On this page
SOX failures are rarely about missing controls. They are about programs scoped to the wrong risks, controls that depend on systems and reports nobody validated, and deficiencies evaluated too generously until an auditor evaluates them differently. The mechanics below are where the judgment lives.
We design, document, test, and remediate ICFR for public companies and companies on the way there, sized so a lean finance team can actually operate the program. Each section states the requirement, then the fix.
Issue 01
Scoping: a top-down risk assessment, not a control inventoryRisk Assessment
Over-scoped programs collapse under their own weight; under-scoped programs miss the account where the misstatement lives. Both start the same way: scoping by listing controls instead of by assessing where a material misstatement could actually occur.
The treatmentScope top-down every year: set materiality, identify significant accounts and disclosures using both quantitative size and qualitative risk (estimation, complexity, fraud susceptibility, change), map them to the processes and locations that generate them, and only then identify the key controls that address each risk of material misstatement, including the entity-level controls that operate above the transaction cycles. Multi-location businesses allocate coverage by where the risk sits, not evenly. The scoping memo is refreshed for the year’s changes, acquisitions (which get their own transition decisions), new systems, new revenue streams, because last year’s scope applied to this year’s business is how programs drift into irrelevance. A right-sized program for most mid-cap filers is dozens of key controls, not hundreds; every control past the risk-mapped set is cost without assurance.
What we do: We run the top-down risk assessment and deliver the scoping memo and right-sized key control set, refreshed each year.
Issue 02
IT general controls: the layer everything else stands onITGC
Every automated control, every system-generated report, and every calculated balance inherits its reliability from IT general controls. When ITGCs fail, access, change management, operations, the failure cascades into every control that touched the system, which is why ITGC findings multiply.
The treatmentCover the three families over every financially relevant system, including the ones outside the ERP (billing, payroll, equity, consolidation tools): access, provisioning and deprovisioning tied to HR events, periodic user access reviews with evidence of action taken, privileged access restricted and monitored, and segregation-of-duties conflicts identified with mitigations documented; change management, changes authorized, tested, and approved before production, with developer access to production either prevented or monitored; operations, job scheduling, interfaces, and backup monitoring for the processes financial data rides on. SOC 1 reports cover the service-organization side, but only if someone reads them: map the CUECs to your own controls and clear the exceptions. When an ITGC fails, the evaluation extends to every dependent application control and report, so the cheapest control in the program to keep healthy is this layer.
What we do: We document and test access, change, and operations controls across every financially relevant system, and map the SOC 1 CUECs to your controls.
Issue 03
Information produced by the entity: the reports your controls trustIPE / Key Reports
A review control is only as good as the report being reviewed. Auditors now test whether the queries, parameters, and spreadsheets behind key reports are complete and accurate, and IPE has become one of the most common sources of findings in mature programs.
The treatmentInventory the reports and spreadsheets that key controls rely on, then establish completeness and accuracy for each: for system reports, validate the source, the logic or query, and the parameters, either through a baseline validation plus ITGC reliance for unchanged reports, or through control-owner procedures each time (tie totals to the ledger, verify the parameter set); for end-user spreadsheets, add version control, access restriction, input tie-outs, and formula protection proportional to their role. The control description should say what the owner does to validate the IPE, and the evidence should show it happened, a screenshot of parameters, a tie-out initialed. Programs that treat IPE as part of the control, rather than an audit afterthought, stop donating findings in this category.
What we do: We inventory the key reports and spreadsheets and build the completeness and accuracy procedures into the controls that use them.
Facing a deadline, a deficiency, or a program that is not working? Talk to us before year-end testing starts.
Talk to an Expert
Issue 04
Deficiency evaluation: severity is about could, not didDeficiency → SD → MW
The most contested judgment in SOX: is this exception a deficiency, a significant deficiency, or a material weakness? Teams evaluate what did happen; the framework requires evaluating what could have, and the gap between those two is where auditor disagreements live.
The treatmentEvaluate severity on magnitude and likelihood of potential misstatement, not the actual error found: the exposure is the population the control covers, considering volume, the amounts that could flow through, and whether compensating controls would catch a misstatement at the same precision. A material weakness exists when there is a reasonable possibility a material misstatement would not be prevented or detected timely; a significant deficiency is less severe but merits attention; and the indicators, restatement, fraud by senior management, an auditor-identified material misstatement, weigh heavily toward MW. Then aggregate: individually minor deficiencies clustering in one account, process, or COSO component can combine into something severe. Write the evaluation memo per deficiency with the exposure math shown, and calibrate conclusions with the auditors before year-end, because a Q4 severity dispute is a disclosure event, not a discussion.
What we do: We write the severity evaluation per deficiency with the exposure math shown, and calibrate conclusions with your auditors before year-end.
From our engagements: the fact pattern we see most after reverse mergers and SPAC combinations is a first-year program discovering that exceptions dismissed as one-offs aggregate into a material weakness. The evaluation discipline, exposure math per deficiency, is what keeps that conclusion in management's hands instead of the auditor's.
Issue 05
Remediation timing: when a material weakness actually closesRemediation
Companies announce remediation plans quickly and then discover the hard rule: a material weakness is not remediated when the fix is designed, or even implemented. It closes when the new control has operated effectively long enough to test, and the calendar math surprises boards every year.
The treatmentWork backward from the operating-effectiveness requirement: the redesigned control must operate for a sufficient period to conclude on effectiveness, which for a monthly control means multiple months of instances and for a quarterly control can mean most of a year, so a fix implemented in Q3 frequently cannot support closure that fiscal year. Sequence accordingly: root cause first (a people failure, a design gap, and a missing report each get different fixes), implement early in the year to bank operating instances, retest with evidence, and keep the disclosure honest in the interim: the MW persists in each 10-K and 10-Q until closure, with remediation status described. Management concludes on remediation with its own testing; where 404(b) applies, the auditors reach their own conclusion. The pattern that works is boring: fix early, test twice, disclose plainly.
What we do: We sequence remediation to bank operating instances early, retest with evidence, and keep the disclosure current until closure.
Issue 06
First-year 404: the timeline nobody budgets correctly404(a) / 404(b)
Newly public companies, IPOs, de-SPACs, direct listings, hit the SOX sequence on a schedule set by their filings, not their readiness. The certifications start immediately; the assessments follow; and the build takes longer than the window unless it started before listing.
The treatmentMap the actual sequence to your dates: Section 302 certifications begin with the first periodic report after listing, which means disclosure controls and the sub-certification process must exist in the first quarter, not the first year. Management’s 404(a) assessment is generally first required in the second annual report, using the newly-public-company transition relief for the first one. Auditor attestation under 404(b) depends on filer status, with emerging growth companies exempt for up to five years and smaller reporting companies below the accelerated-filer thresholds exempt as well, a status worth confirming annually rather than assuming. De-SPAC combinations inherit the operating company’s control environment on day one with none of the buildup a traditional IPO forces, which is why the documented-from-scratch timeline of twelve to eighteen months should start at signing. We sequence the build to the filing calendar: certifications-critical controls first, then cycles, then the testing program.
What we do: We map the 302, 404(a), and 404(b) dates to your filings and build the program in that order.