- Annual ICFR Scoping & Risk Assessment — SOX · 24 steps
Perform annual SOX scoping from materiality and significant accounts through RMMs, key controls, fraud risk, concurrence, and RCM publication. - Financial Controls Policy & Segregation-of-Duties Governance — SOX · 11 steps
The SOX PMO reapproves and communicates the financial-control policy suite, including entity-wide ITGC and period-end reporting oversight policies, on its annual cycle. Every quarter it also refreshes the segregation-of-duties conflict matrix, screens role design and system access for incompatible duties, and documents mitigating controls where segregation isn't practicable. - Financial Systems Transaction Integrity Monitoring — SOX · 11 steps
Operate the recurring financial-systems transaction-integrity cycle each period — clearing rejected-input and suspense queues, dispositioning automated-processing exceptions, and reconciling interface transfers. Validate system-generated reports and spreadsheets before reliance, with configuration retested on every change and evidence captured as you go. - Fraud Risk Assessment & Anti-Override Control Review — SOX · 12 steps
Lead the annual (or event-triggered) fraud risk assessment across fraudulent reporting, asset misappropriation, and corruption, evaluating incentives, opportunities, and rationalizations while explicitly rating the risk of management override of controls. Recalibrate the anti-override control set - journal-entry review criteria and significant-estimates scrutiny - and report refreshed results and mitigations to the audit committee. - Physical Asset Custody & Count Program — SOX · 10 steps
Operate the standing physical-asset custody and count program each cycle — counting and reconciling cash, negotiable instruments, and accounting records to the books, verifying custody-log authorization, and confirming storage and retention safeguards — with audit-ready evidence captured as you go. - Production Operations & Processing Integrity Cycle — SOX · 12 steps
Operate the recurring IT operations bridge each shift — authorized batch jobs executed and monitored, failures resolved through a tracked incident process, and backups verified with periodic restore testing against recovery objectives. The same cycle watches performance, capacity, and security telemetry against thresholds and confirms daily processing integrity, from input edit checks and interface reconciliation through outputs released only to authorized recipients. - Quarterly 302/906 Sub-Certification Cascade — SOX · 12 steps
The SOX PMO runs the quarterly sub-certification ritual that underpins the principal officers' Section 302 and 906 certifications: it maintains the certifier hierarchy, refreshes the questionnaire for period changes, launches the cascade from process owners through controllers to segment CFOs, chases completion to the cutoff, and triages every exception or qualification raised. Material items reach the disclosure committee before the CEO and CFO sign, and the certification population and its evidence are archived with the period's filing support. - SOX Deficiency Remediation — SOX · 15 steps
Track a control deficiency from initial identification and severity grading through root-cause analysis, remediation execution, and validated closure. - SOX IPE Validation — SOX · 14 steps
Validate an Information Produced by the Entity (IPE) report for completeness and accuracy, then decide whether it is reliable control evidence or a deficiency. - SOX ITGC Testing — SOX · 23 steps
Scope and test SOX-relevant ITGCs by referencing the controls-owned 800-53 catalog and test scripts rather than rebuilding procedures. - SOX Key Control Operation (Close Cycle) — SOX · 8 steps
Operate the financial-close key controls each period — reconciliations, management review, journal-entry approval — with audit-ready evidence captured as you go. - SOX Key Control TOD/TOE Test — SOX · 25 steps
Test key controls for design and operating effectiveness, including walkthrough, sampling, IPE linkage, exception handling, and reviewer sign-off. - SOX Process Walkthrough — SOX · 20 steps
Capture an end-to-end process walkthrough and identify the key controls inside it, producing a walkthrough memo and draft control records. - SOX Scoping Decision — SOX · 13 steps
Decide whether a process is SOX-relevant, then scope it or document the exclusion. - Year-End Deficiency Aggregation & Severity Evaluation — SOX · 18 steps
Freeze the year-end deficiency register, prove its completeness against testing results, aggregate related deficiencies, and evaluate severity through compensating-control and prudent-official conclusions that feed 302/404 certifications and audit-committee reporting.