SOX Compliance & Consulting

The Sarbanes-Oxley (SOX) Act was promulgated in 2002 with the goal of protecting the investing public by creating more company responsibility and transparency. SOX changed the way public companies evaluated their internal controls over financial reporting and how companies provided that information to the investing public. Since its inception, the spirit of SOX has remained the same, but the path to achieving compliance has changed drastically and continues to do so. SOX requires an ongoing effort that includes the continuous assessment of the financial and information technology control environments, control testing and the ongoing maintenance of a company's SOX program.


MFA's SOX Compliance Services
MFA’s experienced SOX compliance team will drive the creation and maintenance of a strong control environment for your business, helping you to reduce the costs and complexity associated with maintaining internal controls over financial reporting (ICFR), maximize available resources, streamline business processes and ensure overall compliance with SOX requirements.
Pre-IPO SOX Compliance Planning & Strategy
We help prepare companies for the IPO market — and the impending SOX requirements — by strengthening internal control environments and establishing sustainable and efficient compliance practices before a company goes public.
Sarbanes-Oxley Initial & Sustained Compliance
Whether you're a new or established public company, our team will drive a streamlined effort to ensure the creation and/or maintenance of a strengthened controls and compliance environment in coordination with all SOX requirements.
Controls Optimization
We'll assess your organization's control environment and provide practical recommendations for remediation and optimization to help improve corporate governance, streamline internal processes and mitigate financial risk.
Target Acquisition Control Assessment
For buyers, we'll perform a controls assessment of your target company to help facilitate the due diligence process and ensure you minimize risk and maximize the potential of your future deal.
Acquisition Compliance Integration
We'll evaluate the compliance risks associated with a corporate merger or acquisition and guide you through the process of integrating control practices and procedures.
Corporate Governance Assessment
We’ll help assess your governance structure and related control environment to ensure you deliver the core benefits of corporate transparency, financial stability and business integrity.


An Ideal Fit for:

  • Established public companies looking to transition to an outsourced internal auditor team
  • New public filers that need to meet SOX requirements for the first time
  • Growing businesses preparing for their initial public offering
  • Private companies looking to adopt robust, SOX-like internal controls
  • Businesses considering an acquisition and in need of an assessment of a target company's controls



What MFA’s SOX Compliance & Consulting Services Can Do For You

  • Deliver a full suite of SOX compliance process documentation that narrates financial and information technology processes, classifies areas of risk and identifies key and non-key controls
  • Establish your existing materiality thresholds
  • Identify control deficiencies and remediation opportunities through routine testing of your business processes and IT controls, including the design and operational effectiveness assessment of your controls at the entity, process, transaction and application levels
  • Provide key stakeholders, including Audit Committees and Boards of Directors, with a comprehensive review of your SOX compliance efforts, including a conclusion on management's assessment as to the effectiveness of your company's ICFR environment


FAQ: Sarbanes-Oxley Compliance

SOX was designed to help provide the public and company stakeholders with transparency into corporate practices, including accounting and IT operations, as well as to mitigate the fraud risk within the financial statements.

Two of the most significant provisions of SOX are Section 302 and Section 404.

  • Section 302: Mandates that senior corporate officers (typically the CEO and CFO) attest to the accuracy and reliability of the company's financial statements, as well as its internal control environment.
  • Section 404: Requires that there is both a management attestation, 404(a), and an independent external auditor attestation, 404(b), on the design and operating effectiveness of internal controls over financial reporting. Section 404(a) is always required, while Section 404(b) is based on the company’s filing status.

You should expect the following steps to occur during a SOX compliance audit. Your auditors will:

1. Review documentation and analysis including but not limited to:

  • Calculation of materiality thresholds;
  • Financial account assessment, risk ratings and inclusion in business processes;
  • Business process and IT narratives;
  • Risk and Control Matrix for key and non-key controls inclusive of mapping to the financial statement assertions;

2. Perform compliance testing of key controls to show investors, employees, and other key stakeholders of the company that it has procedures in place to prevent fraud and that the financial reports the company produces are accurate and reliable.

3. Report on the work performed including concluding on the effectiveness of internal controls over financial reporting.

4. Present the results to the Audit Committee and/or Board of Directors.

The COSO Internal Control Integrated Framework is the most widely used framework for the development of internal control objectives. It covers three categories of objectives, operations, reporting and compliance, across five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.

While it wasn't specifically developed for SOX, the COSO framework is considered the gold standard by which companies build and assess their SOX programs. It provides companies with a foundation for designing their internal controls over financial reporting.

In addition to the COSO framework, the Control Objectives for Information and Related Technology (COBIT) principles are most commonly used to provide guidance for internal controls related to information technology. The COBIT principles assist companies in their development of a strong IT environment and, alongside COSO, can enable a more comprehensive SOX program that encompasses both business process and information technology control environments.

Nearly all provisions of the Sarbanes-Oxley Act demand compliance at the time of an IPO, which is why most companies preparing to go public typically begin pre-IPO SOX compliance planning and strategy at least 12-18 months in advance of filing. Following that timeline should allow companies to complete a full, 12-month controls testing period to ensure systems and processes work as intended and any risk areas or controls gaps are mitigated prior to the effective compliance date.

There are exceptions to first-time SOX compliance for emerging growth companies (EGCs), as well as smaller reporting companies (SRCs).

  • EGCs: Companies that qualify as EGCs under the Securities Act are given an additional five years to comply with Section 404(b) of SOX and are thus not immediately required to provide an auditor attestation of ICFR. However, 404(a) is still required for EGCs.
  • SRCs: In 2020, the SEC adopted amendments to the accelerated and large accelerated filer definitions; as a result, SRCs with less than $100 million in annual revenue are no longer required to obtain an audit of ICFR.


Let’s Connect

Whether you’re an established enterprise or a new public filer, MFA’s Sarbanes-Oxley Team can help guide you through the nuances of SOX compliance and maintenance. Please reach out to our team to learn more.
