SOX Compliance Checklist Template

A SOX compliance checklist is used by the management team of publicly traded companies to assess compliance with the Sarbanes-Oxley Act and improve areas where violations may occur. Use this checklist as a practical application of Section 404: Management Assessment of Internal Controls, the section that seems to cause the most compliance difficulties.

Management Assessment of Internal Controls

Has operating management taken ownership of their processes and documentation, rather than leaving it to the Section 404 team or the internal auditing function?

Does operating management update all process and control documentation promptly throughout the year and not just when testing starts?

Is there an effective change management process in place, including the timely assessment of process changes for their potential impact on key controls?

Is operating management committed to assessing and remediating all control deficiencies promptly?

In situations where remediation is not justified based on management’s assessment of risk and cost, is management committed to communicating that decision promptly so the effect on management’s overall assessment of controls can be identified and discussed with senior management?

Has a top-down, risk-based approach been used to identify the key controls?

Is management confident that all identified key controls are truly key?

Has the design of the related processes been reviewed to determine if changes can result in fewer and more effective controls, relying more on automated controls or on higher-level controls?

Is the management of the Section 404 program at a sufficiently high level within the organization to influence operating management relative to completion of their responsibilities?

Is the management of the Section 404 program at a sufficiently high level within the organization to communicate effectively with executive management the program’s progress and potential issues?

Is the management of the Section 404 program at a sufficiently high level within the organization to negotiate as needed with the external auditor?

Is the use of internal resources optimized, including the use of internal auditors to perform testing or to validate testing performed by management staff?

Has overall staffing been optimized, reducing reliance on more expensive external consultants and testers?

Has reliance by the external auditor on management testing been optimized?

Does the external auditor follow a top-down, risk-based approach as required by AS 5?

Is there a detailed project plan that includes a walk-through of all significant processes early in the year, preferably in the first quarter?

Is there a detailed project plan with testing scheduled in such a way that all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end?

Is there a detailed project plan that includes all key activities required to complete the program, such as fraud risk assessment, consideration of any end-user computing issues, assessment of SAS 70 reports from service providers, etc.?

Is there a detailed project plan detailing all required resources, including specialists (e.g., for IT or tax processes and controls), so they can be scheduled early?

Is there a detailed project plan with regular reporting to senior management that focuses on key metrics and issues?

Has there been communication and coordination with all service providers to ensure that a SAS 70 type II report will be available at the appropriate time?

Is early warning provided for potential deficiencies being identified during the SAS 70 audit?

Is the Section 404 program itself assessed for effectiveness on a continuing basis, to ensure it is improved as the organization learns from experience and benefits from changes in regulations or their interpretation?

Sign Off

Additional Comments

Management Team

Member Name

Member Signature

Position
