A SOX audit touches nearly every corner of the accounting and finance function. It runs for most of the fiscal year and requires coordination across teams that don’t always speak the same language.

The experience looks different depending on where you sit. For accounting and finance teams, it’s about maintaining controls, keeping documentation organized, and staying audit-ready year-round. For auditors, it’s about evaluating whether those controls are designed correctly and actually working.

This guide is focused on SOX as it applies in the United States, where the Sarbanes-Oxley Act governs publicly traded companies. While other countries have adopted similar governance frameworks (like the UK Corporate Governance Code), the specific provisions, timelines, and reporting requirements covered here are US-specific.

Here’s what we’ll walk through: what a SOX audit actually evaluates, how the process plays out across a fiscal year, how to prepare, what auditors zero in on during fieldwork, common findings (and how to avoid them), and where technology fits in.

What Is a SOX Audit?

SOX stands for the Sarbanes-Oxley Act of 2002, a federal law Congress passed after a wave of corporate accounting scandals, including Enron and WorldCom, exposed serious gaps in financial reporting and audit oversight. Among its most significant provisions, the law requires publicly traded companies to establish, document, and test their internal controls over financial reporting (ICFR).

A SOX audit is the process that evaluates whether those controls are actually working. In plain terms: can the controls you have in place prevent or catch material misstatements in the financial statements? That’s what auditors are trying to answer.

The audit itself has two components, and which ones apply to your organization depends on its size and SEC filer classification.

Section 404(a) requires management to assess and report on the effectiveness of the company’s ICFR. Every public company must comply with this, regardless of size.

Section 404(b) takes it a step further. It requires an independent external auditor to attest to management’s assessment. This applies to accelerated filers (public float of $75 million or more, subject to the SEC’s revenue test) and large accelerated filers. Non-accelerated filers, which include most smaller reporting companies, and emerging growth companies are exempt from this external attestation requirement.

For a deeper look at the full scope of the Sarbanes-Oxley Act and its compliance requirements, see our SOX compliance guide.

Key SOX Provisions That Shape the Audit

Three sections of the Sarbanes-Oxley Act have the most direct impact on how SOX audits are structured and what they evaluate.

Section 302: Executive certification

Section 302 puts personal accountability on the CEO and CFO. They must certify the accuracy and completeness of the company’s financial statements and take responsibility for establishing and maintaining internal controls. This isn’t ceremonial. Knowingly false or misleading certifications carry criminal penalties (fines and imprisonment) under the companion provision in Section 906.

Section 404: Internal controls assessment

This is the core of the SOX audit, and where the bulk of the work happens. Section 404 requires companies to document, test, and report on the effectiveness of their ICFR. Under 404(a), management conducts its own assessment. Under 404(b), an independent auditor provides an attestation of that assessment. It’s the most resource-intensive provision of the law, and the one that drives most of the cross-functional coordination.

Section 802: Record retention and penalties

Section 802 establishes criminal penalties for altering, destroying, concealing, or falsifying financial records. It also mandates that audit-related documents be maintained for a minimum of five years. Violations can result in fines and up to 20 years of imprisonment.

Who’s Involved in a SOX Audit

A SOX audit isn’t just an accounting exercise. It touches multiple functions, and the most efficient engagements are the ones where those functions are aligned early.

[Table: SOX roles and responsibilities, listing the compliance obligations of the CEO and CFO, process owners, internal audit, external auditors, and IT under the Sarbanes-Oxley Act]

The way these roles connect matters. Accounting and finance own the financial controls, IT owns the system-level controls, and external auditors evaluate both. 

The most efficient engagements happen when all groups are communicating consistently throughout the year, not just when fieldwork starts. That ongoing alignment is what keeps findings from catching anyone off guard.

How a SOX Audit Works: The Typical Timeline

SOX audits aren’t a single sprint. They follow the fiscal year calendar, with distinct phases that build on each other. If you’re new to the process, this is the rhythm you’ll get to know well.

Q1: Scoping and risk assessment

Everything starts with scoping. Management and auditors identify which accounts, processes, and locations will be tested based on materiality and risk. This is where the risk-control matrix takes shape, mapping financial reporting risks to specific controls. The COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) is the most widely used structure for this assessment, and it’s accepted by the SEC.

Q2: Walkthroughs and interim testing

During this phase, auditors perform walkthroughs to confirm controls are designed correctly. They’ll trace a transaction from start to finish through the relevant process to validate that the right controls exist at the right points. Internal audit teams typically run parallel testing during this period, which creates an early window to catch and fix issues before external auditors weigh in.

Q3: Control testing window

This is where the heavy lifting happens. Auditors conduct sample-based testing to evaluate whether controls are operating effectively over the full period, not just on a single day. Sample sizes depend on how often the control runs and on the auditor’s assessed risk. A daily control might require 25 or more samples, while quarterly controls typically need two to three. This phase is also where most findings surface.

Q4 and year-end: Remediation, roll-forward, and reporting

Any deficiencies identified during interim testing need to be remediated before year-end, and the fixed control has to operate long enough before year-end for auditors to retest it. Auditors perform roll-forward testing to confirm controls continued to work through the end of the fiscal year. Management issues its 404(a) assessment, and external auditors (for 404(b) filers) issue their attestation report, which is included in the company’s Form 10-K.

Teams that treat SOX as a year-round discipline have smoother engagements and fewer findings than those that scramble when auditors show up.

How To Prepare for a SOX Audit

The difference between a smooth audit season and a painful one usually comes down to preparation, and most of it isn’t complicated. It’s about building good habits and sticking with them.

  • Get control documentation in order. Every key control should have a clear description, an assigned owner, a defined frequency, and a documented evidence trail. If an auditor can’t find the documentation, the control might as well not exist.
  • Keep reconciliations current. Account reconciliations are one of the most frequently tested areas, and one of the most common sources of findings. Falling behind creates compounding risk as year-end approaches. If you’re consistently closing out reconciliations on time, you’ve already eliminated one of the biggest headaches.
  • Maintain review and approval evidence. Sign-offs, timestamps, and reviewer comments all matter. Auditors aren’t just checking whether the work got done. They want to see that someone reviewed and approved it, and that the evidence is clear. A reconciliation without a reviewer sign-off is an incomplete control, full stop.
  • Align with IT early. Access reviews and change management are critical components of IT general controls. Coordinate with IT well before testing starts to surface and resolve access issues or segregation of duties conflicts. Waiting until Q3 to discover a user-access problem is a recipe for a finding.
  • Run internal testing before external auditors arrive. This creates a window to find and fix problems before they become reportable findings. It also builds auditor confidence in the control environment, which can reduce the scope and intensity of external testing.

What Auditors Evaluate During a SOX Engagement

The teams that navigate fieldwork with the least friction tend to have one thing in common: they already know what auditors are looking for before the engagement starts.

During planning

Auditors start with entity-level controls, the broad controls that set the tone for the organization’s control environment. Think audit committee oversight, management’s risk assessment process, and the company’s code of conduct. They also establish materiality thresholds and review prior-year findings to identify areas of recurring weakness.

During fieldwork

Once testing begins, auditors focus on a few key things.

  • Consistency of control execution. A control that works in January but wasn’t performed in June is a problem. Auditors test operating effectiveness over the full period, not just a point in time. Gaps in execution are one of the fastest paths to a finding.
  • Evidence quality over volume. A binder full of spreadsheets doesn’t help if the evidence doesn’t clearly demonstrate that the control was performed, reviewed, and approved. Clean, organized documentation beats sheer volume every time.
  • Both design and operating effectiveness. A well-designed control that nobody follows is a deficiency. So is a control that people follow consistently but that doesn’t actually address the underlying risk. Auditors evaluate both sides.

What makes an engagement run well

The smoothest SOX engagements share a few traits: documentation that’s ready before auditors request it, process owners who can clearly walk through how their controls work, reliable internal audit work that auditors can leverage, and timely remediation of anything flagged during interim testing.

Deficiency classification

Not all findings carry the same weight. Auditors classify deficiencies into three levels.

  • A control deficiency exists when the design or operation of a control doesn’t allow management or employees, in the normal course of their work, to prevent or detect misstatements on a timely basis. On its own, a single control deficiency may not be severe.
  • A significant deficiency is a control deficiency (or combination of deficiencies) that’s serious enough to warrant attention from those charged with governance, like the audit committee. It’s less severe than a material weakness, but still requires action.
  • A material weakness is the most serious classification. The PCAOB defines it as a deficiency, or combination of deficiencies, that creates a reasonable possibility that a material misstatement won’t be prevented or detected on a timely basis. Material weaknesses must be disclosed in the company’s SEC filings, and they can affect stock price, investor confidence, and the ability to raise capital.

One thing to keep in mind: multiple smaller deficiencies can aggregate into a more severe classification. A handful of individually minor issues across the same process or assertion can collectively add up to a significant deficiency or a material weakness.

Common SOX Audit Findings and How To Avoid Them

Most SOX findings don’t come from dramatic failures. They come from repeated small gaps that build up over time. 

  • Missing or incomplete review evidence. The control was performed, but there’s no documentation showing someone reviewed it. 
    • Fix: build review steps with timestamps and sign-offs directly into the workflow, so evidence is created as part of the process, not after the fact.
  • Untimely account reconciliations. The reconciliation was completed, but not within the expected timeframe. 
    • Fix: set and enforce clear deadlines for monthly reconciliations, and track completion dates. Late is almost as bad as missing when it comes to operating effectiveness.
  • Unsupported or unapproved manual journal entries. Journal entries lack adequate supporting documentation or weren’t properly approved before posting. 
    • Fix: require supporting documentation and manager approval for all manual entries, with no exceptions.
  • Segregation of duties gaps. The same person initiates, approves, and records a transaction.
    • Fix: review role assignments regularly, and where full segregation isn’t practical, put compensating controls in place and document them, because auditors will test the compensating control in place of the missing segregation.
  • Generic or outdated management risk assessments. The risk assessment hasn’t been updated to reflect changes in the business, like new systems, acquisitions, or process changes. 
    • Fix: refresh the risk assessment at least annually and after any significant operational shift.
  • Weak IT general controls. Access reviews aren’t performed regularly, or change management procedures aren’t followed for system updates. 
    • Fix: conduct quarterly access reviews and enforce formal change management protocols for all systems that touch financial data.

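The two IT general control items above, segregation of duties and periodic access review, are the ones a technical team can check mechanically before auditors do. The script below is an added example, not code from the original article or from Trullion: it runs a segregation-of-duties and access-recertification check over a constructed user population. The entitlement names, the conflict pairs, the 90-day review interval and the users are all assumptions made for illustration and do not reflect any particular ERP’s role model.

```python
"""Added example (not from the original article or from Trullion): a small
segregation-of-duties and user-access review of the kind an internal audit or
IT team can run ahead of SOX fieldwork. Users, entitlement names, conflict
pairs and dates are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional

# Constructed conflict matrix (assumption): holding both entitlements in a
# pair lets one person initiate and approve, or record and post, the same
# class of transaction.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_journal", "post_journal"}),
    frozenset({"create_po", "receive_goods"}),
}

REVIEW_INTERVAL_DAYS = 90  # quarterly access review, as the article recommends
AS_OF = date(2024, 12, 31)  # constructed fiscal year-end for the sample run


@dataclass
class UserAccess:
    user: str
    entitlements: set
    active: bool          # account enabled in the financial system
    employed: bool        # still on the HR roster
    last_reviewed: date   # date a manager last certified this access
    compensating_control: Optional[str] = None  # documented mitigation, if any


def sod_conflicts(u: UserAccess) -> list:
    """Every conflicting entitlement pair this user holds."""
    return [frozenset(pair) for pair in combinations(sorted(u.entitlements), 2)
            if frozenset(pair) in SOD_CONFLICTS]


def review_access(users, as_of: date) -> list:
    """Return the findings an auditor would raise on this access population."""
    findings = []
    for u in users:
        # Orphaned account: terminated employee whose login was never disabled.
        if u.active and not u.employed:
            findings.append({"user": u.user, "type": "orphaned_account",
                             "detail": "active account for terminated user"})
        # Stale review: access not recertified within the review interval.
        age = (as_of - u.last_reviewed).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append({"user": u.user, "type": "stale_review",
                             "detail": f"last reviewed {age} days ago"})
        # SoD: a conflict covered by a documented compensating control is still
        # reported, because the auditor will test that control instead.
        for pair in sod_conflicts(u):
            kind = "sod_conflict_mitigated" if u.compensating_control else "sod_conflict"
            findings.append({"user": u.user, "type": kind,
                             "detail": " + ".join(sorted(pair)),
                             "compensating_control": u.compensating_control})
    return findings


# Constructed sample population (not real users or entitlements).
SAMPLE_USERS = [
    UserAccess("alice", {"create_vendor", "approve_payment"}, True, True,
               date(2024, 11, 15)),
    UserAccess("bob", {"create_journal", "post_journal"}, True, True,
               date(2024, 10, 10),
               compensating_control="controller reviews all JEs posted by bob monthly"),
    UserAccess("carol", {"view_reports"}, True, False, date(2024, 12, 1)),
    UserAccess("dave", {"create_po"}, True, True, date(2024, 6, 1)),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_USERS, AS_OF):
        print(finding)
```

Run against the sample data, the check flags alice’s unmitigated initiate-and-approve conflict, bob’s conflict as mitigated by a documented compensating control, carol’s still-active account after termination, and dave’s access that hasn’t been recertified in 213 days. Feeding it a real export of user entitlements and an HR roster each quarter is a cheap way to surface exactly the issues that otherwise turn up as Q3 findings.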
None of these are catastrophic on their own. But when auditors find several of them in the same engagement, they paint a picture of a control environment that isn’t running as intended. And that’s when individual findings start aggregating into something more serious.

The Role of Technology in SOX Audit Readiness

Spreadsheets and manual processes are where SOX compliance tends to break down. The controls themselves might be well-designed, but the evidence trail, version control, and consistency of execution suffer when everything depends on someone remembering to save the right file in the right folder.

For accounting and finance teams

Technology can address many of the most common SOX pain points. Automated data matching reduces the risk of errors in reconciliations. Timestamped review workflows create clear, defensible evidence of who reviewed what and when. Built-in audit trails eliminate the ambiguity around documentation. The result is a control environment that’s stronger by design, not just because someone remembered to follow the right steps.

For audit firms

On the audit side, organized, source-linked documentation reduces PBC (prepared by client) cycles and cuts down on the back-and-forth that slows fieldwork. When evidence is structured and traceable from the start, auditors spend less time chasing documents and more time on the judgment-intensive work that actually matters.

Trullion helps both sides of the engagement. Accounting teams maintain audit-ready controls year-round with automated workflows and traceable documentation. Audit firms access cleaner, better-organized evidence with minimal manual effort. It’s how compliance stops being a scramble and starts being built into the way work already gets done.

SOX Audit vs. SOX Compliance: What’s the Difference?

SOX audit and SOX compliance often get used interchangeably, but they refer to different things, and understanding the distinction matters for how teams plan their work. 

SOX compliance is the ongoing program. It’s the day-to-day work of maintaining internal controls, documenting processes, performing reconciliations, and running access reviews. Compliance is continuous.

A SOX audit is the periodic evaluation of that program. It’s the assessment of whether those controls are designed and operating effectively, covering the full fiscal year.

Teams that treat compliance as a year-round discipline, rather than something they ramp up before the audit, consistently have smoother engagements, fewer findings, and lower remediation costs.

For a deeper dive into building a sustainable SOX compliance program, see our SOX compliance guide.

Frequently Asked Questions

What is a SOX audit?

A SOX audit evaluates whether a publicly traded company’s internal controls over financial reporting are designed and operating effectively. It’s required under the Sarbanes-Oxley Act of 2002.

Who needs a SOX audit?

All US publicly traded companies must comply with Section 404(a), which requires management to assess ICFR. Accelerated filers and large accelerated filers must also comply with Section 404(b), which requires an independent auditor attestation.

What’s the difference between SOX 404(a) and 404(b)?

Section 404(a) requires management to assess and report on the effectiveness of internal controls. Section 404(b) requires an independent external auditor to attest to that assessment. Non-accelerated filers and emerging growth companies are generally exempt from 404(b).

How long does a SOX audit take?

A SOX audit spans most of the fiscal year. Scoping begins in Q1, walkthroughs and interim testing run through Q2 and Q3, and final testing and reporting wrap up in Q4. The most resource-intensive testing typically happens in Q3.

What happens if a company fails a SOX audit?

There’s no formal “pass/fail,” but if an auditor identifies a material weakness, it must be disclosed in the company’s SEC filings. This can affect stock price, investor confidence, and the company’s ability to raise capital.

What’s the difference between a SOX audit and a financial statement audit?

A financial statement audit evaluates whether the financials are presented fairly and in accordance with GAAP. A SOX audit evaluates the internal controls that support the accuracy of those financial statements. For accelerated filers, both audits happen together, and the auditor issues opinions on both.

Can private companies benefit from SOX-style controls?

Yes. While SOX only applies to public companies, many private companies adopt SOX-style controls to strengthen financial reporting, particularly if they’re preparing for an IPO, pursuing an acquisition, or working with investors who expect strong governance.

How does technology improve SOX audit readiness?

Technology strengthens SOX readiness by automating repetitive controls, creating built-in audit trails, and producing timestamped evidence of review and approval. This reduces the manual effort required to maintain compliance and makes documentation more consistent and accessible for auditors.