SOX Compliance Checklist

Scoping and Risk Assessment

    The SOX team sets overall materiality and performance materiality used to scope significant accounts. Document the rule of thumb (typically 5% of pre-tax income or 0.5% of revenue) and the qualitative overlays. This number drives every downstream scoping decision — get external auditor alignment before locking it.

    Apply the materiality threshold to the trial balance and identify accounts above the scoping threshold. Include qualitative scoping for revenue, taxes, and judgmental estimates regardless of size. Document the in-scope vs. out-of-scope rationale for each account.

    Tie each significant account to the business processes that feed it (order-to-cash, procure-to-pay, payroll, financial close, treasury) and the financial statement assertions (existence, completeness, accuracy, valuation, cutoff, presentation).

    Identify financially relevant systems (ERP, consolidation tool, EDI, sub-ledgers) and scope ITGCs across access management, change management, and computer operations. Coordinate with IT audit on SOC 1 reports for outsourced systems like the payroll provider.

Control Documentation and Walkthroughs

    Update each in-scope process narrative and risk-control matrix to reflect the current year's system, personnel, and process changes. Stale narratives are the most common PCAOB inspection finding cited against issuers.

    Walk one transaction end-to-end with each control owner. Confirm the control is performed as documented, by whom, with what evidence, and at what frequency. Capture screenshots of system-based controls in the workpaper.

    Review the key control population with the external auditor. Over-keying inflates testing hours; under-keying creates audit findings. Aim for a tight key control set that covers each significant assertion at each significant account.

    Map ERP roles to incompatible duty pairs (vendor master vs. AP payment, journal entry vs. journal approval, system admin vs. financial user). Document any compensating controls where SoD conflicts exist due to thin staffing.
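One way to run the role-to-duty mapping described above as a repeatable check rather than a one-off spreadsheet review. This is an added illustration, not part of the checklist or any ERP vendor's tooling: the role names, user IDs, control reference and sample assignments are all constructed, and the three conflict pairs are the ones named in the item. Conflicts that already have a documented compensating control are reported separately from those that still need remediation.

```python
"""Segregation-of-duties conflict check over an ERP role-to-user mapping.

Added example for the SoD checklist item. All role names, user IDs,
control references and assignments below are constructed sample data.
"""
from collections import defaultdict

# Incompatible duty pairs from the checklist item, expressed as
# hypothetical ERP role names (not taken from any real ERP).
CONFLICT_PAIRS = [
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"),
    ("JOURNAL_ENTRY_CREATE", "JOURNAL_ENTRY_APPROVE"),
    ("SYSTEM_ADMIN", "FINANCIAL_USER"),
]

# Compensating controls already documented for a (user, pair) combination.
# The control reference "CTRL-FC-07" is a constructed placeholder.
COMPENSATING_CONTROLS = {
    ("dpatel", ("JOURNAL_ENTRY_CREATE", "JOURNAL_ENTRY_APPROVE")):
        "Controller reviews all manual JEs monthly (CTRL-FC-07)",
}

# Constructed sample extract of user -> assigned ERP roles.
USER_ROLES = {
    "alee": {"VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"},
    "bkim": {"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"},
    "dpatel": {"JOURNAL_ENTRY_CREATE", "JOURNAL_ENTRY_APPROVE"},
    "svc_erp_admin": {"SYSTEM_ADMIN", "FINANCIAL_USER"},
    "mchen": {"FINANCIAL_USER"},
}


def find_sod_conflicts(user_roles, conflict_pairs):
    """Return {user: [(role_a, role_b), ...]} for each user holding both roles of a pair."""
    conflicts = defaultdict(list)
    for user, roles in user_roles.items():
        for role_a, role_b in conflict_pairs:
            if role_a in roles and role_b in roles:
                conflicts[user].append((role_a, role_b))
    return dict(conflicts)


def classify_conflicts(conflicts, compensating_controls):
    """Split conflicts into covered (compensating control documented) and uncovered."""
    covered, uncovered = [], []
    for user, pairs in conflicts.items():
        for pair in pairs:
            control = compensating_controls.get((user, pair))
            if control:
                covered.append((user, pair, control))
            else:
                uncovered.append((user, pair))
    return covered, uncovered


def build_report(user_roles, conflict_pairs, compensating_controls):
    """Produce one line per conflict, suitable for the SoD workpaper."""
    conflicts = find_sod_conflicts(user_roles, conflict_pairs)
    covered, uncovered = classify_conflicts(conflicts, compensating_controls)
    lines = []
    for user, (role_a, role_b), control in covered:
        lines.append(f"COVERED   {user}: {role_a} + {role_b} -> {control}")
    for user, (role_a, role_b) in uncovered:
        lines.append(f"UNCOVERED {user}: {role_a} + {role_b} -> remove a role or document a compensating control")
    return lines


if __name__ == "__main__":
    for line in build_report(USER_ROLES, CONFLICT_PAIRS, COMPENSATING_CONTROLS):
        print(line)
```

On the sample data, bkim and the svc_erp_admin service account surface as uncovered conflicts, dpatel's journal-entry conflict is reported against its documented compensating control, and alee and mchen produce nothing because neither holds both roles of any pair. Pointing the same check at a real role export each quarter gives the evidence trail the item asks for.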

Control Testing and Deficiency Evaluation

    Pull samples per the AICPA / PCAOB guidance — typically 25 for daily controls, 5 for weekly, 2 for monthly, 1 for quarterly. Document the population, sample selection method, and tester. Re-perform the control rather than just inspecting evidence.

    Capture every test result in the workpaper with cross-references to evidence. Note any exceptions with the specific failure mode — missing approval, late performance, wrong reviewer, evidence not retained.

    For each exception, evaluate severity per AS 2201: control deficiency, significant deficiency, or material weakness. Use both quantitative (potential misstatement vs. materiality) and qualitative factors. Material weaknesses must be disclosed in the 10-K.

    Document the root cause, remediation owner, target date, and validation approach for each deficiency. Coordinate with external auditors so the planned remediation will satisfy them — agreeing on the fix after the fact wastes a cycle.

    After the remediation goes live, allow enough time for an adequate sample population, then re-test. To rely on the remediation for year-end, the operating period typically needs to be at least 60-90 days depending on control frequency.

Audit Committee and External Auditor Coordination

    Verify each audit committee member meets NYSE / Nasdaq independence standards and that at least one member qualifies as an audit committee financial expert per Item 407(d)(5) of Regulation S-K. Re-confirm annually as part of the D&O questionnaire.

    Pre-approve all audit and permitted non-audit services. Pull the latest PCAOB inspection report on the firm and review independence representations under Rule 3526. Document the audit committee's independence assessment.

    Give the external auditor access to the IA / SOX team's workpapers, RCMs, and deficiency log so they can plan reliance on management's work per AS 2605. The earlier they see exceptions, the lower the chance of late-cycle scope expansion.

    Walk the committee through testing status, open deficiencies, remediation progress, and any scope changes. Capture minutes and the executive session with the external auditor without management present.

Disclosure Controls and Certifications

    Distribute sub-certifications to process owners and segment leaders covering disclosure controls, ICFR changes, and any known fraud or misstatement. The CEO/CFO 302 certs cascade up from these.

    Identify any change during the quarter that materially affected, or is reasonably likely to materially affect, ICFR — system implementations, M&A integration, process owner turnover, remediated material weaknesses. Document the assessment supporting the 10-Q Item 4 disclosure.

    Route the Section 302 certifications to the CEO and CFO with the supporting sub-cert package. Confirm wording matches Item 601(b)(31) exactly — non-conforming certifications are a recurring SEC comment letter topic.

    For the Form 10-K only, issue management's annual assessment of ICFR effectiveness as of fiscal year-end. Disclose any material weaknesses and reconcile with the external auditor's 404(b) opinion. Non-accelerated filers are exempt from 404(b) but still owe 404(a).

Fraud Prevention and Whistleblower Program

    Identify fraud risks across the three categories — fraudulent financial reporting, misappropriation of assets, and management override. Document anti-fraud controls including the journal entry review control mandated by AS 2401.

    Code of ethics acknowledgments are required by Section 406. Track completion for the CEO, CFO, controller, principal accounting officer, and anyone performing similar functions. Any waiver granted to a senior officer requires Form 8-K disclosure within four business days.

    The audit committee reviews all hotline submissions per Section 301. Track resolution status and confirm no retaliation. Anonymous accounting and auditing complaints must be channeled directly to the audit committee, not filtered through management.

    Pull updated D&O questionnaires and reconcile against the related-party master list. Each transaction over the Item 404 threshold needs proxy disclosure and audit committee approval per the listing standard.
