A couple of questions to see other companies' practice 2948



  • I am curious on a couple of items:

    1. Those companies that have SOX testing completed by local offices i.e. do not have a core SOX team that travels to different locations to do the SOX test - how many people are there in the Corporate SOX group to manage these efforts?
    2. Those companies that have the SOX function report outside of Internal Audit - to what extent do the SOX group and Internal Audit Group interact? We have a regular IA group, and a SOX function where one person oversees the SOX compliance. It seems that by nature and through sheer number of staff, IA constantly finds control issues at locations, and as the SOX function, I am constantly playing catch-up to evaluate these issues to see whether they should be added to the SOX test program. So far it seems to work well, but I feel that I am always at the ‘reactive’ side to address items found. Any thoughts?


  • Hoiya,
    I can appreciate your desire to benchmark. The company that I work at is Fortune 200. I’m only a staff level auditor, but I’ve been involved in our SOX assessment and testing since I started.
    SOX testing should be performed by ‘process owners’ where ever the controls are located. Internal auditor (or a SOX team) then reviews the review of the ‘process owners’ to determine if controls are working and intended. So with that in mind:

    1. The SOX testing should be performed where ever the control is taking place. With pdf and fax, reviewing the testing is easily performed at a central location. Our IA team is about 20 strong, and we test in 3 phases: Walkthrough, Round 1 and Round 2. It’s a big effort. We have one person who’s responsibility is to coordinate process owners and auditors.
    2. We recently transitioned from a split Internal Audit and SOX team into one team. In the beginning developing a comprehensive SOX program required a dedicated team. Now that the controls have been identified and documented, it no longer made sense to have a dedicated team.
      Overall, these are some pretty high level and strategic questions. You will need to evaluate where you are in the time line of SOX and how many resources you have available to determine how to structure yourself.


    1. My company has 2 people in its Corp. SOX group.
    2. We interact with IA almost daily. I don’t feel like we are in the same reactive mode as you, possibly because there are two of us (instead of just one), and because over the years our numbers of issues have declined as our SOX environment has matured. Our issues are at a manageable level now. At one time when our deficiency counts were higher, we had 5 people in our PMO, and we’ve slowly cut back to our current staff of two.

Log in to reply