefully to determine if they're truly essential for SOX compliance.
3. Are we mistakenly testing operational or non-financial reporting controls?
Consider a month-end close checklist as an example. While it's an excellent project management tool, it shouldn't be part of a SOX compliance program. Your controls should focus specifically on financial reporting.
4. Are we duplicating controls that address the same financial reporting risk?
Duplicate controls silently drain your SOX program’s efficiency, and risk confusing control owners and the external auditors. A purpose-built controls application can identify these redundancies and help streamline your controls count.
5. Can we standardize controls to reduce testing efforts?
Access control management is a prime example. Rather than maintaining separate controls for each in-scope application, implement a single comprehensive control that covers all applications with samples distributed across them. This streamlined approach saves time while maintaining effectiveness.
6. Are entity-level controls documented at the appropriate level?
We sometimes become overly detailed in our documentation. For example, documenting controls at the COSO principle level instead of at each point of focus can streamline your program while maintaining its effectiveness. Discussing this approach with your external auditor can also surface opportunities to reduce entity-level controls.
7. Can we reduce the number of in-scope applications tested for SOX compliance?
Not every application requires the same rigorous level of documentation and formal testing. Establish a formal methodology to identify which applications truly impact financial reporting and remove those that don't.
8. Can we replace multiple manual downstream controls with a single automated upstream control?
Automation does more than save time—it improves accuracy and reduces risk. Look for opportunities to consolidate controls by implementing automated solutions at the source. For instance, could you replace multiple manual change monitoring controls with automated log management or SIEM monitoring?
9. Can we reassess our external auditor reliance strategy?
We often test controls just to satisfy external auditors, even when management doesn't consider them key. If the testing isn't used for reliance and management sees no organizational benefit, why continue testing it? Reassess your reliance strategy and concentrate on what's truly essential.
The Big Picture
SOX compliance doesn't need to be a burden. By asking the right questions and conducting a thorough review of your program, you can streamline your efforts, focus on what matters most, and deliver greater value to your organization.
For SOX leaders, the ability to rationalize controls serves as a powerful tool—it helps reduce costs, lessens the burden on control owners, and simplifies program management. This capability also enhances your reputation as a leader prepared to tackle more sophisticated risk and control challenges.
For those looking for a deeper level of understanding and instruction on both rationalizing SOX controls and running a modern, contemporary SOX program, consider registering for the next SOX Accelerator Program, starting in March 2025.
Our first cohort just kicked off last week, and we have 75 rising and current SOX program leaders as part of the course.
The Accelerator is a 16-week, cohort-based program that helps current and future SOX leaders elevate their SOX programs and careers through expert-led presentations, peer group discussions, and ongoing community support.
If you’re ready to take your SOX program to the next level, this could be your opportunity to make it happen.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed community to gain perspectives, share templates, expand your network, and keep a pulse on what's happening in Internal Audit and SOX compliance.