Practice area
SOX compliance.
Scoping, walkthroughs, and remediation for first-time and seasoned filers. A program that passes external audit without bloating cycle over cycle.
SOX done the way the PCAOB actually reads it.
First-time filers scope SOX too narrowly. The PCAOB has noticed.
Section 404(a) is a management assertion. Section 404(b) is the auditor's opinion on that assertion. The gap between the two is where most SOX programs go wrong — usually because the scoping was done in a vacuum, the IPE inventory was an afterthought, and the controls that matter to the auditor were not the ones the institution invested in testing.
We have run SOX programs for first-time S-1 filers, seasoned accelerated filers, and institutions emerging from material weakness remediation. The work is the same shape — scoping, walkthroughs, design and operating effectiveness testing, deficiency aggregation, reporting — but the calibration is different in each case.
The discipline is in what you leave out. A good SOX program does not test every control; it tests the ones that, if they failed, would matter. Our scoping starts with the financial statement assertions and works backward to the controls. Less work, more coverage, fewer surprises in October.
The work in this practice, named.
- Scoping — Materiality, account/disclosure analysis, process mapping, control identification calibrated to the audit firm's approach.
- Walkthroughs — One full transaction per significant process; flowcharts updated; IPE inventoried and validated.
- Design & operating effectiveness — Test plans, sample sizes that match the auditor's expectations, exception evaluation, remediation cycles.
- IT general controls — ITGCs across change, access, operations; tied explicitly to the application controls they support.
- Deficiency aggregation — Deficiencies, significant deficiencies, material weaknesses — and the math that distinguishes them.
- Quarterly & year-end reporting — Disclosure controls (302), ICFR conclusion (404), and the conversations with the audit committee around each.
A first SOX year, from scoping to first filing.
| Phase | Timing | Deliverable |
|---|---|---|
| Scoping | Month 1 | Materiality set, processes mapped, controls inventoried, IPE catalogued. |
| Design testing | Months 2–4 | Walkthroughs, design assessment, gaps identified, remediation plans drafted. |
| Operating testing | Months 5–9 | Sample-based testing across the year; exceptions tracked, evaluated, communicated. |
| Reporting | Months 10–12 | Deficiency aggregation, ICFR conclusion, audit committee briefing, 10-K disclosures. |