
Table of Contents

Introduction 3
SOX Compliance Environment Today 4
  The Changing World of Work 4
  Competition for SOX Resources 4
  Navigating Auditor Independence Requirements 4
SOX Program Operating Models 5
  Comparative Overview 5
  Fully Internal SOX Operating Model 7
  Co-sourcing SOX Operating Model 8
  Staff Augmentation SOX Operating Model 9
  Outsourced SOX Operating Model 10
Integrating SOX Program Enabling Technologies 11
Top SOX Readiness Questions 13
Conclusion: Key Considerations for SOX Success 15
About the Authors 16
About Deloitte 18
About AuditBoard 18

auditboard.com 2
Introduction
Two decades on, the Sarbanes-Oxley Act (SOX) of 2002 has become a long-
standing fixture in public companies’ compliance landscape. Achieving SOX
compliance nonetheless remains a time- and attention-consuming process
for most organizations. Companies continue to underestimate the time and
resources it takes to become SOX compliant, often leading to increased costs,
tight turnaround times, and inefficient allocation of internal resources.

Increasingly complex regulatory requirements, accelerated digital transformation,
and evolving market, workforce, and workplace dynamics have made stable SOX
processes a moving target. Companies’ control environments and processes
are evolving as they strive to adapt their business models and technology usage
to address their challenges and meet changing conditions. The recent wave of
traditional initial public offerings (IPOs) and special purpose acquisition company
(SPAC) transactions have increased the number of new public companies
needing to become SOX compliant, meaning more public companies competing
for finite SOX resources.

Your organization’s SOX operating model is the core of your SOX program.
Accordingly, your choice of operating model has a massive impact on your
ability to plan and execute an efficient, effective, high-quality SOX program.
What steps should you take when choosing your operating model? And how
can you validate whether your selected operating model continues to be
the appropriate fit for your organization as it matures? Our practical guide to
choosing a SOX operating model helps you understand the differences, pros
and cons, and considerations of each, helping you make adequate choices for
your organization both now and in the future. As businesses and circumstances
change over their life cycle, this is not a decision you will only make once.

SOX Compliance Environment Today
The Changing World of Work
Companies are still adapting to a “new normal” impacted by remote or hybrid
work environments, reduced work schedules, increased pressure to reduce
operating costs and find efficiencies, and the “Great Resignation,” which has
seen record numbers of employees quitting jobs. As shown in US Bureau of
Labor Statistics data, job openings have reached near-record highs in 2022.
It’s harder than ever to find and retain internal and external resources with
the right skill sets and expertise, whatever your industry. Still, even as public
companies face increased turnover, disruption, and knowledge loss, they must
keep appropriate resources in place to ensure ongoing SOX compliance.

These market, workforce, and workplace changes are also impacting
companies’ control environments. Altered operating models often mean
new risks, opportunities, resource constraints, supply chain issues, information
security exposures, segregation of duty and system access implications, and
technology usage and opportunities. These impacts may require establishing
new controls or enhancing existing ones, or employing different materiality
assessment, testing, auditing, documentation, and collaboration methods.

Competition for SOX Resources
The recent wave of SPACs and traditional IPOs increased the number of new
public companies needing to become SOX compliant, meaning more public
companies competing for SOX resources. The accelerated going-public
process for SPACs necessitates a faster timeline for achieving SOX compliance.
Deloitte and AuditBoard’s SOX Readiness for SPACs offers leading practices
and additional background.

Navigating Auditor Independence Requirements
External auditors can provide valuable SOX readiness insights as advisers
in advance of your compliance deadlines, helping management gain a
better understanding of what their independent auditors will be looking for.
Accordingly, involving external auditors in early conversations is an excellent
strategy for improving and streamlining your SOX readiness efforts. To ensure
ongoing independence, the US Securities and Exchange Commission (SEC)
directly prohibits external auditors from providing “internal audit outsourcing
services” including helping to define or design the controls they’ll be testing.
Management must own all decisions regarding controls definition
and design.

SOX Program Operating Models
Before exploring the pros, cons, and considerations of the different operating
models, it’s helpful to revisit the big-picture objectives that any SOX program
should be designed to achieve. Your SOX program should encompass not only
ongoing controls testing, but also defining, setting up, and regularly refreshing
and maintaining controls. The operating model you choose should be designed
to support all of these activities for your organization. For more guidance:

• Deloitte’s A Practical Approach to SOX Readiness offers a pragmatic
look at the people, process, and technology aspects of the road to SOX
compliance, including pitfalls to avoid.
• AuditBoard’s The SOX Management Playbook outlines a risk-first
approach to SOX compliance, offering tips and best practices
throughout the life cycle.

Your SOX operating model will likely need to evolve over time to meet the
changing needs, risks, and goals of your business. The model you choose when
first setting up your SOX program may not be the appropriate fit further on in
your compliance life cycle.

Comparative Overview
Figure 1 provides a snapshot view of the four main SOX operating models. On
subsequent pages, we offer key questions to help you understand whether
each model may be appropriate for your organization.

Fully Internal SOX Operating Model
In this model, your internal team oversees and executes all SOX activities 100%
in-house including readiness, maintenance, and testing. Before choosing a fully
internal model for your program, make sure you can answer yes to the following
questions:

• Do you have appropriate internal resources in place to build and maintain
a genuinely robust and repeatable SOX program?
• Do resources have sufficient bandwidth to perform the work on an
ongoing basis? (If their time and focus may be better used on other
strategic initiatives, you may wish to consider a different model.)
• Do resources have sufficient expertise in all relevant areas, including SOX
compliance and leading practices, key control risks and deficiencies,
which controls need to be tested and how, and any considerations
relative to recent changes in your business (e.g., new transaction types,
new market entries, M&A activity)?
• Are resources up to date on new accounting standards and SOX
mandates/guidance?
• Are resources seeking ways to innovate your SOX process to make more
effective use of enabling technologies?
• Does your SOX process provide the transparency, reporting, and
safeguards that give your organization ongoing confidence that activities
are being done correctly?

Co-sourcing SOX Operating Model
In this model, efforts are shared between internal and external resources. This
highly flexible model can take whatever form works best for your business.
Before choosing co-sourcing, make sure you can answer yes to at least ONE of
the following questions:

• Do internal resources need access to additional experience, insight,
and leading practices regarding SOX, recent business changes, or
other areas (see examples above)?
• Do internal resources need training in one or more areas?
In co-sourcing, external resources can also provide training on
controls design, documentation, what’s expected and important from
a SOX standpoint, how processes should work, risk assessment, and
much more.
• Do you seek recommendations on how to most effectively integrate
enabling technologies?
• Do your SOX needs fluctuate from year to year, such that having a
flexible, scalable team is either necessary or desirable?
• Do internal resources have a backup plan if external resources are
unavailable?

Staff Augmentation SOX Operating Model
In this model, your internal team owns all planning and oversight, but external
resources help to execute. Before choosing staff augmentation, make sure you
can answer yes to the following questions:

• Do you have one or more internal resources in place with the appropriate
expertise and bandwidth to design, own, oversee, and lead all aspects of
your SOX program?
• Is your internal resource equipped to assess and implement changes to
your SOX model relative to new risks or controls (e.g., from transactions,
acquisitions, new accounting standards)?
• Do you primarily seek flexibility, scalability, and bandwidth from your
external resources? (If you also seek insight, guidance, or specialized
expertise, consider co-sourcing.)
• Does your internal resource have a backup plan if external resources are
unavailable when needed?

Outsourced SOX Operating Model
In this model, an external team oversees and executes all efforts. Again, fully
outsourced SOX models are rare, primarily due to the lack of internal SOX
compliance process ownership, visibility, and control. Accordingly, before
pursuing an outsourced model, consider the following:

• Have you dedicated an internal resource to act as a liaison with your
outsourced team?
• Is your outsourced SOX program supported by enabling technologies
that ensure robust, timely, and appropriate information sharing with
internal stakeholders?
• Do you have appropriate protocols in place to ensure that internal
stakeholders will receive timely alerts and action plans regarding any
control deficiencies and material weaknesses?
• In choosing an outsourced model, is your primary goal either to (a)
supplement an internal lack of expertise/bandwidth and/or (b) lay the
groundwork for ultimately building and training at least some level of in-
house team?
• Do you have a backup plan if outsourced SOX resources are unavailable
when needed?

Integrating SOX Program Enabling Technologies
While many organizations are managing their SOX programs in a manual
environment using a mix of spreadsheets, emails, and shared drives, a growing
number of teams are opting for cloud-based audit management technology.
The size of the opportunity for process improvement is huge — as illustrated
in Figure 2, which shares findings from the Internal Audit Foundation and
AuditBoard’s 2021 report, Internal Audit’s Digital Transformation Imperative:
Advances amid Crisis.

Technology can provide significant benefits to an organization’s SOX program.
The question isn’t whether to integrate technology in your operating model
— rather, it’s which technologies to choose, when, and in what areas. As you
prioritize which technologies to explore and ultimately implement, ask yourself:

• In what ways do your processes need to be more secure and accessible,
and less disruptive or labor-intensive?
• In what areas can you use technology to better centralize, control, and
drive value from your SOX readiness activities?
• Do you have a “single source of truth” that all resources can rely on?
The greater the potential that resources are relying on outdated or
disparate sources, the greater the risk that your SOX program will fail
to properly assess risk or detect deficiencies.
• How susceptible is your program to impacts from changing market,
workforce, and workplace conditions? Enabling technologies can offer
standardized, scalable processes and frameworks that remain stable
regardless of turnover or other disruptions.

Key opportunities include integrating an Audit Management System (AMS) into
your audit function and adopting technologies that link together your various
IT systems, services, and software so that they are able to work together.
Additional examples are shown in Figure 3.

Top SOX Readiness Questions
1. What is the appropriate mix of outsourced, internal resource, and center of
excellence (COE) resources for a 3-5 year public company?
The appropriate mixture of resources is dependent on the company’s
needs and strategies rather than the maturity level of the SOX environment.
Considerations such as the availability of resources, whether the company
has in-house expertise, and cost often drive what is appropriate from
a resource standpoint. Additionally, companies are not locked into one
resource mix over their SOX compliance life cycle. Companies should be
reevaluating whether they have an appropriate resource mix on a regular
basis to ensure they are set up for success.

2. If outsourced, isn’t management still responsible for the adequacy of controls
over financial reporting and must issue an ICFR assertion if publicly traded?
Yes, management still retains the ultimate responsibility for the adequacy of
the company’s internal controls over financial reporting. Management must
provide assertions related to their controls, which vary based on whether
they are required to comply with Section 302, 404(a), and/or 404(b). While
it is appropriate to utilize a variety of resources to meet these compliance
requirements, management must own the process and take responsibility for
the conclusions.

3. How should we break out responsibilities between internal audit versus ICFR?
There are a variety of acceptable divisions of responsibilities regarding SOX
compliance between internal audit and ICFR or management functions.
ICFR groups should generally report to senior management and be
separate from internal audit. Ideally, this group can help design and maintain
controls and act as an intermediary between internal audit and control
owners. It can be a challenge to obtain adequate internal audit resources,
let alone ICFR resources — especially with new public companies. In more
resource-constrained situations, there are ways to have internal audit help
management understand and evaluate controls, but it is critical to ensure that
internal audit is not designing controls that they will be testing, particularly if
the external auditors will be relying on internal audit’s work.

4. When is the best time to introduce an audit solution for a company that is
newly implementing SOX 404(a)?
Remember, SOX 404(a) requires you to start implementing effective internal
controls, which are needed to gain investor confidence — why not build
stakeholder confidence as well? Implementing an audit management
solution early on can help you get in front of common challenges that
plague SOX teams by eliminating version control issues and making
documentation consistent, accessible, and easier to maintain. Technology
enables you to update once; update everywhere — changes flow across
workpapers, process documents, RCMs, and issues instantly. Crucially,
managing everything in one central location provides continuous visibility
into areas of ownership from the start of your SOX program.
5. How can we leverage digital automation for SOX compliance?
If you are not already using an audit management solution for your SOX
program, this should be your first step. It’s important to create a system
of record, implement automated workflows, build a solid foundation, and
connect your risks before you start looking into more advanced capabilities
such as digital automation. When the time is right, digital automation can
bring needed efficiencies to SOX compliance through automated testing
and continuous monitoring.

Conclusion: Key Considerations for SOX Success
Choosing a SOX program operating model for your business is not a decision
you’ll make only once. Businesses mature, circumstances change, and needs
ebb and flow. That’s why, over time, most businesses will employ a range of SOX
operating models.

For example, a company might begin with a co-sourced model with heavy
external involvement. Then, they might move toward using external resources
to assist with more highly specialized areas. At the same time, in less complex
areas, their internal audit team might lead efforts, using external resources
only to supply needed bandwidth (staff augmentation). Later, they might move
toward a primarily internal program, which better suits their needs at that time.

There is no one-size-fits-all SOX operating model. As we’ve illustrated, however,
each model accommodates a different combination of the same basic variables.
Figure 4 offers a summary.

Whatever your balance of these variables — and whatever SOX operating model
you choose — the most critical consideration is that you have the appropriate
resources in place, and that those resources have the appropriate skill sets to
help you develop and maintain a robust system of internal controls. By making
thoughtful choices about your SOX operating model and committing to evolving
it over time, you unlock the potential to:

• Improve the productivity, efficiency, quality, and cost-effectiveness of
your SOX work.
• More effectively manage risk across the organization.
• Elevate the role and value of the internal audit function.

SOX compliance is a journey. Make sure your organization is on a path that will
get you where you want to go.

About the Authors
Donna Cashman
Audit & Assurance Managing Director
Deloitte & Touche LLP

Donna has more than 20 years of experience in public
accounting and financial reporting advisory with a focus on
internal controls, working with internal audit departments
and shared service operations. She has extensive experience
with organizations implementing SOX programs as well as
remediating significant internal control deficiencies. Donna has
spent her career working with public and private companies
with technical and complex accounting and financial reporting
matters and has a passion for innovation and transformation.

Bryan Goldstein
Audit & Assurance Accounting & Reporting Advisory
Senior Manager
Deloitte & Touche LLP

Bryan has more than 13 years of experience in public accounting
and accounting and financial reporting advisory and private
industry with a focus on internal audit departments and internal
controls. He has extensive experience assisting companies
establishing SOX programs, including establishing control
frameworks, remediating control deficiencies, and establishing
testing programs. In addition to his experience advising clients,
Bryan spent several years as the associate director of SOX &
Internal Controls at an education technology company.

Scott Madenburg
Market Advisor
AuditBoard

Scott is a Market Advisor at AuditBoard, supporting
organizations, both large and small, in transforming their audit,
SOX, and risk management through best-in-class technology
solutions. Scott has more than 20 years of global experience in
the areas of audit, risk, and compliance. Beginning his career
at Arthur Andersen, Scott transitioned to internal audit with Fox
Entertainment Group, News Corporation, and Rovi Corporation,
where he helped lead operational and IT audits and SOX
compliance, consulted on business process improvements,
and participated in multiple ERP implementations and M&A
activities. Prior to joining AuditBoard, Scott was the chief audit
executive at Mobilitie, where he built the internal audit function
from the ground up to a six-person department focusing on
agile audits, SOX readiness, risk management, and cyber and IT
security compliance.

This publication contains general information only and Deloitte is not, by means of this publication,
rendering accounting, business, financial, investment, legal, tax, or other professional advice or
services. This publication is not a substitute for such professional advice or services, nor should
it be used as a basis for any decision or action that may affect your business. Before making
any decision or taking any action that may affect your business, you should consult a qualified
professional adviser. Deloitte shall not be responsible for any loss sustained by any person who
relies on this publication.

The services described herein are illustrative in nature and are intended to demonstrate our
experience and capabilities in these areas; however, due to independence restrictions that may
apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide
certain services based on individual facts and circumstances.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and
each of its member firms are legally separate and independent entities. DTTL (also referred to as
“Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one
or more of the US member firms of DTTL, their related entities that operate using the “Deloitte”
name in the United States and their respective affiliates. Certain services may not be available to
attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/
about to learn more about our global network of member firms.

About AuditBoard
AuditBoard is the leading cloud-based platform transforming audit, risk, and compliance
management. More than 30% of the Fortune 500 leverage AuditBoard to move their businesses
forward with greater clarity and agility. AuditBoard is top-rated by customers on G2 and Gartner
Peer Insights and was recently ranked for the third year in a row as one of the fastest-growing
technology companies in North America by Deloitte. To learn more, visit: AuditBoard.com.
