March 31, 2026

What are SOX controls? Best practices for defining your scope

Vice Vicente

Key Takeaway: SOX controls are the internal controls over financial reporting (ICFR) required of SEC registrants under the Sarbanes-Oxley Act of 2002. Amended PCAOB AS 2201 and AS 2101, effective for fiscal years beginning on or after December 15, 2026, formalize a top-down, risk-based scoping approach centered on entity-level controls. KPMG's 2025 SOX Survey puts average program cost at $2.3M and 15,581 hours.

The Sarbanes-Oxley Act of 2002 (SOX) has been on the books for more than two decades, yet scoping debates over what counts as a SOX control still consume hours of audit committee time each quarter. The simplest framing: SOX controls are the subset of internal controls that directly address risks to the accuracy and integrity of financial reporting. Everything else — however critical to the business — sits outside the SOX boundary even if it deserves rigorous controls of its own.

Optro gives an overview of what SOX controls are, how to test them, and how SOXHUB can help.

SOX compliance requirements

The SOX requirements for publicly traded companies registered with the Securities and Exchange Commission include internal controls for processes and systems impacting financial reporting. SOX regulations exist to ensure accurate and reliable financial reporting and rebuild investor trust after fraud scandals like Enron and WorldCom. SOX controls are specifically designed to prevent and detect corporate fraud, material misstatements, and inaccuracies — whether intentional or unintentional — in financial reporting. Confusion about which controls count as SOX controls is mostly a matter of scoping — understanding where SOX ends and regular management internal controls start.

The Sarbanes-Oxley Act of 2002 has 11 titles, with three having a major impact on financial reporting and the responsibilities of the CEO and CFO: Section 302, Section 404, and Section 906.

  • Section 302 mandates that CEOs and CFOs certify the financial records of their companies, indicating that (1) reports are accurate, (2) reports are fairly presented in all material aspects, (3) management acknowledges responsibility for disclosure controls, procedures, and internal controls over financial reporting, and (4) reports are risk-based. This holds CEOs and CFOs personally accountable for their organization's financial statements — a baseline that wasn't codified until SOX was passed.
  • Section 404 requires publicly traded companies and companies pursuing an IPO to engage accounting firms to independently assess and sign off on management's assessment of internal controls. It also requires external auditors to report on the adequacy of the company's internal control over financial reporting (ICFR). It involves annual assessments to ensure controls are effective and reliable.
  • Section 906 explicitly opens the way for criminal penalties to be issued in the event of non-compliance.

The Sarbanes-Oxley Act also created the Public Company Accounting Oversight Board (PCAOB) to watch the watchmen — that is, the PCAOB audits the auditors and accounting firms who sign off on organizations' financial statements and internal control reports.

Image: Section 302, Section 404, and Section 906 summary (Source: Deloitte SOX Compliance)

What SOX controls are (and aren't)

SOX controls address, mitigate, or otherwise manage risks to the accuracy and integrity of financial reporting. The Sarbanes-Oxley Act has a specific jurisdiction — it governs how internal control structures should support accurate, honest, and trustworthy financial information reporting. Controls outside that boundary, no matter how operationally important, are not SOX controls.

Not all controls in an organization's environment will be in scope for SOX, but many will. The best way to determine if a control should be considered relevant for SOX purposes is to ask:

  1. Does this control relate to or input into the financial information used for financial disclosures?
  2. Does this control affect material financial accounts or financial statement reporting?
  3. Does this control affect any systems or processes that feed into financial statement reporting?

If the answer is yes to any of these questions, an organization should consider including that control in the scope of its SOX procedures and internal controls reporting.

The 5 components of SOX internal controls (COSO framework)

SOX internal controls are typically structured around the COSO framework (Internal Control – Integrated Framework), which the PCAOB recognizes as the de facto standard for SEC registrants. The framework consists of five interrelated components:

  1. Control environment — the tone at the top, governance structures, ethical values, and HR policies that set the foundation for internal controls.
  2. Risk assessment — management's process for identifying and analyzing risks to achieving financial reporting objectives.
  3. Control activities — the policies and procedures (approvals, reconciliations, segregation of duties, IT controls) that mitigate identified risks.
  4. Information and communication — the systems and channels that capture financial data and communicate control responsibilities up, down, and across the organization.
  5. Monitoring activities — ongoing and separate evaluations that confirm each component is present and functioning, with deficiencies escalated to management and the board.

Auditors and the PCAOB expect management to design and evaluate ICFR against all five components, not just control activities. COSO's 2023 Internal Control over Sustainability Reporting (ICSR) interpretive guidance also extends these same five components to ESG data, giving teams a defensible structure for non-financial disclosure controls.

Common types of SOX controls

Beyond the COSO components, practitioners classify SOX controls along several axes. Understanding these categories helps audit teams defend control design to external auditors and avoid duplicative testing.

  • Preventive vs. detective controls. Preventive controls (segregation of duties, system access restrictions, approval workflows) stop errors or fraud before they occur. Detective controls (reconciliations, management review controls, exception reports) identify issues after the fact. A defensible control environment uses both.
  • Manual vs. automated controls. Manual controls depend on a person executing the procedure (e.g., a controller signing off on a journal entry). Automated controls are performed by a system (e.g., a configured three-way match in the ERP). Per KPMG's 2025 SOX Survey, automated controls dropped from 21% of total controls in FY22 to 17% in FY24 — a missed efficiency lever.
  • Entity-level vs. process-level controls. Entity-level controls operate organization-wide (control environment, board oversight, fraud risk programs, period-end financial reporting). Process-level controls operate within a specific cycle like order-to-cash or procure-to-pay and address assertion-level risks like completeness, accuracy, and cutoff.
  • IT general controls (ITGCs) vs. application controls. ITGCs cover access, change management, and operations across the systems environment. Application controls are configured within specific systems (edit checks, automated reconciliations, system-enforced approvals).

Is SOX compliance mandatory?

SOX compliance is mandatory for publicly traded companies registered with the SEC and is strongly advisable for companies preparing for an IPO. Nonprofits and private companies are not subject to SOX, though many adopt comparable internal control frameworks voluntarily.

Even without a SOX obligation, nonprofits and private companies often use internal controls frameworks such as COSO ICIF and COBIT to apply risk management and internal controls best practices.

How many SOX controls are there?

There is no required number of SOX controls. A risk-based approach means each business will have a different palette of risks and controls that address them. KPMG's 2025 SOX Survey found the average number of key controls grew 18% from 463 in FY22 to 546 in FY24 — but a higher count is not necessarily a better risk-mitigation strategy and contributes directly to rising program costs.

Common controls most SOX programs share include access controls, segregation of duties, change management, business process controls, data backup, and corporate governance controls. See the SOX program checklist for benchmarking guidance.

SOX 404 controls

SOX 404 refers to Section 404 of the Act, which spells out the requirement for management to implement internal controls over financial reporting. Specifically, Section 404 mandates:

(Sec. 404) Directs the SEC to require by rule that annual reports include an internal control report which (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting and (2) evaluates the efficacy of such mechanisms. It also requires the public accounting firm to attest in their annual audit report on the effectiveness of the issuer's internal controls over financial reporting (ICFR).

Section 404(b) explicitly requires an independent public accounting firm to perform an audit on a company's ICFR. When used as shorthand, "SOX 404 controls" refers to those controls that will be audited by a public accounting firm for compliance with the Act.

How AS 2201 and AS 2101 (effective December 15, 2026) change SOX scoping

The PCAOB's amended AS 2201 and AS 2101 take effect for audits of fiscal years beginning on or after December 15, 2026, and formalize a top-down, risk-based approach to integrated audits. Auditors begin at the financial statement level, focus first on entity-level controls, and work down to significant accounts, disclosures, and relevant assertions.

Practically, SOX teams should re-scope their control matrices so entity-level controls are well-designed and documented, and process-level controls are explicitly linked to specific assertions and material misstatement risks. AS 2201 also expands the use of benchmarking for fully automated application controls: if ITGCs over the underlying system (particularly change management and access) are effective and the control logic has not changed, auditors can conclude the control remains effective without repeating prior-year operating effectiveness testing. The companion QC 1000 standard, also effective December 15, 2026, overhauls firm-wide quality control at external audit firms — tightening how those firms will evaluate and rely on client control environments.

SOX IT controls and cybersecurity

SOX requirements generally include business process controls and SOX IT controls. On the business side, in-scope controls cover the accuracy of data feeding into financial reporting, reconciliations, and financial data processing. From the IT perspective, there are IT general controls (ITGCs) and application controls. SOX IT controls aim to ensure the systems are well-controlled, accurate, complete, and free of errors that could impact financial reporting.

The key to defining SOX scope is understanding which processes and systems impact financial reporting. The most common point of confusion is differentiating between business-critical IT systems and SOX IT systems. A system holding all of your customer information is critical to the organization, but if it does not capture financial data feeding into financial reporting, it is not a SOX application. It should still be well-controlled, but it sits outside SOX testing scope. By contrast, a data center hosting SOX-sensitive (i.e., financial) systems, data, or information is in scope and may even require a physical audit.

When originally issued, the Sarbanes-Oxley Act did not account for the emerging cybersecurity threat landscape. Implementing and maintaining a strong internal controls program still typically calls for strong security controls, especially around sensitive data that may impact financial reporting. SOX controls that also support cybersecurity posture include incident response and remediation, business continuity planning, and data security tied to financial data.

Under the SEC's 2023 cybersecurity disclosure rules, registrants must disclose material cybersecurity incidents on Form 8-K Item 1.05 within four business days of materiality determination and provide annual Regulation S-K Item 106 disclosures on cyber risk management, strategy, and governance. The PCAOB and SEC increasingly view material cyber control weaknesses as potential ICFR deficiencies, so SOX teams should expand their control matrix to cover incident response, materiality assessment workflows, board and management governance over cyber risk, and disclosure controls and procedures (DCP) that feed the 8-K timeline.

Automated controls help here too: they reduce the manual effort needed to mitigate risks and limit user error when executing controls. Even though SOX is not explicitly framed to encourage cybersecurity best practices, stakeholders should keep security in mind as cyber events can cost companies massively in dollars and reputation.

Key SOX controls

Within the universe of SOX controls, the primary controls relied upon for mitigating risk are designated as key controls. Because considerable reliance is placed on them, key controls should be monitored and tested more frequently. Organizations may also set up compensating controls to support key controls if a key control fails to operate. Compensating controls provide additional assurance that financial information is being accurately reported. Because controls identified as "key" can have a major impact on ICFR, SOX teams should stay close to these processes and understand their ins and outs.

Management review controls (MRCs) also play a critical role. MRCs are typically embedded in key controls such as the monthly close, budget vs. actual analysis, and quarterly and annual financial reviews, allowing management to review financial statements for accuracy and completeness before reporting to investors. MRCs also appear in account reconciliations and in approval workflows for significant financial transactions (e.g., wiring funds), ensuring multiple levels of management review before a transaction executes. MRCs are essential because they provide an additional layer of oversight and help ensure financial information is accurate and reliable — but they are also one of the PCAOB's most frequent inspection findings, with "level of precision" (what the reviewer actually evaluated and what threshold triggered follow-up) cited as a common deficiency.

SOX controls testing

SOX control testing is performed by management, internal audit, or both, as well as by external auditors from a public accounting firm. Testing determines whether controls are working as intended or whether there are gaps in the internal control process.

External auditors test controls to vet management's assertions and validate that controls are operating as designed. Internal audit teams and external auditors test SOX controls by first understanding the control and the risks it is designed to mitigate, then designing a test around the control's key attributes or gates, and finally obtaining the evidence and reasonable assurance needed to conclude whether the control is working as intended or whether there are findings. PCAOB inspection findings underscore why rigor matters — deficiency rates remain elevated, particularly at smaller non-affiliated firms.

One scoping gap practitioners routinely contend with: per KPMG's 2025 SOX Survey, 56% of organizations report their external auditors test fewer in-scope controls than management does internally, and 90% cannot quantify fee savings from auditor reliance. A formal annual scope reconciliation — walking the auditor's reliance model line-by-line against the internal control matrix — is the most direct way to identify duplicative effort.

SOX reporting

SOX reporting is performed both internally and externally. Internal SOX reporting includes testing status updates created by management or internal audit, with any issues found and remediation plans to address control failures or deficiencies.

External SOX reporting combines reports submitted by the company to the SEC and an audit report from the external auditor. The auditor's report expresses an opinion on the accuracy of the financial statements and the effectiveness of management's internal controls over financial reporting. Mandatory components of external SOX reporting include:

  • Quarterly and annual reports. Public companies are required to submit quarterly (10-Q) and annual (10-K) reports to the SEC. These reports must include certified financial statements and disclosures about the company's financial health and internal controls.
  • Internal control reports. Section 404 requires management to include an internal control report in the annual 10-K. The report must state management's responsibility for establishing and maintaining adequate ICFR, along with an assessment of effectiveness.
  • Material changes disclosure. Section 409 requires companies to disclose material changes in financial condition or operations on a rapid and current basis, usually through an 8-K filing. The SEC's 2023 cyber rules added Form 8-K Item 1.05 for material cybersecurity incidents.
  • Record retention requirements. Section 802 imposes stringent record retention requirements. Companies must retain all audit or review work papers for five years (seven under PCAOB rules). Destruction, alteration, or falsification of records is subject to severe penalties.
  • Enhanced financial disclosures. SOX requires enhanced financial disclosures, including off-balance-sheet transactions, pro forma figures, and the use of special purpose entities (SPEs). This drives greater transparency and accuracy in financial reporting.

Start testing SOX controls today

Given the scope and complexity of SOX audit programs, the Institute of Internal Auditors (IIA) recommends that management start testing SOX controls early each year and treat the program as an ongoing, year-round internal control testing process.

SOX compliance checklist

1. Define the SOX audit scope using a risk assessment approach.

PCAOB AS 2201 states, "A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts, disclosures, and their relevant assertions."

This step in a SOX compliance audit process should not produce a list of compliance procedures. It should help the auditor identify potential risks and their sources, how they might impact the business, and whether internal controls qualify as SOX controls — i.e., whether they provide reasonable assurance that a material error will be avoided, prevented, or detected.

2. Determine materiality in SOX — accounts, statements, locations, processes, and major transactions.

  • Step 1. Determine what items are material to financial statements and financial disclosures reported to investors. Items are "material" if they can influence the economic decisions of users. Auditors typically determine materiality by calculating a percentage of key financial statement accounts — for example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and balance sheet accounts.
  • Step 2. Determine all locations holding material account balances. Analyze financials for every location where you do business. If account balances at any of these locations exceed the materiality threshold from Step 1, they will likely be considered material and in scope for SOX testing in the coming year.
  • Step 3. Identify transactions populating material account balances. Meet with your controller and the specific process owners to determine the transactions (both debits and credits) that cause the financial statement account to increase or decrease. Document how these transactions occur and how they are recorded in a narrative, flowchart, or both.
  • Step 4. Identify financial reporting risks for material accounts. Understand what could prevent the transaction from being correctly recorded — the specific risk event — then document how the risk event could cause the account balance to be incorrectly recorded or break a financial statement assertion.
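To make Steps 1 and 2 concrete, here is an added example (not code from the article or from Optro) of a small scoping helper: it derives a materiality threshold from benchmark percentages of key accounts, screens each location's balances against it, and then checks whether the locations that fall out individually still add up to a material amount for any account. The benchmark mix, the "lowest benchmark wins" rule, the aggregate-coverage check, and all financial figures are constructed assumptions for the illustration; every firm sets its own methodology.

```python
"""Added example, not part of the original article: a materiality scoping
helper for Steps 1 and 2 of the SOX scoping checklist. All figures and the
benchmark methodology are constructed assumptions for the illustration."""
from typing import Dict, List

# Step 1 benchmarks as integer percentages of key financial statement accounts.
# 5% of total assets is cited in the article; 4% sits inside the 3-5% band it
# gives for operating income (the exact figure is an assumption here).
BENCHMARK_PERCENT = {
    "total_assets": 5,
    "operating_income": 4,
}

# Constructed sample financials and per-location account balances (not real data).
SAMPLE_FINANCIALS = {"total_assets": 40_000_000.0, "operating_income": 6_000_000.0}
SAMPLE_BALANCES = {
    "US": {"revenue": 5_000_000.0, "inventory": 900_000.0, "prepaid": 50_000.0},
    "UK": {"revenue": 300_000.0, "inventory": 120_000.0},
    "DE": {"revenue": 150_000.0, "inventory": 200_000.0},
    "SG": {"revenue": 100_000.0, "inventory": 30_000.0},
}


def materiality_threshold(financials: Dict[str, float]) -> float:
    """Step 1: compute a candidate threshold from each benchmark and keep the
    most conservative (lowest) one, so a single large benchmark cannot narrow
    scope on its own. Integer percentages keep the arithmetic exact."""
    candidates = [
        financials[acct] * pct / 100
        for acct, pct in BENCHMARK_PERCENT.items()
        if financials.get(acct, 0) > 0
    ]
    if not candidates:
        raise ValueError("no usable benchmark accounts in financials")
    return min(candidates)


def material_locations(balances: Dict[str, Dict[str, float]], threshold: float) -> Dict[str, List[str]]:
    """Step 2: for every location, list the accounts whose absolute balance
    meets or exceeds the threshold. abs() matters because a large credit
    balance is just as material as a large debit balance."""
    return {
        location: sorted(acct for acct, bal in accounts.items() if abs(bal) >= threshold)
        for location, accounts in balances.items()
    }


def aggregate_gaps(balances: Dict[str, Dict[str, float]],
                   coverage: Dict[str, List[str]],
                   threshold: float) -> Dict[str, float]:
    """Coverage check (an assumption of this example, common in practice):
    sum, per account, the balances at locations where that account was NOT
    picked up individually. If the uncovered total is itself material, the
    scoping team should revisit those locations or add a group-level control."""
    uncovered: Dict[str, float] = {}
    for location, accounts in balances.items():
        for acct, bal in accounts.items():
            if acct not in coverage.get(location, []):
                uncovered[acct] = uncovered.get(acct, 0.0) + abs(bal)
    return {acct: total for acct, total in sorted(uncovered.items()) if total >= threshold}


if __name__ == "__main__":
    t = materiality_threshold(SAMPLE_FINANCIALS)
    cov = material_locations(SAMPLE_BALANCES, t)
    print(f"threshold: {t:,.0f}")
    for loc, accts in cov.items():
        print(f"  {loc}: {accts or 'out of scope individually'}")
    print("aggregate gaps:", aggregate_gaps(SAMPLE_BALANCES, cov, t))
```

With the sample data the operating-income benchmark sets the threshold at 240,000, only the US and UK locations carry individually material balances, and the revenue and inventory balances left behind at DE and SG still add up to more than the threshold, which is exactly the kind of gap Step 2 is meant to surface before the testing year starts.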

3. Identify SOX controls — non-key and key controls, ITGCs, and other entity-level controls.

During materiality analysis, auditors will identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They will identify the checks and balances in the financial reporting workflow that ensure transactions are recorded correctly and account balances are calculated accurately.

Often, material accounts need multiple controls in place to prevent a material misstatement from occurring. However, audit teams should resist a brute-force approach that creates a new SOX control whenever a new risk is identified. Each new control inadvertently classified as "key" without a true risk assessment contributes to the ever-increasing control count — and to the 18% jump in average key control volume KPMG documented between FY22 and FY24.

The quickest way to differentiate a non-key from a key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, internal audit teams can better prioritize and focus their efforts on key controls.

Finalizing an effective system of internal controls plan

To finalize and plan for an effective system of internal controls, your audit team must identify manual and automated SOX IT controls. For each automated control, evaluate whether the underlying system is in scope for ITGC testing, which will shape the overall testing strategy. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of SOX IT control testing needed — and qualify for AS 2201 benchmarking on fully automated controls in future cycles.

Once you have defined scope and identified SOX controls using these practices, you will be on track to a well-rounded SOX testing program. Learn more in How to Build a Well-Rounded SOX Testing Program.

Meeting SOX requirements does not need to be overly complicated. Implementing SOX management software such as Optro's SOXHUB can help you eliminate version control issues in your SOX documentation process, centralize SOX control testing, facilitate SOX reporting, and streamline your SOX program from end to end.

Frequently asked questions

What does SOX stand for, and what are SOX controls?

SOX stands for the Sarbanes-Oxley Act of 2002, the U.S. federal law that mandates how publicly traded companies maintain financial records and internal controls. SOX controls are the internal controls — preventive and detective, manual and automated — that ensure the accuracy, integrity, and transparency of financial reporting and protect against corporate fraud and material misstatements.

What are the 5 components of SOX internal controls under the COSO framework?

SOX internal controls are typically structured around the COSO Internal Control – Integrated Framework, which has five interrelated components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities. The PCAOB expects management to design and evaluate ICFR against all five components, not just control activities. COSO 2013 remains the de facto standard used by virtually all SEC registrants, and COSO's 2023 ICSR guidance extends the same five components to sustainability reporting.

How are the new PCAOB AS 2201 and AS 2101 standards changing SOX control scoping in 2026?

The amended AS 2201 and AS 2101, both effective for audits of fiscal years beginning on or after December 15, 2026, formalize a top-down, risk-based approach that starts at the financial statement level, focuses first on entity-level controls, and works down to significant accounts and relevant assertions. SOX teams should re-scope control matrices so entity-level controls are well-designed and process-level controls are linked to specific assertions. AS 2201 also expands benchmarking for fully automated application controls when ITGCs are effective.

What's the difference between preventive and detective SOX controls?

Preventive controls (segregation of duties, system access restrictions, approval workflows) stop errors or fraud before they occur. Detective controls (reconciliations, management review controls, exception reports) identify issues after the fact. A defensible SOX control environment uses both, and external auditors expect a documented rationale for the mix — particularly for MRCs, where "level of precision" is a frequent PCAOB inspection finding.

Why are automated SOX controls declining, and how can practitioners reverse the trend?

KPMG's 2025 SOX Survey found automated controls dropped from 21% of total controls in FY22 to 17% in FY24, even as average in-scope systems jumped from 17 to 40 and average program costs hit $2.3M. New SaaS and cloud platforms are being added without re-architecting controls to use native automation. Practitioners can reverse the trend by migrating high-volume manual controls — three-way matches, journal entry approvals, access provisioning — to automated or IT-dependent manual controls, then using AS 2201 benchmarking to reduce repetitive testing.

What do you do when external auditors have a different SOX control scope than your internal team?

Per KPMG's 2025 SOX Survey, 56% of organizations report their external auditors test fewer in-scope controls than management does, and 90% cannot quantify fee savings from auditor reliance. Run a formal scope reconciliation at least annually: walk the auditor's reliance model line-by-line against the internal control matrix, identify which management-tested controls the auditor will rely on versus retest, and quantify the testing hours saved. Where divergence is unjustified, push back with documented risk rationale grounded in AS 2201's top-down approach.

What are the criminal penalties for SOX non-compliance under Sections 802 and 906?

SOX carries some of the harshest penalties in U.S. corporate law. Under Section 906, knowingly certifying a non-compliant financial report carries fines up to $1 million and up to 10 years imprisonment; willful certification carries fines up to $5 million and up to 20 years imprisonment. Section 802 penalizes destruction, alteration, or falsification of records or audit work papers with fines and up to 20 years imprisonment, and mandates retention of audit work papers for five years (seven years under PCAOB rules).


About the authors

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.
