
Sarbanes-Oxley compliance—obligatory and complex

August 05, 2025

Key takeaways

Initial SOX compliance can wallop companies not used to complex public company reporting.

Global expansion complicates SOX compliance exponentially.

Bringing on a SOX compliance advisor can alleviate stress and ensure accurate, timely performance.


Sarbanes-Oxley Act (SOX) compliance can be shockingly complicated and staggeringly time-consuming—especially when a private entity takes a company public and every element of the SOX process is new.

Compliance is an obligation, but the process also helps companies get their numbers right and maintain shareholder value. Compliance cements shareholder trust and gives the attesting executives (the CEO and CFO who must personally certify the financial reports) confidence and peace of mind, since no one wants to be fined, censured or jailed.

Below we review common questions and issues that newcomers encounter, a structured approach to the SOX compliance process and some tips for success—especially if your operations involve overseas offices.

Unique challenges for the middle market

SOX compliance can be especially daunting for middle market firms that don’t have the deep staff or public accounting expertise of Fortune 500 companies.

Global growth compounds a middle market company's challenges. Every country your business expands into adds a new layer of SOX complexity because the scoping, control design and testing process must start from scratch in that country. Leadership must understand the new requirements that global expansion introduces, particularly if an acquisition is involved: the acquired company will have its own local management and human resources team, its own information technology systems and its own financial processes, including accounts payable, inventory and close, each of which must be understood and brought under the SOX control framework.

Even companies with an experienced and efficient internal audit department can be overwhelmed by the extra SOX compliance work that an international expansion brings. The controls piece alone—understanding, integrating and then implementing—can feel very much like a merger with another company.

A structured approach to SOX compliance

SOX compliance is a long and arduous process. Companies tackling it in-house or working with an advisor benefit from breaking down their approach into distinct steps and anticipating the time needed to adequately complete each step.

Step 1: Conduct risk assessment and scoping. A scoping exercise establishes a foundational understanding of where risk exists within financial reporting for all accounts and processes. After illuminating and documenting the risk areas for material misstatement, an organization identifies where it needs help to mitigate these risks. It’s critical to be thorough in this first step to set a clear path for efficient action in future steps.

Step 2: Design key internal controls. After a company has documented its risk areas, it needs to prepare risk and control matrices and create supportive process documentation like narratives and flow charts, which guide the risk mitigation actions. This step is more labor-intensive and time-consuming than most companies realize.

Step 3: Evaluate effectiveness and perform gap analysis. Are your controls effective at mitigating your risks, or are there gaps? What improvements or enhancements are needed? Would process automation help? This step includes detailed findings and recommendations for fixes. Investing the time needed in the first two steps prevents surprises from cropping up in Step 3.

Step 4: Test and evaluate operating effectiveness. Are the new controls working correctly? Are there control deficiencies? What still needs work? This step spans the full test period and should include remediation plans to correct shortcomings, with specifics on how those plans should be executed.

For companies new to SOX, the three most common questions are:

When should we start compliance efforts?

As soon as possible, but generally six months prior to going public.

Where do we start?

Begin with a risk assessment to determine focus areas and then design the internal controls.

What time commitment should we prepare for?

This varies greatly depending on the organization and whether all steps will be handled internally or some or all efforts will be outsourced or co-sourced.

Tips for successful SOX compliance execution

  • Be prepared. Awareness is power. Arm your leadership with the knowledge that SOX compliance is a heavy lift. You can’t wing it, and a significant investment of time and resources will be required.
  • Help leadership understand the benefits of global expansion as well as the significant challenges of meeting compliance requirements with offices in multiple countries.
  • Educate your overseas teams on the history of SOX and enlist local champions to frame the issue and gain acceptance.
  • Expect cultural differences and resistance. Overseas teams operate under their own local compliance laws and often bristle at having to abide by a U.S. law as well. They are likely unfamiliar with SOX and may not understand why compliance is needed or how the process adds strategic value.
  • Be cognizant of the effort you’ll expend on system preparation. Complex systems that were designed for individual country needs and regional authorities will now have to accommodate SOX as well. The analysis and adjustments required to accomplish this are rarely simple or fast.
  • Acknowledge the heavy lift of software readiness, which can be complicated by disparate systems and programs that contain crucial information for SOX reporting. Data ingestion by your system during the audit phase and the rollout of controls during testing require major staffing and cost investments. Anticipate the complexity and extended timeline so you’re prepared.

RSM’s value as an advisor

If SOX compliance feels daunting—and it is—consider bringing in an advisor to assist you. Some of the capabilities RSM brings to SOX compliance are:

  • Extensive industry and global (in-country) experience, including foreign language skills, to inform and educate your team
  • The resources and support needed to reduce your team’s workload and accelerate confident compliance execution
  • A modern framework and technology solutions that include data analytics, process mining and automation

