6 steps to achieving SOX compliance

Start your Sarbanes-Oxley compliance journey here

Jun 14, 2023

Not all companies need to go public, but for some it opens a new level of funding and stature. It’s a huge step that requires a great deal of planning and work. Operating as a public company in the U.S. demands a very stringent level of compliance that can require building out additional processes, controls and technology that weren’t necessary as a private company but are essential to planning and executing an initial public offering (IPO).

You need to develop a Sarbanes-Oxley (SOX) compliance strategy—a framework that will help you reduce time, save money and minimize risk, including personal liability of the CEO and CFO, who must certify compliance. Even if you are already a public company, you will need to periodically reassess and possibly update your SOX compliance processes and strategies.

What is involved?

Developing a SOX compliance program is a complex, time-consuming process that requires coordination, specific skills and scrupulous documentation. But as with any huge business task, the key is to tackle it in an incremental fashion. The typical approach contains six distinct stages, each of which results in a set of deliverables to drive the next step in the process. Success requires deep preparation, though, and some of your earliest goals will be to conduct a top-down risk assessment and to calculate materiality—at what dollar level might an error in an account balance materially impact the economic decisions made by the company?

How long will it take?

You should expect to spend 18 months or more readying your organization for SOX compliance. If you are preparing for an IPO, leading practice is to start this process no later than six months prior to your offering, as you have one year from the date of your IPO to document and assess internal controls and provide an independent auditor’s attestation report.

  • Calculate materiality: At what dollar level might an error or omission in an account balance materially affect the economic decisions made by users of the company’s financial statements, such as company management or investors? Materiality will vary from company to company. While $1 million may be material to one company, $10 million may be material to another.
  • Perform a top-down risk assessment and define program scope, considering both qualitative and quantitative factors.
  • Map the financial statements to the core business processes to determine the accounts to be in scope and identify the relevant financial statement assertions for each material account.
  • Review scoping with project sponsor before defining project approach, milestones and timeline.

Deliverables:

  • Risk assessment, scoping document, and project plan

Do you have the tools you need?

Our latest implementation guide details the top five challenges companies face in SOX compliance. Overcome them with the right advisory team to help make the process more affordable and far easier.