At a large public retailer (over $45B in revenue), the SOX IT scope included more than
65 applications—many of them legacy mainframe systems. Due to significant turnover
and limited documentation, the financially relevant functionality of each application was
unclear. As a result, critical permissions and segregation of duties (SOD) risks were not
well understood, and the SOX testing strategy lacked focus.
Working closely with IT Audit, we led working sessions with the business and IT owners
of each in-scope application. Together, we identified and documented the financially
relevant functionality across the portfolio. Over the course of the year-long
engagement, we:
• Mapped functionality to identify financially significant access and SOD risks
• Designed testing procedures tailored to those risks
• Identified relevant databases to support automation of access and SOD testing
This foundational work enabled the client to refocus SOX efforts on what mattered
most—reducing testing scope, improving audit quality, and enhancing risk coverage.
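What "automation of access and SOD testing" looks like once the security tables of an in-scope application have been identified, as an added example that is not part of the original engagement write-up. It takes a user-to-role extract and a role-to-entitlement extract, computes each user's effective entitlements, and flags (a) users holding both halves of a segregation-of-duties conflict pair, distinguishing conflicts baked into a single role from conflicts that only arise from the combination of roles, (b) critical or privileged entitlements that warrant testing on their own, and (c) role assignments that no longer resolve to a defined role. The entitlement names, role names, users and the conflict matrix are all constructed for illustration and do not come from any real system.

```python
"""Automated access and SOD test over extracted application security tables.

Constructed example: the tables below stand in for the user-to-role and
role-to-entitlement data that would be pulled from an in-scope application's
security database (a mainframe security product's profiles or an ERP's
authorization tables). All names are hypothetical.
"""

# Hypothetical SOD conflict matrix: each pair lets one person both initiate
# and approve a financially significant transaction.
SOD_CONFLICTS = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    frozenset({"POST_JOURNAL", "APPROVE_JOURNAL"}),
    frozenset({"MAINTAIN_PRICE_MASTER", "ENTER_SALES_ORDER"}),
}

# Entitlements that are sensitive on their own (privileged / critical access).
CRITICAL_ENTITLEMENTS = {"MAINTAIN_USER_ACCESS", "DIRECT_TABLE_UPDATE"}

# Constructed ROLE -> entitlements extract.
ROLE_ENTITLEMENTS = {
    "AP_CLERK":      {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER":    {"APPROVE_PAYMENT", "ENTER_INVOICE"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
    "GL_SUPER":      {"POST_JOURNAL", "APPROVE_JOURNAL"},  # conflict inside one role
    "SEC_ADMIN":     {"MAINTAIN_USER_ACCESS"},
    "READ_ONLY":     {"VIEW_REPORTS"},
}

# Constructed USER -> roles extract.
USER_ROLES = {
    "jdoe":   {"AP_CLERK", "AP_MANAGER"},      # conflict across two roles
    "asmith": {"GL_SUPER"},                    # inherits an intra-role conflict
    "bwong":  {"GL_ACCOUNTANT", "READ_ONLY"},  # clean
    "root1":  {"SEC_ADMIN", "AP_CLERK"},       # critical access, no SOD pair
    "ghost":  {"NO_SUCH_ROLE"},                # assignment to an undefined role
}


def effective_entitlements(user, user_roles=USER_ROLES,
                           role_entitlements=ROLE_ENTITLEMENTS):
    """Union of entitlements across every role assigned to the user.
    Roles missing from the role table contribute nothing here; they are
    surfaced separately by orphaned_roles()."""
    ents = set()
    for role in user_roles.get(user, set()):
        ents |= role_entitlements.get(role, set())
    return ents


def sod_violations(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS,
                   conflicts=SOD_CONFLICTS):
    """Return [(user, entitlement_a, entitlement_b, source)] for each user whose
    effective entitlements contain both halves of a conflict pair.

    source is 'intra-role' when one assigned role carries both halves (a role
    design defect, fixed by splitting the role) and 'cross-role' when the
    conflict only arises from the combination of roles (a provisioning defect,
    fixed by removing an assignment or adding a mitigating control)."""
    findings = []
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_entitlements)
        for pair in conflicts:
            if pair <= ents:
                a, b = sorted(pair)
                intra = any(pair <= role_entitlements.get(r, set())
                            for r in user_roles[user])
                findings.append((user, a, b, "intra-role" if intra else "cross-role"))
    return findings


def critical_access(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS,
                    critical=CRITICAL_ENTITLEMENTS):
    """Return [(user, entitlement, granting_role)] for every critical entitlement
    a user holds, so each grant can be traced back to the role that conveys it."""
    findings = []
    for user in sorted(user_roles):
        for role in sorted(user_roles[user]):
            for ent in sorted(role_entitlements.get(role, set()) & critical):
                findings.append((user, ent, role))
    return findings


def orphaned_roles(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Return [(user, role)] for assignments to roles absent from the role table;
    these are data-quality gaps that would otherwise silently pass the SOD test."""
    return [(u, r) for u in sorted(user_roles) for r in sorted(user_roles[u])
            if r not in role_entitlements]


if __name__ == "__main__":
    for finding in sod_violations():
        print("SOD     ", *finding)
    for finding in critical_access():
        print("CRITICAL", *finding)
    for finding in orphaned_roles():
        print("ORPHAN  ", *finding)
```

Running the module prints one line per finding; in practice the two extracts would be loaded from the application database each test cycle and the conflict matrix would be the one agreed with the business owners in the working sessions. The intra-role versus cross-role split matters because the two call for different remediation owners (the role designer versus the provisioning process).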

SOX Implementation & SOC 2 – Technology Company Preparing for IPO
A fast-growing SaaS company, preparing for IPO, needed to establish a SOX
compliance program while also preparing for SOC 2—required by its enterprise
customers. With primarily homegrown applications, it was critical to understand how
customer data and financial transactions flowed through its systems.
We facilitated in-depth workshops with IT and business teams to:
• Map the functionality of key applications and data flows
• Understand how customer data was collected, processed, and stored
• Analyze integrations between applications, ERP, and CRM systems
We documented risks and controls across these systems and identified numerous gaps.
Working with IT and business leadership, we:
• Developed and implemented remediating controls
• Provided project management support to ensure timely execution
• Helped the company achieve SOX and SOC 2 readiness

For business process controls outside of IT, we took an optimized SOX approach
aligned with the company’s fast-moving culture. Rather than a checklist, we:
• Conducted a risk-based assessment to identify key risks of material misstatement
• Designed efficient, high-impact controls
• Developed a self-assessment process to monitor effectiveness
This tailored, risk-smart approach allowed the company to meet compliance
requirements without disrupting growth.

SOX & Internal Audit Optimization – Mature Public Technology Company
A mature public technology company sought to reduce the cost of SOX compliance
while unlocking more strategic value from internal audit, which was spending nearly
100% of its time on SOX.
Our two-pronged solution: optimize the SOX program and reallocate freed-up resources
toward risk-focused audits.
To reduce SOX burden (achieving approximately 50% savings), we:
• Performed a detailed risk assessment to isolate financial reporting risks
• Conducted workshops with control owners to redesign controls, simplifying,
strengthening, and eliminating redundant ones
• Reduced total key controls by nearly 50%
• Aligned with external audit on scope and approach
• Implemented a monitoring dashboard to track PBC status, testing progress, and
remediation
Freed-up resources were then deployed to conduct an enterprise risk assessment and
launch a 3-year audit plan focused on top strategic and operational risks. Resulting
audits led to improvements across supply chain, R&D, M&A, compliance, and financial
reporting—expanding internal audit’s value beyond compliance.