organize SOX in big company



  • Hello,
    I work as an organizational consultant for a large company with more than 10,000 workers.
    I need to organize a SOX unit and wonder how it is organized in other large companies: is it a separate unit or department from the accounting department, is it a part of the accounting department (a small group in the department), etc…
    How many workers should be in the SOX unit in a company like the one I am talking about?
    Any help is welcome
    Have a nice day



  • At many companies, the SOX compliance team would be a group within the accounting department (e.g., reporting to the Controller) or a group within the internal audit department. In rare cases, it could report to risk management or even legal. As to numbers of personnel, that can vary widely among companies, and it depends on whether the SOX group performs monitoring and independent testing or simply performs the project management function for SOX compliance. Also depends on how much you rely on self assessments. Including internal audit staff, I would give a ballpark range of 4 - 8 personnel dedicated to SOX for a company your size - maybe more if you are very decentralized or geographically dispersed.



  • I agree with NC_Sox that most SOX compliancy team members would come from: Internal Audit, Finance/Accounting, and Information Technology. Some team members may also be part time, although for a 10,000 person organization the coordinator and primary controllers/testers could be full time positions.



  • This is a dilemma that I have seen faced by many companies. Should the SOX position report through the corporate controller since they are testing and providing a management attestation on behalf of management, or should they report through Internal Audit for independence? It’s a mixed bag and depends heavily on your IA department as well as your controllers. I would tend to lean more towards IA because of independence, but you may get some struggle from them because they don’t want to be responsible for providing management’s attestation. I find time-wise it is better to resource with IA because SOX does have downtime, and if you have a FT SOX team you often have to work on special projects during the downtime, which could impair your independence, vs. if you work in audit they can just schedule you for an audit during downtime.
    Also, in years when there are big system or process changes, you will typically have more SOX issues and it will take more time, so having additional resources at your fingertips in the form of other audit staff is often useful and prevents the need to outsource to more expensive solutions. I would be happy to discuss further if you are still looking for information.
    Kind Regards,
    Cassandra
    cassandra.luppens_at_gmail.com



  • I also agree with Cassandra’s recommendation in using Internal Audit professionals to perhaps lead the SOX effort as the overall coordinator. This is primarily due to their specialized training and experience in evaluating and often designing controls via audit recommendations. Choosing the lead from IT or the Financial sector can also work, but there may be controls overlooked that might be better addressed when someone has functioned in this specialized capacity for many years.



  • I am a SOX consultant and have worked internationally including Canada.
    If you need someone to document your processes I can do that.
    I have documented processes outside of accounting.


