
Scoping, walkthroughs, and remediation for first-time and seasoned filers: a program that passes external audit without bloating cycle over cycle.
First-time filers scope SOX too narrowly. The PCAOB has noticed.
Section 404(a) is a management assertion. Section 404(b) is the auditor's opinion on that assertion. The gap between the two is where most SOX programs go wrong — usually because the scoping was done in a vacuum, the IPE (information produced by the entity) inventory was an afterthought, and the controls that matter to the auditor were not the ones the institution invested in testing.
We have run SOX programs for first-time S-1 filers, seasoned accelerated filers, and institutions emerging from material weakness remediation. The work is the same shape — scoping, walkthroughs, design and operating effectiveness testing, deficiency aggregation, reporting — but the calibration is different in each case.
The discipline is in what you leave out. A good SOX program does not test every control; it tests the ones that, if they failed, would matter. Our scoping starts with the financial statement assertions and works backward to the controls. Less work, more coverage, fewer surprises in October.
Materiality, account/disclosure analysis, process mapping, control identification calibrated to the audit firm's approach.
One full transaction per significant process; flowcharts updated; IPE inventoried and validated.
Test plans, sample sizes that match the auditor's expectations, exception evaluation, remediation cycles.
IT general controls (ITGCs) across change management, access, and operations, tied explicitly to the application controls they support.
Deficiencies, significant deficiencies, material weaknesses — and the math that distinguishes them.
Disclosure controls (Section 302), the ICFR conclusion (Section 404), and the conversations with the audit committee around each.
Materiality set, processes mapped, controls inventoried, IPE catalogued.
Walkthroughs, design assessment, gaps identified, remediation plans drafted.
Sample-based testing across the year; exceptions tracked, evaluated, communicated.
Deficiency aggregation, ICFR conclusion, audit committee briefing, 10-K disclosures.
Risk Advisory · Internal Controls · 27 yrs
Andres has led SOX programs through first filings, restatements, and steady-state cycles for community banks, regional banks, and Fortune 1000 institutions across twenty-seven years.
We do not sign the audit opinion on financial statements or on internal control over financial reporting. That is the external auditor's role; ours is to make sure the institution is ready to receive that opinion clean.