SOX Internal Controls Compliance Checklist

SEC management guidance and PCAOB AS 2201 both reference COSO 2013 as the baseline. Document your formal adoption, ensure all five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) are addressed, and confirm COSO 2013 replaces any use of the legacy 1992 framework.

Scope your Section 404 program by identifying accounts with a reasonable possibility of material misstatement. Use quantitative thresholds (typically 5% of pretax income) and qualitative factors (complexity, susceptibility to fraud). Document your scoping rationale — auditors will challenge any significant account excluded without documented justification.

For each significant process (Order-to-Cash, Procure-to-Pay, Close-to-Report, Payroll, etc.), document process narratives or flowcharts. Identify the key controls that address financial statement assertions — existence, completeness, accuracy, cutoff, and classification. This documentation is the foundation for your control testing plan.

ELCs — including tone at the top, code of conduct, whistleblower programs, and board oversight — can have a pervasive effect on other controls. Assess all 17 COSO principles within each of the five components. Deficiencies at the entity level are often classified as material weaknesses due to their broad impact.

ITGCs cover access management (user provisioning/deprovisioning, segregation of duties), change management (program changes, patches, releases), and computer operations (job scheduling, backup and recovery). Automated application controls depend on reliable ITGCs — a ITGC deficiency can elevate the risk of every automated control that relies on the affected system.

No single individual should have the ability to authorize, execute, and record a transaction. Map user access rights in ERP systems (SAP, Oracle, Workday) to identify SOD conflicts. Where conflicts exist due to business necessity, implement and test compensating controls. Document all compensating controls and review them at least quarterly.

PCAOB AS 2315 governs sample sizes for substantive testing; apply the same rigor to control testing. Manual controls operating monthly typically require 2-5 samples; daily controls require 25+ samples. Document your testing approach, attribute tested, population size, sampling method, and deviation rate threshold before testing begins.

Evidence must be obtained during the period covered by the assessment — you cannot recreate or backdate testing. For each control tested, document: the control owner, test date, sample selected, evidence reviewed, exception noted (if any), and tester conclusion. Retain testing workpapers for at least seven years under SOX Section 802.

Deficiencies are classified as: Control Deficiency (a gap exists), Significant Deficiency (more than remote chance of more than inconsequential misstatement), or Material Weakness (reasonable possibility of material misstatement). Misclassifying a material weakness as a significant deficiency triggers SEC enforcement. Document the basis for each classification with reference to quantitative and qualitative factors.

Every identified deficiency must have an owner, a root cause analysis, a remediation plan with milestone dates, and a validation test confirming the control is operating effectively after remediation. Track all open deficiencies in a centralized log reviewed by the Audit Committee at least quarterly. Unresolved significant deficiencies should be escalated before year-end assessment.

Manual journal entries are a primary vehicle for financial fraud. Require supporting documentation for all manual entries, dual authorization for entries above a defined threshold, and automated routing to a reviewer who did not prepare the entry. Review 100% of manual entries to restricted accounts (revenue, top-side entries) regardless of amount.

CEOs and CFOs certify the accuracy of financial statements under Section 302. Protect that certification by requiring sub-certifications from the individuals who actually control the numbers. Sub-certifications should confirm that internal controls are operating effectively in their area and that no material weaknesses or fraud has occurred.

If a key control relies on a report or data extract from a system, you must validate that the report is complete and accurate. This is the "CAVR" requirement (Completeness, Accuracy, Validity, Restricted access). Many SOX deficiencies trace to unvalidated report outputs being used in management review controls.

Any significant business change — a new ERP module, a major acquisition, an outsourced process — can create new risks not covered by existing controls. Perform a risk assessment for every material change and update your controls inventory within 30 days. New controls must be tested before year-end.

Walkthrough procedures confirm that process documentation reflects what actually happens in practice. PCAOB standards require auditors to perform walkthroughs for all significant processes. Engaging early (before year-end) allows you to identify gaps the auditor will test and remediate before the assessment deadline.

The PEFR process covers financial close activities: consolidation, elimination entries, account reconciliations, financial statement preparation, and management review before filing. SOX auditors give this process heightened scrutiny. Document every step, every review control, the reviewer qualifications, and what evidence is retained.

Disclosures are part of ICFR. Controls over debt covenants, lease obligations, commitments and contingencies, and related-party transactions are frequently under-scoped. Map each significant footnote to a disclosure control and include it in your testing plan.

Privileged access to ERP, financial close, and reporting systems must be reviewed at least quarterly against current employee roles. Departed employees must have access revoked within 24 hours of separation. Maintain logs of provisioning, access reviews, and terminations for audit evidence.

Management must document the framework adopted, the scope of the assessment, testing performed, deficiencies identified, and the overall conclusion about ICFR effectiveness. This documentation must be available for auditor review and retained for at least seven years. Inadequate documentation itself constitutes a control deficiency.

Material weaknesses must be disclosed in the annual report (10-K) in Item 9A. Significant deficiencies must be communicated to the Audit Committee in writing. Do not delay disclosure in hopes of remediation — late disclosure after a material weakness has existed triggers additional SEC scrutiny and potential enforcement action.