At a large public retailer (over $45B in revenue), the SOX IT scope included more than 65 applications—many of them legacy mainframe systems. Due to significant turnover and limited documentation, the financially relevant functionality of each application was unclear. As a result, critical permissions and segregation of duties (SOD) risks were not well understood, and the SOX testing strategy lacked focus.

Working closely with IT Audit and business stakeholders, we led working sessions with business and IT owners for each in-scope application. Together, we identified and documented the financially relevant functionality across the portfolio. Over the course of the year-long engagement, we:

  • Mapped functionality to identify financially significant access and SOD risks
  • Designed testing procedures tailored to those risks
  • Identified relevant databases to support automation of access and SOD testing

This foundational work enabled the client to refocus SOX efforts on what mattered most—reducing testing scope, improving audit quality, and enhancing risk coverage.

SOX Implementation & SOC 2 – Technology Company Preparing for IPO

A fast-growing SaaS company, preparing for IPO, needed to establish a SOX compliance program while also preparing for SOC 2—required by its enterprise customers. With primarily homegrown applications, it was critical to understand how customer data and financial transactions flowed through its systems.

We facilitated in-depth workshops with IT and business teams to:

  • Map the functionality of key applications and data flows
  • Understand how customer data was collected, processed, and stored
  • Analyze integrations between applications, ERP, and CRM systems

We documented risks and controls across these systems and identified numerous gaps. Working with IT and business leadership, we:

  • Developed and implemented remediating controls
  • Provided project management support to ensure timely execution
  • Helped the company achieve SOX and SOC 2 readiness

For business process controls outside of IT, we took an optimized SOX approach aligned with the company’s fast-moving culture. Rather than a checklist, we:

  • Conducted a risk-based assessment to identify key risks of material misstatement
  • Designed efficient, high-impact controls
  • Developed a self-assessment process to monitor effectiveness

This tailored, risk-smart approach allowed the company to meet compliance requirements without disrupting growth.

SOX & Internal Audit Optimization – Mature Public Technology Company

A mature public technology company sought to reduce the cost of SOX compliance while unlocking more strategic value from internal audit, which was spending nearly 100% of its time on SOX.

Our two-pronged solution: optimize the SOX program and reallocate freed-up resources toward risk-focused audits.

To reduce SOX burden (achieving approximately 50% savings), we:

  • Performed a detailed risk assessment to isolate financial reporting risks
  • Conducted workshops with control owners to redesign controls—simplifying, strengthening, and eliminating redundant ones
  • Reduced total key controls by nearly 50%
  • Aligned with external audit on scope and approach
  • Implemented a monitoring dashboard to track PBC (prepared-by-client) request status, testing progress, and remediation

Freed-up resources were then deployed to conduct an enterprise risk assessment and launch a 3-year audit plan focused on top strategic and operational risks. Resulting audits led to improvements across supply chain, R&D, M&A, compliance, and financial reporting—expanding internal audit’s value beyond compliance.