SOX compliance checklist

A practical Sarbanes-Oxley compliance checklist focused on Section 404: scoping significant accounts and ITGCs, documenting control design, testing operating effectiveness, evaluating deficiencies, and supporting management's assertion. With the annual ICFR cycle rendered as a BPMN map.

Who SOX applies to

US public companies that file annual reports with the SEC (and their material subsidiaries). SOX Section 404(a) applies to all SEC filers; Section 404(b) external-auditor attestation applies to accelerated filers and large accelerated filers only. Three populations are exempt: non-accelerated filers have always been exempt; smaller reporting companies with annual revenues below $100M were carved out by the SEC's 2020 amendments to the accelerated-filer definitions; and emerging growth companies are exempt for up to five years post-IPO under the 2012 JOBS Act.

Jurisdiction: US public companies (and their material subsidiaries). Full name: Sarbanes-Oxley Act of 2002.

The SOX compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Identify significant accounts, processes, and locations in the SOX scope each year.
  2. Identify IT General Controls (ITGCs) for the systems supporting financial reporting.
  3. Document control design - risk-control matrix, control owners, frequency, evidence.
  4. Map controls to COSO 2013 internal-control framework components.
  5. Perform walkthroughs to confirm design as documented.
  6. Test operating effectiveness across the year - sample size driven by frequency.
  7. Evaluate findings; remediate and re-test before year-end.
  8. Issue management's Section 404(a) assertion on ICFR effectiveness.
  9. External auditor performs the Section 404(b) integrated audit (where applicable).
  10. File the 10-K with management assertion and auditor opinion.

SOX as a process map

The annual SOX Section 404 cycle, from scoping through 10-K filing. The deficiency re-test loop is the part that breaks year-end timelines - most companies leave too little time for remediation between testing and management's assertion.

SOX control deficiency evaluation and remediation

A SOX (Sarbanes-Oxley Act §404) control-deficiency evaluation and remediation process rendered as a BPMN 2.0 process map. The flow identifies a deficiency through testing, evaluates severity against PCAOB AS 2201 / SEC Final Rule 33-8810 (control deficiency, significant deficiency, or material weakness), drives the remediation plan, re-tests the control, and feeds the outcome into management's §404 assertion and the auditor's ICFR opinion - including the public disclosure path when a material weakness cannot be remediated by year-end.

  1. Identify a potential control deficiency through walkthroughs, design assessment, or operating-effectiveness testing.
  2. Evaluate severity using AS 2201 paragraphs 62-68 - probability of misstatement and magnitude of potential misstatement.
  3. Classify the deficiency as a Control Deficiency, Significant Deficiency, or Material Weakness based on the severity matrix.
  4. Open a remediation plan with control owner, root cause, compensating controls, and a target re-test date.
  5. Re-test the remediated control with a sufficient sample after the control has operated for a reasonable period.
  6. If the re-test passes by year-end, close the deficiency and reflect it in the period's ICFR conclusions.
  7. If a Material Weakness remains at year-end, management must report ICFR as not effective in the §404(a) assertion and disclose under Item 9A; the auditor issues an adverse ICFR opinion under §404(b).
Frequently asked questions

What is SOX Section 404?

Section 404 of the Sarbanes-Oxley Act requires US public companies to assess and report on the effectiveness of their internal controls over financial reporting. Section 404(a) is management's assessment and applies to all SEC filers. Section 404(b) is the integrated audit performed by the external auditor and applies only to accelerated and large accelerated filers. Non-accelerated filers have always been exempt; smaller reporting companies under $100M in revenue were carved out by the SEC's 2020 amendments; emerging growth companies have a separate 5-year post-IPO exemption under the JOBS Act.

How does SOX interact with COSO and PCAOB AS 2201?

COSO 2013 is the most widely used framework for the internal control structure. PCAOB Auditing Standard 2201 governs how the external auditor conducts the integrated audit. A SOX programme typically maps each significant control to a COSO component and follows AS 2201 logic for testing depth.

What are ITGCs?

IT General Controls - the controls over the IT environment that support reliable processing for the financial-reporting systems. The classic ITGC categories are access management, change management, IT operations, and program development.

How long does a SOX programme take to build from scratch?

A first-year SOX programme typically takes 9–12 months from scoping to auditor walkthrough. The cadence shortens after Year 1 because the scope, control documentation, and testing approach roll forward - but the testing window remains the binding constraint.

Turn the SOX checklist into a working process

Open the SOX process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.