Compliance Guide

SOX Readiness for Mid-Market: Getting Audit-Ready for Sarbanes-Oxley

Section 302 and 404 requirements, a practical readiness checklist, implementation timeline, and how to prepare without breaking your budget.

2,500 words · 11 min read · Last reviewed: March 2026

The Sarbanes-Oxley Act of 2002 was passed in the wake of the Enron and WorldCom accounting scandals to restore investor confidence in public company financial reporting. More than two decades later, SOX compliance remains one of the most demanding — and expensive — requirements a company takes on when it enters the public markets or prepares to do so.

For mid-market companies, the challenge is executing SOX compliance efficiently. Unlike large enterprises with dedicated internal audit teams and mature GRC platforms, mid-market finance teams often face the same compliance obligations with a fraction of the headcount. The good news: a well-scoped, phased SOX program can get you audit-ready without consuming your entire finance department.

This guide covers the core SOX requirements, a practical SOX compliance checklist organized by phase, the control areas mid-market companies most commonly get wrong, and how to build a cost-effective program that satisfies external auditors.

Who Needs SOX Compliance

SOX applies broadly to companies registered with the SEC, but the specific requirements — and their severity — vary by filer category. Understanding where you fall determines which sections apply to you and how much work you need to do.

Public Company Filer Categories

Large accelerated filers are companies with a public float of $700 million or more. They face the full weight of SOX, including Section 404(b), which requires their external auditor to independently attest to management's assessment of internal controls over financial reporting (ICFR). This is the most expensive component of SOX compliance.

Accelerated filers have a public float between $75 million and $700 million. They must comply with Section 302 certifications and Section 404(a) management assessments, but are exempt from 404(b) auditor attestation — a meaningful cost difference. The SEC has periodically debated expanding the 404(b) exemption; as of this writing, accelerated filers remain exempt.

Non-accelerated filers have a public float below $75 million (or no public float if newly public). They must comply with Section 302 and Section 404(a), but like accelerated filers, are exempt from 404(b) auditor attestation. The compliance burden is still significant, but more manageable without external attestation.

IPO-Bound Companies

Companies preparing to go public need to be SOX-compliant before they file their S-1 registration statement, not after. The SEC expects new registrants to have functioning internal controls at the time of their IPO, and underwriters increasingly scrutinize SOX readiness as part of their diligence process.

The practical implication: IPO candidates typically need 2 to 3 years of runway to build SOX-compliant controls. This means mid-market companies that anticipate a public offering in 3 to 5 years should be starting their SOX readiness work today. Waiting until 12 months before the S-1 filing is one of the most common mistakes finance teams make — the remediation timeline alone often exceeds 18 months.

SPAC Transactions

Companies going public via SPAC merger face the same ultimate compliance requirements as traditional IPO registrants, but on a compressed timeline. SPAC transactions can close in 3 to 6 months from announcement, leaving little time to build SOX infrastructure from scratch. Companies entering a SPAC transaction should treat SOX readiness as an immediate priority the moment an LOI is signed.

Private Companies with SOX-Like Requirements

Not every company facing SOX-style demands is technically subject to the statute. Private companies with significant institutional debt, PE-backed businesses preparing for a sale, and subsidiaries of public parent companies may face contractual or governance requirements that effectively mandate SOX-level controls. Review your debt covenants and investor agreements — many include provisions requiring annual management certifications or independent audits that mirror SOX obligations.

SOX Section 302 vs. Section 404: What's Different

CFOs and controllers frequently conflate Section 302 and Section 404, but they impose distinct obligations on different parties. Understanding the difference is essential for scoping your compliance program correctly.

Section 302
  Who must act: CEO and CFO
  Frequency: Quarterly (10-Q) and annual (10-K)
  What it requires: Personal certification that financial statements fairly present results; disclosure controls are effective; no significant changes to ICFR
  Who it applies to: All public companies

Section 404(a)
  Who must act: Management
  Frequency: Annual (10-K)
  What it requires: Management's written assessment of ICFR effectiveness as of fiscal year-end; must identify material weaknesses
  Who it applies to: All public companies

Section 404(b)
  Who must act: External auditor
  Frequency: Annual (10-K)
  What it requires: Independent auditor attestation on management's ICFR assessment; separate audit opinion on ICFR
  Who it applies to: Large accelerated filers only

Section 302: Quarterly CEO and CFO Certifications

Section 302 is primarily a certification requirement. The CEO and CFO must personally certify in each quarterly and annual filing that: (1) they have reviewed the report; (2) the report does not contain material misstatements or omissions; (3) the financial statements fairly present the company's financial condition; and (4) they are responsible for establishing and maintaining disclosure controls, have evaluated those controls, and have disclosed any significant changes.

Many companies implement sub-certification processes where the CEO and CFO cascade the certification down to business unit leaders, controller-level staff, and department heads. These sub-certs serve as both a governance mechanism and a documentation trail — if a misstatement is later discovered, the sub-certification record helps management understand where the breakdown occurred.

Section 404(a): Management Assessment of ICFR

Section 404(a) requires management to assess the effectiveness of internal controls over financial reporting (ICFR) as of the fiscal year-end. Management must identify the framework used for the assessment (COSO is the standard), document the controls tested, identify any deficiencies, and conclude on overall effectiveness. A single material weakness means management cannot conclude that ICFR is effective — a disclosure that carries significant consequences for investor confidence and stock price.

Section 404(b): External Auditor Attestation

Section 404(b) adds an additional layer: the external auditor must independently audit and attest to management's ICFR assessment. This is the most expensive component of SOX compliance, as it requires the auditor to test controls independently rather than simply reviewing management's work. For large accelerated filers, the 404(b) audit often adds $300,000 to $1,000,000 or more in incremental audit fees annually.

Remediation Requirements

When deficiencies are identified — whether through management testing or external audit — companies must remediate them and re-test remediated controls. The timing of remediation matters: deficiencies identified and remediated before the fiscal year-end assessment date may not need to be disclosed, while those remaining open at year-end must be included in the 404(a) assessment. Tracking remediation status with clear owners and target dates is a non-negotiable part of an effective SOX program.

The COSO Framework for Internal Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework is the foundation for virtually all SOX compliance programs in the United States. The SEC has endorsed COSO as the appropriate framework for evaluating ICFR under Section 404. External auditors expect it. If you're building a SOX program, you're building it on COSO.

The framework identifies five components that must all be present and functioning for internal controls to be considered effective: the control environment, risk assessment, control activities, information and communication, and monitoring activities.

External auditors test all five components when evaluating ICFR. A deficiency in any single component — even the control environment — can result in a material weakness finding even if individual control activities appear to be functioning.

Key figures:
  $1.5M–$3M: average first-year SOX compliance cost for an accelerated filer
  18–24 months: typical preparation timeline for IPO candidates
  200–400: average number of controls documented in a mid-market SOX program
  40%: share of SOX deficiencies found in the financial close process

SOX Readiness Checklist

The following checklist is organized into four phases that span a typical 18-month implementation timeline for an IPO candidate or newly public company. Accelerated filers or companies with stronger existing control environments may compress some phases; companies starting from a lower baseline may need more time.

Phase 1: Scoping (Months 1–3)

  1. Define the financial reporting scope. Identify which legal entities, business units, and geographic locations are in scope for ICFR. Not every entity needs to be included — significance thresholds (typically 10–15% of consolidated assets, revenue, or pre-tax income) determine scope. Document your scoping rationale; auditors will review it.
  2. Identify significant accounts and disclosures. Work through the financial statements line by line to identify accounts with material balances or high transaction volume. Consider both quantitative significance and qualitative factors (complexity of accounting, risk of fraud or error). Revenue, accounts receivable, inventory, and debt typically make the list for most companies.
  3. Map business processes to significant accounts. For each significant account, identify the business processes that generate the transactions recorded in that account. Common process areas include financial close and reporting, revenue to cash, procure to pay, payroll, and IT general controls. This process-account mapping is the backbone of your control framework.
  4. Identify key systems supporting financial reporting. List all ERP, billing, payroll, and consolidation systems that process or store financial data. These systems will need IT general controls documentation and may require IT application controls testing.
  5. Engage an external SOX advisor. If this is your first SOX program, a specialized advisor — whether a Big 4 SOX advisory team, a regional firm with a dedicated SOX practice, or an independent consultant — will accelerate your scoping decisions and help you avoid common mistakes. The cost of advisor support in Phase 1 is almost always recovered through efficiency gains in later phases.

Phase 2: Documentation (Months 3–9)

  1. Document business process narratives. For each in-scope process, write a process narrative that describes the flow of transactions from initiation through recording. Narratives should include a description of the people involved, the systems used, the key decision points, and the handoffs between functions. These are the source documents for your control framework.
  2. Prepare Risk and Control Matrices (RCMs). For each process, create an RCM that maps financial statement assertions (existence, completeness, accuracy, valuation, presentation) to the risks that could cause a misstatement and the controls that mitigate those risks. RCMs are the primary working paper external auditors review during a 404 assessment.
  3. Identify and classify key controls. Not all controls need to be SOX key controls. Identify the subset of controls that individually or in combination address the most significant risks of material misstatement. Distinguish between preventive controls (which stop errors before they occur: access restrictions, required approvals) and detective controls (which find errors after they occur: reconciliations, variance analyses). Both are necessary; over-reliance on detective controls is a common deficiency.
  4. Document IT General Controls (ITGCs). IT general controls underpin every financial application control. For each in-scope system, document controls in four domains: change management (how code changes are authorized and deployed), logical access (who has access to what, and how access is granted and revoked), computer operations (job scheduling, backup and recovery, incident response), and program development (SDLC controls for new implementations). Weak ITGCs can invalidate the reliance you place on automated application controls.
  5. Document Management Review Controls (MRCs). Management review controls — variance analyses, budget-to-actual reviews, analytical procedures — are often the most effective controls in a mid-market environment but also the most frequently underdocumented. Document the specific criteria reviewers use, the thresholds that trigger follow-up, and how conclusions are recorded. A review that leaves no evidence is not a control for SOX purposes.

Phase 3: Testing (Months 9–15)

  1. Design your control testing approach. Determine the sample sizes and testing methodologies for each key control. The PCAOB's AS 2201 guidance, while directed at external auditors, provides a useful framework for management testing as well. High-frequency controls (daily reconciliations) require larger samples than low-frequency controls (quarterly reviews). Document your testing plan before you begin.
  2. Perform walkthroughs. For each key process, walk through one transaction end-to-end with the process owner to verify that the documented process reflects how the process actually operates. Walkthroughs are not a test of operating effectiveness — they are a confirmation that your documentation is accurate. Discrepancies between the walkthrough and the documentation must be resolved before testing begins.
  3. Test operating effectiveness. For each key control, test whether the control operated effectively throughout the period. Testing typically involves inspecting evidence of control performance (approval signatures, reconciliation sign-offs, access review logs), re-performing the control on a sample basis, or using data analytics to test the full population. Document your test procedures, the evidence inspected, and your conclusions in detail.
  4. Identify and classify deficiencies. When a control does not operate as designed or fails to prevent or detect a misstatement, that is a control deficiency. Classify each deficiency by severity: control deficiency (least severe), significant deficiency (requires disclosure to the audit committee), or material weakness (requires disclosure in the 10-K and results in an adverse 404(a) conclusion). Severity assessment requires judgment — engage your external auditor early when you find deficiencies of potential significance.
  5. Develop remediation plans. For each deficiency, assign an owner, define specific remediation actions, and set a target completion date. Prioritize by severity. Material weaknesses and significant deficiencies require written remediation plans with board or audit committee oversight.

Phase 4: Remediation and Certification (Months 15–18)

  1. Implement remediation actions. Execute the remediation plans developed in Phase 3. Common remediations include redesigning control procedures, adding compensating controls, implementing new system access restrictions, strengthening the financial close process, or adding headcount to support segregation of duties.
  2. Re-test remediated controls. After remediation, re-test the affected controls to validate that the remediation was effective. The re-test should use the same rigor as the original test. Controls remediated late in the fiscal year may need to operate for a sufficient period before management can conclude they are effective.
  3. Complete the management assessment. Compile the results of all testing into a management assessment report. The report should identify the framework used, the scope of the assessment, the testing performed, any identified deficiencies and their classification, and management's overall conclusion on ICFR effectiveness. This document is reviewed in detail by the external auditor.
  4. Engage the external auditor for 404(b) if required. Large accelerated filers must coordinate their management assessment timeline with the external auditor's independent ICFR audit. The external auditor will conduct their own walkthroughs and testing; they cannot rely entirely on management's work. Begin coordinating with your audit team at least 60 days before your fiscal year-end to align on scope, timing, and evidence-sharing protocols.


Key Control Areas Mid-Market Companies Most Often Miss

SOX advisory practitioners see the same gaps repeatedly in mid-market companies — not because finance teams are careless, but because the areas that matter most for SOX are often not the areas that receive the most management attention in day-to-day operations.

Financial Close Process

Approximately 40% of all SOX deficiencies originate in the financial close process. Account reconciliations that are prepared but never formally reviewed, journal entries approved by the same person who prepared them, and month-end close checklists that exist on paper but aren't consistently followed — all of these are deficiencies waiting to be found. The financial close process requires formalized review hierarchies, evidence of review for every significant reconciliation, and clear escalation paths for unresolved items.

IT Access Controls and Segregation of Duties (SOD)

Segregation of duties failures are among the most common SOX findings in mid-market companies. In small finance teams, it is structurally difficult to separate the initiation, authorization, recording, and custody functions for every transaction type — but the failure to do so must be addressed with compensating controls. Privileged access to financial systems (admin access, the ability to post journal entries without approval, ability to modify master data) requires careful monitoring. Access provisioning and de-provisioning processes are a frequent source of IT general control deficiencies.

Revenue Recognition

ASC 606 has made revenue recognition more complex for almost every company. The five-step recognition model, with its requirements to identify distinct performance obligations and recognize revenue as or when obligations are satisfied, creates numerous points where judgment errors can result in misstated revenue. Controls over contract review, performance obligation identification, variable consideration estimation, and cutoff are all areas that require careful design and testing.

Financial Reporting and Disclosure Controls

Controls over the preparation of financial statement footnotes, MD&A, and press release disclosures are often underdeveloped in mid-market companies. The disclosure process requires its own control framework: who drafts disclosures, who reviews them for accuracy, how new disclosure requirements are identified, and what process exists for reviewing subsequent events. Disclosure controls are specifically addressed by Section 302 certifications and are a distinct area of auditor scrutiny.

Management Review Controls

Management review controls are high-value but frequently deficient due to insufficient documentation. A CFO who reviews the monthly P&L and follows up on unusual items is performing a management review control — but if there is no record of what was reviewed, what thresholds triggered follow-up, what questions were asked, and what conclusions were reached, the control cannot be tested and cannot be relied upon for SOX purposes. Implement a standard template for key management reviews and require documentation of conclusions.

Entity-Level Controls

Entity-level controls (ELCs) are the COSO Control Environment and Monitoring components in practice: the audit committee charter, the code of conduct, the whistleblower hotline, risk assessment procedures, the internal audit function. These controls are often assumed to exist but not formally evaluated. Gaps in entity-level controls — an audit committee that meets infrequently, a code of conduct that hasn't been updated in years, no formal risk assessment process — represent systemic weaknesses that auditors will flag.

The most common finding in mid-market SOX assessments: inadequate documentation. A control that's operating but not documented is treated as a deficiency. A manager who reviews and approves journal entries but never signs off on evidence of that review has effectively no control from a SOX perspective. Start documenting before you start testing.

Significant Deficiency vs. Material Weakness: Know the Difference

The classification of a control deficiency determines its disclosure requirements, the urgency of remediation, and the impact on the company's overall ICFR conclusion. Getting the classification right matters — both understating and overstating deficiency severity creates problems.

Control Deficiency

A control deficiency exists when a control's design or operation does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. This is the base level — every finding begins as at least a control deficiency. Control deficiencies do not require disclosure outside of management reporting, but they must be tracked and remediated.

Example: The company has a policy requiring two signatures on checks above $50,000, but the secondary approver rarely reviews supporting documentation before signing. The control is performing in form but not in substance.

Significant Deficiency

A significant deficiency is a control deficiency, or a combination of control deficiencies, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight — specifically, the audit committee. Significant deficiencies must be communicated in writing to management and the audit committee but do not require disclosure in the company's annual report.

Example: The company lacks a formal process to identify and review related-party transactions before they are recorded. No related-party transactions have been misstated in the current period, but the absence of a systematic control represents a meaningful gap in the control framework.

Material Weakness

A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness finding means management cannot conclude that ICFR is effective — a disclosure that goes into the 10-K and is visible to every investor and analyst.

Example: The company has no controls over the revenue recognition cutoff process. Revenue is recorded based on invoice date rather than when performance obligations are satisfied, and no systematic review exists to catch errors. A restatement risk exists.

The consequences of a disclosed material weakness are significant: stock price impacts, audit committee scrutiny, potential SEC inquiry, and increased audit fees in subsequent years. Remediating a material weakness requires not just fixing the control, but demonstrating through re-testing that the remediated control is operating effectively — typically over a period of at least two or three months before management can conclude the weakness is remediated.

IT General Controls: The Foundation

IT general controls are not glamorous, but they are foundational to every other aspect of SOX compliance. The basic principle: if you cannot trust the integrity of your financial systems, you cannot trust the outputs of those systems. External auditors will not rely on automated application controls — system-enforced access restrictions, automated matching routines, system-generated reports — unless they have first evaluated the ITGC environment that governs those systems.

The four ITGC domains, and the most common deficiencies in each:

Change Management

Change management controls govern how modifications to financial systems are authorized, tested, and deployed. Common deficiencies include: developers having direct access to production environments (bypassing the change management process), changes deployed to production without documented testing evidence, emergency changes made outside the normal change management process without after-the-fact documentation, and access rights to version control systems that are overly broad.

Logical Access

Logical access controls govern who has access to financial systems, how access is granted and revoked, and how privileged access is monitored. This is the most frequent deficiency area in mid-market companies. Common findings include: terminated employees retaining system access beyond their termination date, no formal access review (user access certification) performed periodically, privileged accounts (system administrators, super users) that are shared or not individually assigned, and inadequate password policies.
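The close-process and segregation-of-duties findings above (journal entries approved by their own preparer, or posted with no approval) and the logical access findings in this section (terminated employees retaining access, accounts nobody can certify in an access review) can be turned into repeatable tests over the ERP journal-entry report, the system user list, and the HR roster. The Python below is an added example, not code from the article or from any GRC vendor; all users, dates, entry IDs and amounts are constructed sample data, and the period-end date is hypothetical.

```python
# Added example (not CFOTechStack's or any vendor's code): control tests over
# constructed sample data for three findings the guide describes. All users,
# dates, IDs and amounts are made up for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    preparer: str
    approver: Optional[str]  # None: posted with no approval recorded
    amount: float
    posted: date

@dataclass(frozen=True)
class UserAccount:
    user: str
    active: bool

@dataclass(frozen=True)
class Employee:
    user: str
    terminated: Optional[date]  # None: still employed

# Constructed inputs; in practice they come from the ERP journal-entry
# report, the system user list and the HR roster.
JOURNAL_ENTRIES = [
    JournalEntry("JE-1001", "alice", "bob", 12000.00, date(2025, 11, 3)),
    JournalEntry("JE-1002", "bob", "bob", 85000.00, date(2025, 11, 5)),  # self-approved
    JournalEntry("JE-1003", "bob", None, 4200.00, date(2025, 11, 6)),  # never approved
    JournalEntry("JE-1004", "carol", "alice", 7500.00, date(2025, 11, 20)),  # carol had left
    JournalEntry("JE-1005", "dave", "alice", 3100.00, date(2025, 11, 10)),
]
ACCOUNTS = [
    UserAccount("alice", True),
    UserAccount("bob", True),
    UserAccount("carol", True),  # still active after termination
    UserAccount("dave", False),
    UserAccount("svc_batch", True),  # no HR record
]
EMPLOYEES = [
    Employee("alice", None),
    Employee("bob", None),
    Employee("carol", date(2025, 11, 14)),
    Employee("dave", None),
]
AS_OF = date(2025, 11, 30)  # hypothetical period-end date for the access check

def sod_exceptions(entries):
    """Entries with no approver, or approved by the person who prepared them."""
    findings = []
    for e in entries:
        if e.approver is None:
            findings.append((e.je_id, "posted without approval"))
        elif e.approver == e.preparer:
            findings.append((e.je_id, "approved by preparer"))
    return findings

def termination_dates(employees):
    """Map user -> termination date for employees who have left."""
    return {emp.user: emp.terminated for emp in employees if emp.terminated}

def stale_access(accounts, employees, as_of):
    """Active accounts of employees terminated on or before as_of."""
    term = termination_dates(employees)
    return sorted(a.user for a in accounts
                  if a.active and a.user in term and term[a.user] <= as_of)

def orphaned_accounts(accounts, employees):
    """Active accounts with no HR record, so no owner can certify them in a review."""
    known = {emp.user for emp in employees}
    return sorted(a.user for a in accounts if a.active and a.user not in known)

def post_termination_activity(entries, employees):
    """Entries prepared by a user after that user's termination date."""
    term = termination_dates(employees)
    return sorted(e.je_id for e in entries
                  if e.preparer in term and e.posted > term[e.preparer])

def run_checks():
    """Run every check over the sample data; a non-empty list is a finding."""
    return {
        "sod": sod_exceptions(JOURNAL_ENTRIES),
        "stale_access": stale_access(ACCOUNTS, EMPLOYEES, AS_OF),
        "orphaned": orphaned_accounts(ACCOUNTS, EMPLOYEES),
        "post_termination": post_termination_activity(JOURNAL_ENTRIES, EMPLOYEES),
    }

if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits or 'no exceptions'}")
```

Each non-empty list is evidence for a deficiency to log with an owner and a target date; the post-termination check matters because an active account for a departed employee is a deficiency, while an entry posted through it is a deficiency that was actually exercised.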

Computer Operations

Computer operations controls cover the reliability and availability of financial systems: job scheduling, monitoring, backup and recovery procedures, and incident management. Common deficiencies include: no documented backup and recovery procedures tested within the past year, batch jobs and interfaces running without monitoring for failures, and no formal incident response process for financial system outages.

Program Development

Program development (or SDLC) controls govern the acquisition, development, and implementation of new financial applications. For most mid-market companies, the relevant concern is new ERP implementations, major module rollouts, or significant customizations. Common deficiencies include: inadequate user acceptance testing documentation for new system implementations, parallel testing not performed before cutover, and system configurations not formally reviewed and approved before go-live.

Vendor Support: SOX Advisors and GRC Platforms

Most mid-market companies cannot build a SOX program entirely with internal resources. The question is not whether to engage outside support, but how to structure it efficiently.

Big 4 SOX Advisory

Big 4 firms offer dedicated SOX advisory practices that can manage the entire SOX program on behalf of management — from scoping through testing. The advantage is the depth of methodology, experience with SEC and auditor expectations, and the ability to handle complex accounting and IT issues. The disadvantage is cost: Big 4 SOX advisory engagements for a first-year program can run $500,000 to $2,000,000+. For large accelerated filers with significant complexity and a 404(b) requirement, Big 4 advisory is often the appropriate choice.

Regional Firms with SOX Practices

Regional and national mid-tier firms increasingly have dedicated SOX and internal controls practices. Firms like Grant Thornton, BDO, RSM, and Moss Adams have deep experience with mid-market SOX programs and can provide comparable methodology at a lower price point — often $200,000 to $600,000 for a first-year program. For accelerated filers and non-accelerated filers, regional firms represent strong value.

GRC Software: Control Documentation and Testing Platforms

Governance, Risk, and Compliance (GRC) platforms have become an essential part of mid-market SOX programs. Tools like AuditBoard, Workiva, LogicGate, and Diligent streamline control documentation, workflow management, testing evidence storage, and deficiency tracking. A well-configured GRC platform can reduce the time spent on SOX administration by 30 to 50 percent and provides a defensible audit trail for management assessment. External auditors can often access the platform directly, reducing back-and-forth on evidence requests.

Outsourced Internal Audit

For companies without an internal audit function, co-sourcing or full outsourcing of internal audit to a specialized firm provides both independent testing capability and subject matter expertise. Outsourced internal audit teams can conduct SOX testing under management's direction while maintaining the independence required to provide credible results. This model is particularly cost-effective for accelerated filers who need robust testing but cannot justify a full internal audit headcount.


Building a Cost-Effective SOX Program

First-year SOX compliance costs of $1.5 million to $3 million are real — but they reflect programs that are poorly scoped, over-engineered, or staffed entirely with high-cost external resources. A well-designed mid-market SOX program can achieve compliance at meaningfully lower cost by making smart decisions about scope, automation, and staffing.

Right-Size Your Control Framework

The biggest cost driver in SOX programs is the number of controls tested. More is not better. The SEC's guidance on SOX implementation has consistently emphasized a top-down, risk-based approach: focus testing on controls that address the most significant risks of material misstatement, and avoid documenting controls that do not meaningfully reduce financial reporting risk. A well-scoped program with 150 to 200 key controls is more defensible and far less expensive to maintain than a sprawling inventory of 400+ controls where the risk-to-control mapping is unclear.

Leverage Automation

Automated controls — system-enforced access restrictions, automated three-way matching, system-generated exception reports — require less testing than manual controls and operate with greater consistency. Investing in ERP configuration and system controls during your SOX readiness phase can reduce the manual control burden over the long term. Automated controls typically require only one or two test procedures versus the larger samples required for manual controls.

Co-Sourcing vs. Full Outsource

Full outsourcing of your SOX program to an external provider gives you access to expertise but leaves your internal team under-developed and creates dependency. Co-sourcing — where an internal SOX manager or controller owns the program and external resources augment specific capabilities — is typically more cost-effective over a multi-year horizon. Build internal capability early; the cost of a dedicated SOX manager or controller who owns the program is often recovered through reduced external advisory fees within two years.

GRC Tools That Reduce Manual Effort

Manual SOX programs — spreadsheet-based control matrices, email-based evidence collection, PDF workpapers stored in shared drives — are expensive to operate and difficult to audit. Investing in a purpose-built GRC platform in year one creates an infrastructure that pays dividends over subsequent years. Most GRC platforms are priced in the $50,000 to $150,000 per year range for mid-market companies — a fraction of the labor cost savings from automated workflow and evidence management.

Continuous Monitoring

Continuous monitoring tools that automatically flag anomalies in financial data — unusual journal entries, access rights changes, transactions outside normal patterns — allow the SOX team to focus testing on areas of elevated risk rather than sampling uniformly across all transactions. Data analytics tools integrated with your ERP can test entire populations rather than statistical samples, increasing coverage while reducing manual effort. Continuous monitoring also supports the Monitoring component of COSO, strengthening your overall control framework.

Key Takeaways