Sarbanes-Oxley (SOX) Compliance Checklist
Scoping and Risk Assessment
Calculate planning materiality (typically 5% of pre-tax income or 0.5–1% of revenue) and document the rationale. Use the result to identify significant accounts and disclosures using a quantitative + qualitative filter consistent with PCAOB AS 2105 / 2201.
Tie each significant account (revenue, AR, inventory, fixed assets, debt, equity) to its originating process — order-to-cash, procure-to-pay, payroll, financial close. The mapping drives where walkthroughs and key controls live.
Update the COSO 2013-aligned fraud risk register. Common refresh triggers: new revenue stream, M&A activity, ERP migration, segregation-of-duty conflicts surfaced in prior testing, or anomalous management override risk.
Lock the close calendar with controller, FP&A, and external audit. Note SEC filing deadlines (10-Q within 40/45 days, 10-K within 60/75/90 days depending on filer status) and back-schedule certification deliverables from there.
ICFR Design and Documentation
Refresh narratives in AuditBoard / Workiva / Diligent for any process where ownership, system, or controls changed since last cycle. Capture inputs, outputs, IT systems touched, and control points referenced by control ID.
Tag each key control to the relevant COSO 2013 principle and to the financial statement assertion it addresses (existence, completeness, valuation, cutoff, presentation). Gaps where no key control covers a relevant assertion are design deficiencies waiting to be discovered.
Trace one transaction end-to-end through each in-scope process to confirm the documented control actually operates as described. Capture evidence (screenshots, signed approvals, system reports) — auditors will inspect this work directly.
For each key control, capture: owner, frequency (transactional / daily / weekly / monthly / quarterly), preventive vs. detective, manual vs. automated, and the precision threshold for review controls (a manager review with no defined threshold fails AS 2201 precision tests).
IT General Controls Review
List ERP (NetSuite, SAP, Oracle, Workday Financials), consolidation tool (OneStream, Hyperion, BlackLine), reporting layer, and any spreadsheet end-user computing tools that feed the financials. ITGCs are tested against this inventory.
Run access reviews for privileged accounts, terminated users, and SoD conflicts (post-AP / approve-AP, post-JE / approve-JE). Stale terminated-user access in the ERP is one of the most common ITGC findings auditors cite.
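As an added example (not from the checklist or any of the tools it names), a small Python review that flags stale terminated-user access, the named SoD conflict pairs, and privileged roles in a constructed ERP access export; the role names, HR feed, grace period and as-of date are assumptions.

```python
"""Added example: evaluate an ERP access export against an HR termination feed
and a segregation-of-duties conflict matrix. All data below is constructed."""
from datetime import date

# Constructed ERP role export: user -> set of role names (hypothetical names).
ACCESS_EXPORT = {
    "alice": {"AP_POST", "GL_VIEW"},
    "bob":   {"AP_POST", "AP_APPROVE"},            # holds both sides of post-AP / approve-AP
    "carol": {"JE_POST", "JE_APPROVE", "SYSADMIN"},  # JE conflict plus a privileged role
    "dave":  {"GL_VIEW"},
}
# Constructed HR feed: user -> termination date (None means still active).
HR_TERMINATIONS = {"alice": date(2024, 3, 15), "bob": None,
                   "carol": None, "dave": date(2024, 5, 2)}
# Conflict pairs from the checklist: post-AP / approve-AP, post-JE / approve-JE.
SOD_CONFLICTS = [({"AP_POST"}, {"AP_APPROVE"}), ({"JE_POST"}, {"JE_APPROVE"})]
PRIVILEGED_ROLES = {"SYSADMIN"}  # assumed name for an admin-level ERP role


def review_access(export, terminations, as_of, grace_days=1):
    """Return (user, finding) tuples for auditor follow-up. grace_days is an
    assumed allowance for same-day deprovisioning lag."""
    findings = []
    for user, roles in sorted(export.items()):
        term = terminations.get(user)
        if term is not None and (as_of - term).days > grace_days:
            findings.append((user, f"terminated {term.isoformat()} but still holds {sorted(roles)}"))
        for left, right in SOD_CONFLICTS:
            if roles & left and roles & right:
                findings.append((user, f"SoD conflict: {sorted(roles & (left | right))}"))
        for role in sorted(roles & PRIVILEGED_ROLES):
            findings.append((user, f"privileged role {role}: confirm quarterly recertification"))
    return findings


def run_review():
    """Run the review against the constructed data as of an assumed quarter end."""
    return review_access(ACCESS_EXPORT, HR_TERMINATIONS, as_of=date(2024, 6, 30))


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

The output is the exception list an access review would hand back to control owners; each line maps to one attribute (stale access, SoD, privileged access) that the ITGC test would sample.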
Sample production changes from the period and confirm each has a ticket, tested approval, separation between developer and deployer, and post-implementation evidence. Emergency changes need the same trail with retroactive approval documented.
Confirm a backup restoration test occurred during the period and that the incident response plan was tabletop-exercised. Auditors will ask for the test artifacts, not just the policy document.
Control Testing and Deficiency Evaluation
Pull samples per AICPA attribute sampling guidance — typically 25 for daily controls, 5 for monthly, 2 for quarterly. Document the population, selection method, and tester independence from the control owner.
For each exception, capture: which attribute failed, sample identifier, root cause category (design vs. operating, isolated vs. systemic), and management response. Do not pre-conclude on severity here — that classification is the next step.
Apply PCAOB AS 2201 framework: control deficiency, significant deficiency, or material weakness based on likelihood and magnitude of misstatement. Significant deficiencies and material weaknesses must be communicated to the audit committee in writing.
For each exception, document the corrective action, named owner, target completion date, and how the fix will be evidenced. Track in AuditBoard or equivalent so audit committee reporting can show open vs. closed counts.
Pull a fresh sample post-remediation and test the control under the corrected design. A control needs sufficient operating history (typically 2–3 cycles) before it can be relied upon for the period — a one-time pass after remediation does not extinguish a material weakness.
A failed retest typically elevates the deficiency to significant deficiency or material weakness for disclosure purposes. Brief the disclosure committee, legal, and external auditor before the 302 cert is signed — late-breaking material weaknesses surfacing after filing are the worst case.
Certification and Audit Committee Reporting
Pull the period's hotline reports from NAVEX EthicsPoint / Convercent / Syntrio. Tie any financial-reporting-related allegations to investigation status and confirm the audit committee has been informed per its charter (Section 301 requirement).
Distribute the audit committee pre-read 5 business days before the meeting. Cover: scope changes, deficiency dashboard, remediation status, external auditor independence confirmation, and any matters required by the audit committee charter.
Obtain the auditor's annual independence letter under PCAOB Rule 3526 and pre-approve any non-audit services through the audit committee. Tax services and HR-search services are common areas where pre-approval gets missed.
Route the sub-certification package up from process owners to the CEO and CFO. The principal officers must personally attest to ICFR effectiveness and disclose any material weakness in the 10-Q / 10-K. Section 906 criminal certification accompanies the filing.
Include management's assessment of ICFR effectiveness, the framework used (COSO 2013), and identified material weaknesses. For accelerated and large accelerated filers, the auditor's attestation on ICFR is also filed; non-accelerated filers are exempt under Dodd-Frank Section 989G.