It’s a rare company that doesn’t have too many controls in scope for SOX.
Many have far more than they need.
I am not surprised when a reinvigorated focus on a risk-based program is able to deliver cuts in scope of 20%-50%.
The secret to the “right” scope is in understanding what should be included:
The controls relied upon to either prevent or detect a material error or omission in the financial statements filed with the SEC.
What doesn’t have to be included?
Those controls that, if they failed, wouldn’t present at least a reasonable possibility of a material error or omission.
I have been leading a SOX Masters class (with one scheduled for April) for SOX project managers and their teams for about a dozen years. It is based on my best-selling book, Management Guide to Sarbanes-Oxley Section 404 (now in its 5th edition).
Over those years, I have worked with hundreds of SOX leaders and helped them right-size their SOX program scopes.
There are several reasons why scopes have become so bloated, including one or more of the following:
- Management has never (or at least not in many years) taken controls out of scope. Controls have been added but are rarely deleted.
- The scope includes what are considered important controls. While they may be important for the business, the question has not been asked whether,…