Regulation Best Practice

The Effect of SOX on Internal Control, Risk Management, and Corporate Governance Best Practice

by David A. Doney

Executive Summary

  • The effect of the Sarbanes–Oxley Act of 2002 (SOX) has been dramatic and global. SOX enhanced the regulatory framework for investor protection and confidence.

  • SOX has required or encouraged a variety of best practices related to management accountability, auditor independence, audit committees, internal control reporting, risk management, and improvement of financial processes.

  • One of the important contributions of the regulatory guidance is the “top-down risk-based assessment,” a robust framework for identifying and assessing financial reporting risks.

  • Compliance approaches, benefits, and costs continue to evolve as practice and regulatory guidance change.



The Sarbanes–Oxley Act of 2002 was passed in the context of a series of high-profile corporate scandals, a brief recession, and the events of 9/11. These factors were cited by President George W. Bush as a threat to investor confidence and the US economy overall. He also declared: “This law says to every dishonest corporate leader: you will be exposed and punished; the era of low standards and false profits is over; no boardroom in America is above or beyond the law.”[1]

US Senator Paul Sarbanes stated that during the development of the law, a series of Senate hearings with experts from business, government, and academia resulted in a “remarkable consensus on the nature of the problems.”[2] These included inadequate oversight of the accounting profession, conflicts of interest involving auditors and stock analysts, weak corporate governance procedures, inadequate disclosure rules, and insufficient funding for the Securities and Exchange Commission (SEC).

The SOX law, corresponding guidance from regulators, and evolving approaches to implementation have resulted in a variety of internal control, risk management, and corporate governance best practices.


Hold Management Accountable

The law requires that the CEO and CFO sign certifications quarterly and annually attesting that they have reviewed the financial statements and (to their knowledge) believe them to be fair, accurate, and complete. Penalties for fraudulent certification are severe. This requirement has encouraged such best practices as:

  • Disclosure committees: A cross-functional group of top-level managers that meets to discuss pending public disclosures, including quarterly and annual financial reporting.

  • Representation letters: To support the certification by the CEO and CFO and ensure that material information is made known to them, a variety of senior finance and operations managers sign representation letters regarding financial reporting matters relevant to their areas of responsibility.

  • Improvement of finance organization: Many companies expanded the number and quality of financial personnel, particularly with respect to US Generally Accepted Accounting Principles and SEC reporting requirements.


Maintain Auditor Independence

Auditors are the primary watchdogs of the corporation. Prior to SOX, auditors performed significant consulting work for publicly traded companies (“issuers”) that they audited. Further, auditors often moved into senior financial management positions in the client company. These factors created at least a perceived conflict of interest.

SOX prohibits auditors from providing many types of consulting services to issuers they audit.

The law also imposes a one-year “cooling-off” period: an audit firm may not audit an issuer whose CEO, CFO, controller, or equivalent senior financial officer was employed by that firm and took part in the issuer’s audit during the preceding year.


Empower the Regulators

Prior to SOX, the audit industry was self-regulated. SOX established the Public Company Accounting Oversight Board (PCAOB), a nonprofit, nongovernmental entity overseen by the SEC, to regulate the firms that audit issuers. The PCAOB sets auditing standards, inspects registered audit firms, and publicly discloses the results of its inspections and any disciplinary action taken.

Critics also argued that the SEC, the regulator tasked with investor protection and corporate disclosure standards, was significantly underfunded and understaffed. The SEC budget was nearly doubled in the wake of SOX and remains at that level today.


Engage Audit Committees

In 1998, before SOX, then SEC Chairman Arthur Levitt stated that “qualified, committed, independent and tough-minded audit committees represent the most reliable guardians of the public interest.”[3] The many scandals that led to SOX indicated that audit committees were not performing their financial oversight responsibilities effectively.

SOX mandated that the audit committee, rather than management, be accountable for the relationship with the auditor, including selection, compensation, retention, and review of independence. Issuers are now required to disclose whether or not the audit committee has a financial expert, which has encouraged additional financial expertise on audit committees. Auditors are now required to provide more robust disclosures to the audit committee regarding alternative accounting policies and their discussions with management. Audit committees must also ensure the availability of an anonymous reporting channel for accounting or auditing matters (i.e. a “whistleblower hotline”). The law also expanded protection for whistleblowers and penalties for retaliation against them.


Evaluate Key Financial Controls

The much-debated SOX Section 404 requires management to report on the effectiveness of the issuer’s internal control over financial reporting (ICFR), and requires the external auditor to attest to, and report on, that assessment. This is in addition to the traditional auditor’s opinion on whether the financial statements are fairly presented. To support its report, management must document and test the financial controls that address “material misstatement risks.”

Any controls that are assessed as not effectively designed (i.e. not capable of addressing the related risk, even if executed) or not operating effectively (i.e. not executed consistently) result in “deficiencies.” More serious deficiencies are categorized as “significant deficiencies” or “material weaknesses” and must be reported to the external auditor and audit committee. Material weaknesses require public disclosure during the quarter they are identified and, if not remediated as of year-end, an unfavorable opinion on ICFR in the issuer’s annual report.

The requirement to perform a comprehensive control assessment has resulted in several improvements in the art and science of financial management. For example, controls related to the “tone at the top,” incentives, and conflicts of interest were often not formally assessed prior to SOX; attention to whether such controls are well designed and actually operate has improved significantly. Further, the quality of the SOX assessment itself (for example, project management, technology use, risk assessment, and quality of presentation materials) is a good proxy for “tone at the top” in the organization and for the process management skills of the finance team.

In the aftermath of SOX the focus of internal auditing efforts also shifted significantly to financial controls, as opposed to operational processes. Many issuers expanded the staffing and capabilities of their internal auditing teams to absorb incremental SOX responsibilities. The New York Stock Exchange (NYSE) listing standards now require that all listed companies have an internal audit function. Tracking deficiencies to resolution also establishes good discipline for internal audit follow-up of all issue types, as required by internal auditing standards.


Improve Risk Management

Pressure is increasing on businesses to improve risk management practices. This comes from a variety of sources, including regulators, credit rating agencies, and activist shareholders. Further, the subprime mortgage crisis which became apparent in 2007 has (arguably) exposed systemic risk management concerns.

The 2007 guidance from the SEC and PCAOB regarding Section 404 (the SEC’s interpretive guidance for management and PCAOB Auditing Standard No. 5 for auditors) established a comprehensive framework for conducting a “top-down” financial reporting risk assessment: start from the financial statements, identify the accounts and disclosures where a material misstatement could occur, document the related risks and the controls that address them, and test only those controls. (See the Case Study for details.)

Techniques used in top-down risk assessment are applicable to other risk categories. The COSO Enterprise Risk Management (ERM) framework groups objectives, and the risks to them, into strategic, operations, reporting, and compliance categories. SOX compliance implies substantial coverage of the financial reporting risks within the reporting category. The SOX compliance process also provides a framework that relates processes, risks, controls, and the network of managers involved, which can be used to help establish an ERM program.

Many companies use SOX-compliance database software, which can also serve as a repository of risk information for an ERM program and as an internal audit workflow tool. As internal audits are completed, the risk and control information held in such a database grows across all risk types, not just financial reporting.

In response to increased expectations around risk, many audit committees have expanded their scope to include overall risk management. With SOX efforts addressing financial reporting risks, they can focus more attention on strategic and operational risks. Some issuers have also created board risk committees to address non-financial reporting matters.


Improve Financial Processes

The significant cost of the ICFR assessment required under SOX Section 404 represents a “tax” on inefficiency, providing additional incentives for process improvement. Redundant systems, processes, or locations generally require some type of incremental assessment, increasing the scope and cost of compliance. The Financial Executives International (FEI) survey of SOX 404 compliance costs in 2007[4] indicated that, for companies with average revenue of $4.7 billion, the costs in decentralized companies averaged $1.9 million, 46% higher than the $1.3 million in centralized companies. The difference is likely to be a fraction of the savings available from addressing the underlying process inefficiency.

In addition, manual control procedures involve substantially higher testing costs. For example, a manual control that operates daily may require a sample of 30 instances to be evaluated by an expert. The same control, if automated, requires a sample of just one, and under the 2007 guidance it does not have to be retested every year provided certain criteria are met (for example, that the application and its change controls have not changed since the control was last tested, the “benchmarking” approach). Leading companies track the number of manual versus automated controls and seek automation opportunities. Reducing the number of manual journal entries is another means of improving the reliability of financial statements and reducing closing-cycle time, while reducing both compliance and personnel costs.

Section 404 is one of the more contentious elements of SOX, due to the significant cost of compliance. According to the FEI survey, which included issuers with an average revenue of $4.7 billion, compliance costs averaged $1.7 million during 2007, or about 0.036% of revenue. The total cost includes internal and external labor and auditor attestation fees.[5]

Compliance costs have continued to decline since 2004, when Section 404 first became applicable for larger (accelerated-filer) issuers. The 2007 SEC and PCAOB guidance has given management additional flexibility in assessing risk and determining the timing, nature, and extent of testing procedures, further reducing costs.


Case Study

SIRVA, Inc.—Implementing a Top-down Risk Assessment

SIRVA, Inc., is a decentralized global moving and relocation services company with revenues of $4 billion in 2007. Under new internal audit leadership in 2007, the company implemented a top-down risk assessment, new SOX compliance software, and brought the effort substantially in-house. This resulted in annual savings of over $3 million and brought costs into line with benchmark companies.

First, management completed a risk-ranking of each balance sheet account (and certain sub-accounts) to assess the risk of material misstatement. The ranking was also used to identify key process/location combinations (“processes”). For example, revenue and receivables might be significant (i.e. in-scope) for one location but not another.

Second, processes were risk-ranked. Higher-risk processes or topics included entity-level controls, period-end reporting, revenue, and key accounting estimates and judgments. Other transactional processes such as accounts payable, payroll, tax, and treasury were lower risk and received less assessment effort. Nearly 200 material misstatement risks (MMR) were documented by systematically considering key accounting policies and financial statement assertions for each process or account. Risks represented “what could go wrong” in relation to the account or assertion.

Third, the number of key controls tested was reduced from the prior year by 50% (from nearly 1,000 to 500) by including only those entity-level and transaction-level controls needed to address the MMR. In other words, specific risks determined which controls mattered, as opposed to merely large dollar balances, locations, or systems. Management assigned each control a risk-ranking of high, medium, or low. This ranking was based on a combination of account-specific and control-specific factors in the SOX guidance. Sample sizes used in testing were based on the ranking and the frequency of control operation.

Fourth, SOX compliance software was implemented to document the risks, controls, and tests. Comprehensive status and quality reporting was developed and discussed in weekly meetings with the global audit team and management.

Finally, multiple domestic general ledger systems were consolidated into one system. Further, two major operating platforms were consolidated into one, removing an entire financial process.
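The scoping steps of the case study, and the manual-versus-automated sample sizing described under Improve Financial Processes, as an added example written for this page (it is not SIRVA’s process or the compliance software the company used): a small Python model that ranks accounts by location, keeps only the material misstatement risks of in-scope processes, selects as key only the controls that address one of those risks, and sets sample sizes from control rank and frequency, with automated controls tested once. It also reports an in-scope risk that no key control addresses, which is a design gap rather than something to drop silently. The materiality threshold, the account-to-process mapping, the sample data and every sample size other than the two the article states (manual daily 30, automated 1) are assumptions constructed for illustration.

```python
"""Top-down, risk-based SOX 404 scoping, following the case-study steps.
Added example for this page, not SIRVA's process or any vendor's software.
MATERIALITY, PROCESS_OF_ACCOUNT, the sample data and all sample sizes except
'manual daily -> 30' and 'automated -> 1' are constructed for illustration."""
from dataclasses import dataclass

MATERIALITY = 1_000_000  # constructed planning threshold per account/location

@dataclass(frozen=True)
class Account:
    name: str
    location: str
    balance: int        # period-end balance at this location
    inherent_risk: str  # management's ranking: "high", "medium" or "low"

@dataclass(frozen=True)
class Risk:             # material misstatement risk (MMR): "what could go wrong"
    id: str
    process: str
    location: str
    description: str

@dataclass(frozen=True)
class Control:
    id: str
    process: str
    location: str
    risks: tuple        # ids of the MMRs this control addresses (may be empty)
    frequency: str      # "monthly", "weekly" or "daily"
    automated: bool
    rank: str           # "high", "medium" or "low"

# Constructed: the process that produces each account.
PROCESS_OF_ACCOUNT = {"revenue": "revenue", "receivables": "revenue",
                      "payables": "purchasing", "accrued_payroll": "payroll"}

# Constructed table (frequency x rank) for manual controls; the article states
# only that a manual daily control may need a sample of 30.
MANUAL_SAMPLE_SIZES = {
    "monthly": {"high": 4, "medium": 3, "low": 2},
    "weekly": {"high": 10, "medium": 8, "low": 5},
    "daily": {"high": 30, "medium": 25, "low": 20},
}

def in_scope_processes(accounts):
    """Step 1: an account/location is significant when its balance reaches
    materiality or management ranks it high risk; return the (process,
    location) pairs those accounts flow through."""
    return {(PROCESS_OF_ACCOUNT[a.name], a.location) for a in accounts
            if a.balance >= MATERIALITY or a.inherent_risk == "high"}

def key_controls(controls, risks):
    """Step 3: a control is key only if it addresses a relevant MMR; one that
    addresses nothing in scope drops out, whatever balance it sits on."""
    risk_ids = {r.id for r in risks}
    return [c for c in controls if risk_ids.intersection(c.risks)]

def sample_size(control):
    """Automated controls are tested once; manual ones by rank and frequency."""
    if control.automated:
        return 1
    return MANUAL_SAMPLE_SIZES[control.frequency][control.rank]

def build_test_plan(accounts, risks, controls):
    """Scope (step 1), in-scope MMRs (step 2), key controls with sample sizes
    (step 3), and MMRs left without a key control: a design gap to report."""
    scope = in_scope_processes(accounts)
    mmrs = [r for r in risks if (r.process, r.location) in scope]
    keys = key_controls(controls, mmrs)
    covered = {rid for c in keys for rid in c.risks}
    return {"scope": scope,
            "risks": [r.id for r in mmrs],
            "plan": {c.id: sample_size(c) for c in keys},
            "gaps": [r.id for r in mmrs if r.id not in covered]}

# Constructed sample data: two locations sharing one chart of accounts.
ACCOUNTS = [
    Account("revenue", "US", 900_000_000, "high"),
    Account("receivables", "US", 120_000_000, "medium"),
    Account("payables", "US", 40_000_000, "low"),
    Account("revenue", "UK", 600_000, "low"),  # immaterial and low risk: out of scope
    Account("accrued_payroll", "UK", 2_000_000, "low"),
]
RISKS = [
    Risk("R1", "revenue", "US", "revenue booked before the move is delivered"),
    Risk("R2", "revenue", "US", "moves delivered but never invoiced"),
    Risk("R3", "purchasing", "US", "supplier invoices received but not accrued"),
    Risk("R4", "revenue", "UK", "as R1, for the UK entity"),
    Risk("R5", "payroll", "UK", "pay-rate changes made without approval"),
    Risk("R6", "purchasing", "US", "goods received after period end booked in period"),
]
CONTROLS = [
    Control("C1", "revenue", "US", ("R1",), "daily", False, "high"),    # manual daily: 30
    Control("C2", "revenue", "US", ("R2",), "daily", True, "high"),     # automated: 1
    Control("C3", "purchasing", "US", ("R3",), "monthly", False, "medium"),
    Control("C4", "revenue", "US", (), "daily", False, "low"),          # no MMR: not key
    Control("C5", "revenue", "UK", ("R4",), "daily", False, "high"),    # location out of scope
    Control("C6", "payroll", "UK", ("R5",), "monthly", False, "low"),
]
```

Running `build_test_plan(ACCOUNTS, RISKS, CONTROLS)` on the constructed data scopes in US revenue, US purchasing and UK payroll, keeps risks R1, R2, R3, R5 and R6, and tests four of the six controls: C1 with a sample of 30, C2 (automated) with a sample of 1, C3 with 3 and C6 with 2. C4 is dropped because it addresses no documented risk, C5 because its location is out of scope, and R6 is flagged as a gap because no key control addresses it. The point of the model is the direction of the selection: risks decide which controls matter, not balances, locations or systems.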



SOX has resulted in dramatic changes in internal control, risk management, and corporate governance. Management and audit committees are more focused on financial reporting. The internal control and risk management best practices discussed above continue to evolve in practice. Companies continue to narrow the focus of their SOX 404 efforts and reduce their cost through top-down risk assessment and compliance software, both of which have broader applications in other risk management efforts.


Making It Happen

SOX regulations and implementation have provided a series of best practices to help companies improve risk, control, and governance, even if technically they are not required to comply.

  • Identify and remove conflicts of interest that affect your business. These can involve auditors, management, the board, vendors, outside consultants, etc.

  • Ensure that your external auditors and internal auditors are independent by having their continuing employment, performance rating, and compensation determined by the audit committee or board.

  • Help to ensure that financial disclosures are transparent and fairly describe the organization’s performance by using a disclosure committee and management representation letters.

  • Insist on a robust top-down risk assessment of financial reporting processes. The extent of testing to perform (the primary cost-driver) can then be determined appropriately.

  • Capture risk and control information in compliance database software. User-friendly software that can be customized and administered by non-IT personnel is available at very reasonable prices.

  • Establish risk committees at the senior management and board level. These committees can direct risk management efforts and help the audit committee to focus on financial reporting matters.

  • Develop reporting of operating metrics that are predictive of financial results and share it with the audit committee and board.

  • Communicate periodically to the audit committee any significant deficiencies identified (financial or otherwise) and management’s progress towards remediating them.

  • Use the financial reporting effort and framework to initiate or improve an ERM program.



[1] Office of the Press Secretary, The White House. “President Bush signs corporate corruption bill,” July 30, 2002 (signing of the Sarbanes–Oxley Act of 2002).

[2] Lucas, Nance. “An interview with United States Senator Paul S. Sarbanes.” Journal of Leadership & Organizational Studies (June 22, 2004).

[3] Levitt, Arthur. “The numbers game.” Speech dated September 28, 1998.

[4] Financial Executives International (FEI). News release “FEI survey: Average 2007 SOX compliance cost $1.7 million.”

[5] Ibid.


Further reading


  • Farrell, Greg. America Robbed Blind. How Corporate Crooks Fleeced American Shareholders (and How Congress Failed to Stop Them). Buda, TX: Wizard Academy Press, 2005.

