
The Effect of SOX on Internal Control, Risk Management, and Corporate Governance Best Practice

by David A. Doney

Case Study

SIRVA, Inc.—Implementing a Top-down Risk Assessment

SIRVA, Inc., is a decentralized global moving and relocation services company with revenues of $4 billion in 2007. Under new internal audit leadership in 2007, the company implemented a top-down risk assessment and new SOX compliance software, and brought the compliance effort substantially in-house. This resulted in annual savings of over $3 million and brought costs into line with those of benchmark companies.

First, management completed a risk-ranking of each balance sheet account (and certain sub-accounts) to assess the risk of material misstatement. The ranking was also used to identify key process/location combinations (“processes”). For example, revenue and receivables might be significant (i.e. in-scope) for one location but not another.

Second, processes were risk-ranked. Higher-risk processes or topics included entity-level controls, period-end reporting, revenue, and key accounting estimates and judgments. Other transactional processes such as accounts payable, payroll, tax, and treasury were lower risk and received less assessment effort. Nearly 200 material misstatement risks (MMR) were documented by systematically considering key accounting policies and financial statement assertions for each process or account. Risks represented “what could go wrong” in relation to the account or assertion.

Third, the number of key controls tested was reduced from the prior year by 50% (from nearly 1,000 to 500) by including only those entity-level and transaction-level controls needed to address the MMR. In other words, specific risks determined which controls mattered, as opposed to merely large dollar balances, locations, or systems. Management assigned each control a risk-ranking of high, medium, or low. This ranking was based on a combination of account-specific and control-specific factors in the SOX guidance. Sample sizes used in testing were based on the ranking and the frequency of control operation.

Fourth, SOX compliance software was implemented to document the risks, controls, and tests. Comprehensive status and quality reporting was developed and discussed in weekly meetings with the global audit team and management.

Finally, multiple domestic general ledger systems were consolidated into one system. Further, two major operating platforms were consolidated into one, removing an entire financial process.


SOX has resulted in dramatic changes in internal control, risk management, and corporate governance. Management and audit committees are more focused on financial reporting. The internal control and risk management best practices discussed above continue to evolve in practice. Companies continue to focus their SOX 404 efforts and reduce their costs through top-down risk assessment and compliance software, both of which have broader applications to other risk management efforts.

Making It Happen

SOX regulations and their implementation have produced a series of best practices that help companies improve risk management, internal control, and governance, even if they are not technically required to comply.

  • Identify and remove conflicts of interest that affect your business. These can involve auditors, management, the board, vendors, outside consultants, etc.

  • Ensure that your external auditors and internal auditors are independent by having their continuing employment, performance rating, and compensation determined by the audit committee or board.

  • Help to ensure that financial disclosures are transparent and fairly describe the organization’s performance by using a disclosure committee and management representation letters.

  • Insist on a robust top-down risk assessment of financial reporting processes. The extent of testing to perform (the primary cost-driver) can then be determined appropriately.

  • Capture risk and control information in compliance database software. User-friendly software that can be customized and administered by non-IT personnel is available at very reasonable prices.

  • Establish risk committees at the senior management and board level. These committees can direct risk management efforts and help the audit committee to focus on financial reporting matters.

  • Develop reporting of operating metrics that are predictive of financial results and share it with the audit committee and board.

  • Communicate periodically to the audit committee any significant deficiencies identified (financial or otherwise) and management’s progress towards remediating them.

  • Use the financial reporting effort and framework to initiate or improve an ERM program.



Further reading


  • Farrell, Greg. America Robbed Blind. How Corporate Crooks Fleeced American Shareholders (and How Congress Failed to Stop Them). Buda, TX: Wizard Academy Press, 2005.

