KnowledgeLeader provides best practice articles, tools, guides and other resources on the Sarbanes-Oxley Act (SOX). This page contains an alphabetized list of all of the resources and tools on SOX, particularly Section 302 and Section 404, that are available for download on KnowledgeLeader. For more tools and publications on this subject, visit our Sarbanes-Oxley Act topic area.
SOX Policy Evaluation Checklist
Policies are an important part of the internal control over financial reporting evaluation process. This is a sample checklist to use when identifying the availability and status of company policies associated with the financial reporting process. This tool also assists with organizing policies by financial statement, area of significance, and financial statement element.
SOX Process Flow – High Level Methodology
This process flow documents a high-level methodology for Sarbanes-Oxley compliance.
SOX Process Walkthrough Questionnaire
The purpose of this template is to provide guidance to business units in the performance of walkthroughs associated with Sarbanes-Oxley Act compliance requirements. It may also be used by management in other matters related to the evaluation of internal controls over financial reporting.
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
SOX Testing Documentation Template
This template can be used to document SOX internal control testing procedures, results and recommendations.
SOX Year-End Update Testing Memo
This memo defines the process a company uses to update testing of internal controls for Sarbanes-Oxley compliance purposes near or at the year end.
Sarbanes-Oxley Walkthrough Checklist
The purpose of this checklist is to provide guidance to help a process owner prepare for a process walkthrough. It also includes post-walkthrough questions to help the process owner document any questions or issues raised.
2014 Sarbanes-Oxley Compliance Survey
Interestingly, many companies appear to be moving rather slowly to adopt the new COSO framework, even though it is recommended for fiscal year-end dates beginning on or after December 15, 2014. Of note, the Securities and Exchange Commission (SEC) has specifically pointed out that it is monitoring the transition by issuers to the new framework as part of their documenting internal control over financial reporting. In this report, we offer detailed breakdowns of this and numerous other findings by filer status and company size. Our key findings this year include: Companies are getting started, albeit slowly, with implementing the new COSO framework; There is measurable fallout from the PCAOB’s inspection reports; Compliance costs are going up but are still manageable for many; Organizations continue to automate more processes and controls.
2015 Sarbanes-Oxley Compliance Survey
In this report, we detail our findings from our 2015 SOX Compliance Survey.
2016 Sarbanes-Oxley Compliance Survey
Protiviti’s annual Sarbanes-Oxley compliance survey looks deeply into several areas, including costs, hours and control environments of a broad spectrum of organizations.
2016 Sarbanes-Oxley Compliance Survey Podcast
Brian Christensen, Protiviti’s global internal audit leader, highlights key findings from the 2016 Sarbanes-Oxley Survey in this podcast.
Capitalizing on Sarbanes-Oxley Compliance to Build Supply Chain Advantage
Executives rely on internal controls to provide a reasonable level of assurance that supply chain processes and financial transactions function as designed. As a result, executives should adopt a back-to-basics approach to understanding and prioritizing supply chain risks, capabilities, measures and controls, beginning with but expanding beyond their material impact on the company's financial statements. This booklet, co-produced by Protiviti and APICS, details how the Sarbanes-Oxley Act (SOX) has a complementary impact on supply chain risks in infrastructure design, transaction integrity and reporting measures. It also focuses on corporate governance requirements such as executive certification and internal controls over financial reporting. The scenarios we highlight demonstrate how the failure of supply chain “operational controls” can strain an organization’s ability to produce reliable and fairly presented financial statements.
Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements
There are many questions on the minds of directors, certifying executives and auditors as they work together to comply with the Sarbanes-Oxley Act and new requirements from the SEC and NYSE. Listed in this booklet are common queries from companies who are dealing with these requirements. We have provided responses based on our experience that will assist executives as they evaluate their company's disclosure controls infrastructure and processes supporting executive certifications.
Guide to the Sarbanes-Oxley Act FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act FAQ, which contains suggestions for Sarbanes-Oxley compliance matters, including effectively segregating incompatible duties, efficiently testing application security, and utilizing automated application controls to reduce the burden of manual procedures.
Guide to the Sarbanes-Oxley Act
As organizations complete their second year of Sarbanes-Oxley Act (SOX) compliance, executives and audit committees are expecting more value with lower costs. Fulfilling these expectations will require a shift from simply repeating the same SOX project each year to a sustainable, cost-effective compliance process that is embedded into business as usual. For many companies, significant opportunities to improve the efficiency and effectiveness of their SOX compliance efforts reside at the application level. The questions answered in this booklet have arisen in our discussions with clients and others in the marketplace who frequently deal with SOX compliance matters and are focused on improving internal control over their critical business applications.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
Since the third edition of Frequently Asked Questions Regarding Section 404 of Protiviti’s Guide to the Sarbanes-Oxley Act (SOX) series was released in August of 2004, much has happened. For example: The U.S. SEC has created a “large accelerated filer” category and has adopted different deadlines for initial Section 404 compliance for accelerated foreign private issuer filers and non-accelerated U.S. domestic issuer and foreign private issuer filers. This booklet is designed to help answer questions about the sections of SOX pertaining to public reporting; this information will assist Section 404 project sponsors, leaders and team members. We have provided responses and points of view based on our experience that we hope will assist companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to enhance their executive certification process. We have also held discussions from time to time with both the SEC and PCAOB staff to understand their views on key points and confirm our interpretations in certain areas.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404, which considers the SEC’s interpretive guidance to management and incorporates the PCAOB’s major revisions to Auditing Standard No. 2.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
The Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly-traded companies establish internal controls for financial reporting and maintain those controls to ensure they are effective, with the purpose of reducing corporate fraud. The priority goals of Section 404 align with management’s existing responsibilities when undertaking an IT conversion or implementation project. In this booklet, we provide guidance to Section 404 compliance project teams on the consideration of information technology (IT) risks and controls at both the entity and activity levels within an organization. We also explore how application-control assessments are integrated with the assessment of business-process controls, and address documentation, testing and remediation matters.