FREE one month of bookkeeping. Click for the discount code.
Corviniti/Services/SOX & Internal Controls

Services / SOX & Internal Controls

SOX & Internal Controls

The five places SOX programs actually fail: scoping, IT general controls, the reports controls rely on, deficiency evaluation, and remediation timing. Each with the fix.

We build and run a SOX program sized to your actual risks, so a lean team can operate it and your auditors can rely on it.

Or email info@corviniti.com · book a 30-minute call

On this page

SOX failures are rarely about missing controls. They are about programs scoped to the wrong risks, controls that depend on systems and reports nobody validated, and deficiencies evaluated too generously until an auditor evaluates them differently. The mechanics below are where the judgment lives.

We design, document, test, and remediate ICFR for public companies and companies on the way there, sized so a lean finance team can actually operate the program. Each section states the requirement, then the fix.

Issue 01

Scoping: a top-down risk assessment, not a control inventoryRisk Assessment

Over-scoped programs collapse under their own weight; under-scoped programs miss the account where the misstatement lives. Both start the same way: scoping by listing controls instead of by assessing where a material misstatement could actually occur.

The treatment

Scope top-down every year: set materiality, identify significant accounts and disclosures using both quantitative size and qualitative risk (estimation, complexity, fraud susceptibility, change), map them to the processes and locations that generate them, and only then identify the key controls that address each risk of material misstatement, including the entity-level controls that operate above the transaction cycles. Multi-location businesses allocate coverage by where the risk sits, not evenly. The scoping memo is refreshed for the year’s changes, acquisitions (which get their own transition decisions), new systems, new revenue streams, because last year’s scope applied to this year’s business is how programs drift into irrelevance. A right-sized program for most mid-cap filers is dozens of key controls, not hundreds; every control past the risk-mapped set is cost without assurance.

What we do: We run the top-down risk assessment and deliver the scoping memo and right-sized key control set, refreshed each year.

Issue 02

IT general controls: the layer everything else stands onITGC

Every automated control, every system-generated report, and every calculated balance inherits its reliability from IT general controls. When ITGCs fail, access, change management, operations, the failure cascades into every control that touched the system, which is why ITGC findings multiply.

The treatment

Cover the three families over every financially relevant system, including the ones outside the ERP (billing, payroll, equity, consolidation tools): access, provisioning and deprovisioning tied to HR events, periodic user access reviews with evidence of action taken, privileged access restricted and monitored, and segregation-of-duties conflicts identified with mitigations documented; change management, changes authorized, tested, and approved before production, with developer access to production either prevented or monitored; operations, job scheduling, interfaces, and backup monitoring for the processes financial data rides on. SOC 1 reports cover the service-organization side, but only if someone reads them: map the CUECs to your own controls and clear the exceptions. When an ITGC fails, the evaluation extends to every dependent application control and report, so the cheapest control in the program to keep healthy is this layer.

What we do: We document and test access, change, and operations controls across every financially relevant system, and map the SOC 1 CUECs to your controls.

Issue 03

Information produced by the entity: the reports your controls trustIPE / Key Reports

A review control is only as good as the report being reviewed. Auditors now test whether the queries, parameters, and spreadsheets behind key reports are complete and accurate, and IPE has become one of the most common sources of findings in mature programs.

The treatment

Inventory the reports and spreadsheets that key controls rely on, then establish completeness and accuracy for each: for system reports, validate the source, the logic or query, and the parameters, either through a baseline validation plus ITGC reliance for unchanged reports, or through control-owner procedures each time (tie totals to the ledger, verify the parameter set); for end-user spreadsheets, add version control, access restriction, input tie-outs, and formula protection proportional to their role. The control description should say what the owner does to validate the IPE, and the evidence should show it happened, a screenshot of parameters, a tie-out initialed. Programs that treat IPE as part of the control, rather than an audit afterthought, stop donating findings in this category.

What we do: We inventory the key reports and spreadsheets and build the completeness and accuracy procedures into the controls that use them.

Facing a deadline, a deficiency, or a program that is not working? Talk to us before year-end testing starts.

Talk to an Expert
Issue 04

Deficiency evaluation: severity is about could, not didDeficiency → SD → MW

The most contested judgment in SOX: is this exception a deficiency, a significant deficiency, or a material weakness? Teams evaluate what did happen; the framework requires evaluating what could have, and the gap between those two is where auditor disagreements live.

The treatment

Evaluate severity on magnitude and likelihood of potential misstatement, not the actual error found: the exposure is the population the control covers, considering volume, the amounts that could flow through, and whether compensating controls would catch a misstatement at the same precision. A material weakness exists when there is a reasonable possibility a material misstatement would not be prevented or detected timely; a significant deficiency is less severe but merits attention; and the indicators, restatement, fraud by senior management, an auditor-identified material misstatement, weigh heavily toward MW. Then aggregate: individually minor deficiencies clustering in one account, process, or COSO component can combine into something severe. Write the evaluation memo per deficiency with the exposure math shown, and calibrate conclusions with the auditors before year-end, because a Q4 severity dispute is a disclosure event, not a discussion.

What we do: We write the severity evaluation per deficiency with the exposure math shown, and calibrate conclusions with your auditors before year-end.

From our engagements: the fact pattern we see most after reverse mergers and SPAC combinations is a first-year program discovering that exceptions dismissed as one-offs aggregate into a material weakness. The evaluation discipline, exposure math per deficiency, is what keeps that conclusion in management's hands instead of the auditor's.
Issue 05

Remediation timing: when a material weakness actually closesRemediation

Companies announce remediation plans quickly and then discover the hard rule: a material weakness is not remediated when the fix is designed, or even implemented. It closes when the new control has operated effectively long enough to test, and the calendar math surprises boards every year.

The treatment

Work backward from the operating-effectiveness requirement: the redesigned control must operate for a sufficient period to conclude on effectiveness, which for a monthly control means multiple months of instances and for a quarterly control can mean most of a year, so a fix implemented in Q3 frequently cannot support closure that fiscal year. Sequence accordingly: root cause first (a people failure, a design gap, and a missing report each get different fixes), implement early in the year to bank operating instances, retest with evidence, and keep the disclosure honest in the interim: the MW persists in each 10-K and 10-Q until closure, with remediation status described. Management concludes on remediation with its own testing; where 404(b) applies, the auditors reach their own conclusion. The pattern that works is boring: fix early, test twice, disclose plainly.

What we do: We sequence remediation to bank operating instances early, retest with evidence, and keep the disclosure current until closure.

Issue 06

First-year 404: the timeline nobody budgets correctly404(a) / 404(b)

Newly public companies, IPOs, de-SPACs, direct listings, hit the SOX sequence on a schedule set by their filings, not their readiness. The certifications start immediately; the assessments follow; and the build takes longer than the window unless it started before listing.

The treatment

Map the actual sequence to your dates: Section 302 certifications begin with the first periodic report after listing, which means disclosure controls and the sub-certification process must exist in the first quarter, not the first year. Management’s 404(a) assessment is generally first required in the second annual report, using the newly-public-company transition relief for the first one. Auditor attestation under 404(b) depends on filer status, with emerging growth companies exempt for up to five years and smaller reporting companies below the accelerated-filer thresholds exempt as well, a status worth confirming annually rather than assuming. De-SPAC combinations inherit the operating company’s control environment on day one with none of the buildup a traditional IPO forces, which is why the documented-from-scratch timeline of twelve to eighteen months should start at signing. We sequence the build to the filing calendar: certifications-critical controls first, then cycles, then the testing program.

What we do: We map the 302, 404(a), and 404(b) dates to your filings and build the program in that order.

How We Help

What we deliver

On a SOX engagement, you get a program your team can run and your auditors can rely on.

Scoping and risk assessmentThe top-down scoping memo and a right-sized key control set, refreshed annually.
Documentation and testingNarratives, matrices, ITGC and IPE procedures, and the management testing program with workpapers.
Deficiency evaluationsSeverity memos with the exposure math shown, calibrated with your auditors before year-end.
Remediation executionRoot-cause fixes sequenced to bank operating instances, retested with evidence to closure.

When companies bring us in

  • You are newly public, or about to be, and the 302, 404(a), and 404(b) dates are approaching.
  • You received a material weakness or significant deficiency and the remediation clock is running.
  • Your program has grown past what your team can operate and needs right-sizing.
  • Your auditors keep finding IPE and ITGC exceptions.

Talk to an Expert

Our Experience

Where we have done this work

Engagement Notes

First-year programs after non-traditional listings

SOX stand-ups for companies that became registrants through reverse mergers and SPAC combinations, including a streaming media fact pattern: scoping from a top-down risk assessment, certifications-critical controls in quarter one, ITGC and IPE foundations, and a 404(a) assessment delivered on the second annual report timeline.

Engagement Notes

Material weakness remediation with the clock running

Remediation programs where the closure date mattered: root-cause analysis, controls redesigned early in the fiscal year to bank operating instances, management retesting with evidence, and severity evaluations with the exposure math documented, so year-end conclusions were calibrated with the auditors instead of contested.

Contact Us

Contact Us to Learn More

Call: (347) 472-1115
Email: info@corviniti.com

The best way to get started is to complete the form below. Tell us a bit about your business and we will advise on how best to get started.

We will get back to you within 24 hours.

Ro Sokhi, CPA
Ro Sokhi, CPA
Founder · Big Four trained · 20+ years

We will get back to you within 24 hours.

Frequently Asked Questions

When does SOX apply to us?

SOX 302 certifications apply from your first periodic report as a public company. Management’s 404(a) assessment typically begins with your second annual report, and auditor attestation under 404(b) depends on your filer status. Emerging growth companies get relief from 404(b) for up to five years.

How long does SOX readiness take?

Building documentation from scratch takes 12 to 18 months for most companies. Starting earlier means the work happens on your schedule instead of the SEC’s.

We received a material weakness. What now?

Root-cause analysis first, then remediation with evidence. A material weakness closes only when the fixed control has operated effectively for a sufficient period, so speed of diagnosis matters.

Can a small finance team really sustain SOX?

Yes, if the framework is right-sized. Over-scoped programs fail because teams cannot operate them. We scope to what is material and design controls that fit how your team already works.

Do you test controls or just document them?

Both. We design, document, and operate management testing programs, and we coordinate directly with external auditors on their testing.