By Bala Krishnan
For multinational organizations, Sarbanes-Oxley compliance is far more than an annual audit exercise. It is a continuous enterprise-wide responsibility that requires strong governance, effective internal controls, reliable technology, and coordination across business functions, legal entities, and geographic regions.
Throughout my career managing and supporting SOX compliance programs for global organizations, I have seen companies approach SOX in very different ways. Some organizations treat compliance as a year-end documentation requirement, while more mature organizations embed internal controls into everyday business processes and technology operations.
The difference is significant.
A reactive SOX program may technically satisfy immediate audit requests, but it often results in repeated deficiencies, excessive remediation work, control fatigue, and escalating audit costs. A well-designed program, by contrast, improves financial reporting reliability, strengthens accountability, and enables leadership to make decisions with greater confidence.
The challenge for global enterprises is developing a SOX framework that is both standardized and flexible—consistent enough to provide reliable assurance, yet adaptable enough to accommodate different technologies, regulatory environments, and operating models.
Understanding the Scope of Global SOX Compliance
SOX compliance begins with accurately identifying the processes, systems, legal entities, and controls that could materially affect financial reporting.
In a multinational enterprise, this assessment may include:
Corporate and regional financial processes
Enterprise resource planning platforms
Financial reporting and consolidation systems
Cloud applications and software-as-a-service platforms
Interfaces between financial and operational systems
Shared-service centers
Third-party service providers
Acquired businesses and newly implemented systems
Infrastructure supporting financially relevant applications
The scope must be risk-based. Attempting to test every system or process creates unnecessary cost and operational burden. Conversely, defining the scope too narrowly may leave material risks unaddressed.
Effective scoping requires collaboration among Finance, Internal Audit, Information Technology, Cybersecurity, Legal, Compliance, and external auditors. These groups must understand how financial information is initiated, authorized, processed, transferred, reported, and retained.
Materiality is not determined solely by the dollar value of a transaction. Organizations must also consider qualitative risks, including management judgment, regulatory exposure, susceptibility to fraud, complexity of calculations, and reliance on automated systems.
The objective is to create a clear connection between financial reporting risks and the controls designed to address them.
Establishing Effective SOX Controls
An effective control environment begins with clearly defined risks. Controls should not exist simply because they appeared in a prior-year matrix or because an auditor once requested them. Every control should address a specific risk that could affect the completeness, accuracy, authorization, validity, or presentation of financial information.
Strong SOX controls generally have five characteristics:
1. Clear ownership
Each control must have a designated owner who understands the control’s purpose, execution requirements, frequency, and evidence expectations.
Control ownership should be assigned to individuals with sufficient authority, competence, and access to perform the control effectively. Assigning a control to someone without the appropriate knowledge or organizational influence increases the likelihood of failure.
2. Precise control descriptions
A well-written control description should explain:
Who performs the control
What activity is performed
When and how frequently it is performed
Which systems, reports, or data sources are used
What evidence is retained
How exceptions are identified and resolved
Vague statements such as “management reviews access” or “changes are approved” do not provide enough information to determine whether a control is properly designed or consistently executed.
3. Appropriate evidence
A control is only as defensible as the evidence supporting its execution.
Evidence should demonstrate what was reviewed, who performed the review, when it occurred, what criteria were applied, which exceptions were identified, and how those exceptions were resolved.
An email stating “review completed” is rarely sufficient. Review controls should retain the underlying reports, annotations, approvals, investigation records, and evidence of follow-up actions.
4. Alignment between risk and frequency
The frequency of a control should correspond to the speed and severity of the underlying risk.
For example, privileged-access monitoring may require frequent review because unauthorized administrative activity can create immediate financial reporting exposure. Other activities, such as reviewing a low-risk configuration, may be appropriately performed quarterly or annually.
Control frequency should be based on risk—not convenience.
5. Sustainability
Controls should be practical enough to operate consistently over time. A control that requires extensive manual effort may work temporarily but become unreliable during staff turnover, organizational restructuring, or peak reporting periods.
Where possible, organizations should automate repetitive activities, standardize evidence collection, and integrate control requirements into existing workflows.
The Importance of IT General Controls
Modern financial reporting depends heavily on technology. As a result, IT General Controls, commonly referred to as ITGCs, form the foundation of a reliable SOX program.
ITGCs typically address three major areas:
User access and security administration
System development and change management
Computer operations and production support
Access controls help ensure that only authorized individuals can enter, modify, approve, or administer financially relevant information. Key activities may include user provisioning, access termination, privileged-access monitoring, periodic access reviews, password management, and segregation-of-duties analysis.
Change-management controls help confirm that application, database, interface, and infrastructure changes are authorized, tested, approved, and appropriately migrated into production.
Computer-operations controls address areas such as job monitoring, incident management, backup processing, batch failures, interface monitoring, and the resolution of operational exceptions.
When ITGCs are ineffective, auditors may be unable to rely on automated application controls or system-generated reports. This can dramatically increase manual testing and create substantial compliance costs.
Global enterprises should therefore understand which applications support material financial processes, how those applications are configured, and which technology controls are necessary to maintain their integrity.
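The access-control activities named above (access termination and segregation-of-duties analysis) and the "late access terminations" metric discussed later on this page are the kind of ITGC checks that can be run as a repeatable script rather than a manual year-end exercise. The following is an added illustration, not code from the author or from any particular GRC product: it reconciles a constructed HR termination feed against a constructed application access export, reports accounts that were not disabled within an assumed removal SLA, and flags users who hold an assumed pair of conflicting roles. The SLA, the SoD rule set, the role names and all records are hypothetical values chosen for the example.

```python
"""Added example (not part of the original article): two automated ITGC
access checks over constructed data.

1. Late access terminations: accounts belonging to HR-terminated employees
   that were not disabled within the removal SLA.
2. Segregation-of-duties conflicts: active users holding a prohibited
   combination of roles.
"""
from datetime import date, timedelta

# Constructed HR termination feed: employee id -> termination date (hypothetical)
HR_TERMINATIONS = {
    "E100": date(2024, 3, 1),
    "E101": date(2024, 3, 10),
}

# Constructed application access export (hypothetical roles and employees)
APP_ACCOUNTS = [
    {"emp": "E100", "role": "AP_CLERK",     "status": "active",   "disabled": None},
    {"emp": "E101", "role": "GL_POST",      "status": "disabled", "disabled": date(2024, 3, 11)},
    {"emp": "E102", "role": "VENDOR_MAINT", "status": "active",   "disabled": None},
    {"emp": "E102", "role": "AP_PAYMENT",   "status": "active",   "disabled": None},
    {"emp": "E103", "role": "GL_POST",      "status": "active",   "disabled": None},
]

# Assumed policy: access must be removed within this many days of termination
SLA_DAYS = 2

# Assumed SoD rule set: role pairs a single person must not hold together
SOD_CONFLICTS = [
    frozenset({"VENDOR_MAINT", "AP_PAYMENT"}),  # create a vendor and pay it
    frozenset({"GL_POST", "AP_PAYMENT"}),       # post to the ledger and disburse
]

# Review date for the example run (constructed)
AS_OF = date(2024, 3, 20)


def late_terminations(hr, accounts, as_of, sla_days=SLA_DAYS):
    """Return (emp, role, days_past_sla) for every account of a terminated
    employee that was not disabled by termination date + SLA."""
    findings = []
    for acct in accounts:
        term = hr.get(acct["emp"])
        if term is None:
            continue  # employee not terminated per HR; nothing to reconcile
        deadline = term + timedelta(days=sla_days)
        if acct["status"] == "active":
            # Still active: late if the review date is already past the deadline
            if as_of > deadline:
                findings.append((acct["emp"], acct["role"], (as_of - deadline).days))
        elif acct["disabled"] is not None and acct["disabled"] > deadline:
            # Disabled, but later than the SLA allowed
            findings.append((acct["emp"], acct["role"], (acct["disabled"] - deadline).days))
    return findings


def sod_conflicts(accounts, rules=SOD_CONFLICTS):
    """Return (emp, sorted_role_pair) for each active user holding a
    prohibited role combination. Disabled accounts are ignored."""
    roles_by_emp = {}
    for acct in accounts:
        if acct["status"] == "active":
            roles_by_emp.setdefault(acct["emp"], set()).add(acct["role"])
    conflicts = []
    for emp, roles in sorted(roles_by_emp.items()):
        for rule in rules:
            if rule <= roles:  # user holds every role in the prohibited pair
                conflicts.append((emp, tuple(sorted(rule))))
    return conflicts


def run_checks(hr=HR_TERMINATIONS, accounts=APP_ACCOUNTS, as_of=AS_OF):
    """Produce the evidence a reviewer would retain: the findings themselves
    plus the counts that feed program metrics."""
    late = late_terminations(hr, accounts, as_of)
    sod = sod_conflicts(accounts)
    return {
        "late_terminations": late,
        "late_termination_count": len(late),
        "sod_conflicts": sod,
        "sod_conflict_count": len(sod),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the constructed data, E100 is still active 17 days past the removal deadline, E101 was disabled a day after termination and is within SLA, and E102 holds both vendor-maintenance and payment roles. Retaining the script's input extracts and its output alongside the reviewer's sign-off is what turns this from a one-off query into evidence that meets the description-and-evidence expectations set out earlier on this page.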
Managing Compliance Across Multiple Jurisdictions
Although SOX is a United States law, global organizations must execute controls within a broader international regulatory environment.
Regional operations may be subject to local privacy laws, employment requirements, cybersecurity regulations, data-residency restrictions, and record-retention rules. These requirements can affect how access reviews are conducted, how employee information is shared, where evidence is stored, and how incidents are investigated.
A globally standardized control framework should define minimum enterprise requirements while allowing documented regional adaptations.
For example, the underlying objective of a user-access control may remain consistent worldwide, but the evidence collection process may vary based on local privacy restrictions or works-council requirements.
The organization should clearly distinguish between:
Global control requirements
Regional implementation procedures
Approved local exceptions
Compensating controls
Regulatory dependencies
This approach prevents unnecessary fragmentation while recognizing that identical procedures may not be feasible in every jurisdiction.
Addressing Significant Deficiencies
Control deficiencies should never be treated as isolated audit findings. They often indicate broader weaknesses in governance, accountability, process design, technology, or organizational culture.
When a deficiency is identified, management should first determine whether it represents:
A control design failure
An operating effectiveness failure
An isolated execution error
A systemic process weakness
A technology limitation
A resource or training issue
A failure of oversight
An indicator of potential fraud risk
The remediation process should begin with root-cause analysis.
For example, a failed access review may initially appear to be a missed deadline. However, further analysis may reveal that ownership was unclear, reports were incomplete, terminated users remained active, reviewers did not understand access privileges, or the organization lacked a reliable identity-governance process.
Correcting only the missed review would not address the underlying problem.
A strong remediation plan should include:
A clearly defined root cause
Specific corrective actions
An accountable remediation owner
Target completion dates
Interim risk-mitigation measures
Evidence of implementation
Sufficient time for operating-effectiveness validation
Management must also evaluate the severity of the deficiency and determine whether multiple deficiencies, when considered together, represent a more significant issue.
Boards and audit committees should receive transparent reporting on major deficiencies, remediation progress, overdue actions, residual risk, and barriers requiring executive intervention.
Coordinating With External Auditors
A constructive relationship with external auditors can improve the efficiency and predictability of the SOX program. However, management must retain ownership of the control environment.
Organizations should align with auditors early regarding:
SOX scope
Materiality considerations
Key systems and reports
Planned control reliance
Testing timelines
Evidence expectations
System implementations
Organizational changes
Prior-year deficiencies
Use of service organizations
Waiting until year-end to resolve questions about control design or evidence quality creates unnecessary risk.
At the same time, organizations should avoid designing controls solely around individual auditor preferences. Controls should be based on clearly defined risks, regulatory requirements, and sustainable business practices.
The strongest audit relationships are transparent and professional. Potential issues should be communicated early, supported by facts, and accompanied by credible remediation plans.
Third-Party and Cloud-Service Risks
Global organizations increasingly depend on cloud platforms, payroll providers, data centers, financial processors, and other third parties. Outsourcing a business or technology process does not eliminate management’s responsibility for SOX compliance.
When a third party supports a financially relevant process, the organization should evaluate:
The services included in the provider’s SOC 1 report
The report period and auditor’s opinion
Control exceptions
Subservice organizations
Complementary user-entity controls
Changes occurring after the report period
Contractual responsibilities
Security and availability incidents
Management’s monitoring activities
Complementary user-entity controls are especially important. A service provider’s controls may operate effectively, but the customer organization may still be required to approve access, validate data, review reports, reconcile transactions, or monitor exceptions.
Vendor-risk management and SOX compliance should therefore be closely coordinated.
Using Technology to Improve SOX Programs
Technology can significantly improve SOX compliance when it is implemented thoughtfully.
Governance, risk, and compliance platforms can help organizations centralize risk-and-control matrices, automate testing workflows, track deficiencies, retain evidence, monitor remediation, and produce management reporting.
Data analytics can identify unusual transactions, access conflicts, unauthorized changes, control failures, and recurring operational exceptions.
Robotic process automation and workflow tools can reduce manual effort by standardizing approvals, retaining timestamps, enforcing required fields, and routing exceptions to the appropriate reviewers.
Artificial intelligence may further support control mapping, document analysis, evidence classification, anomaly identification, and the review of policies or audit documentation. However, AI-assisted processes must themselves be governed. Organizations should validate outputs, protect confidential information, document human oversight, and ensure that AI-generated conclusions are not accepted without appropriate review.
Technology should strengthen professional judgment—not replace it.
Creating a Sustainable SOX Operating Model
The long-term success of a SOX program depends on its operating model.
A mature model clearly defines responsibilities across:
Business-process owners
IT control owners
Finance leadership
Internal Audit
Cybersecurity
Compliance
Enterprise risk management
External auditors
Executive management
The audit committee
Many organizations benefit from establishing a centralized SOX program office or center of excellence. This group can maintain methodologies, coordinate testing, provide training, monitor remediation, manage auditor requests, and promote consistency across regions.
However, centralization should not remove accountability from the business. Control owners must understand that SOX compliance is part of their operational responsibility—not merely a requirement imposed by Internal Audit.
Sustainability also requires succession planning and cross-training. Controls that depend entirely on one employee create unnecessary risk. Procedures, evidence requirements, backup ownership, and escalation paths should be documented.
Measuring Program Effectiveness
SOX program performance should not be measured solely by whether the organization completed its annual certification.
Leadership should monitor indicators such as:
Number and severity of deficiencies
Recurrence of prior-year findings
Percentage of controls completed on time
Remediation aging
Evidence-rejection rates
Manual versus automated control coverage
Number of late access terminations
Change-management exceptions
Audit hours and compliance costs
Control-owner training completion
Reliance on key individuals
Number of controls eliminated or consolidated through rationalization
These metrics help management identify systemic weaknesses and opportunities for improvement.
A reduction in the number of controls is not automatically a sign of weaker compliance. In many cases, control rationalization produces a stronger framework by eliminating redundant activities and focusing resources on the most important risks.
The Role of the Board and Audit Committee
Boards and audit committees play a critical role in setting expectations for financial integrity, accountability, and ethical conduct.
Their responsibility is not to perform individual controls, but to provide effective oversight and ask the right questions:
Are the organization’s most significant financial reporting risks clearly understood?
Is management addressing recurring deficiencies?
Are control owners appropriately trained and accountable?
Do major technology transformations introduce new SOX risks?
Are acquisitions integrated into the control environment promptly?
Is the organization overly dependent on manual controls?
Are third-party risks being adequately monitored?
Does Internal Audit have sufficient independence and resources?
Are remediation timelines realistic and properly governed?
Board-level attention sends a clear message that SOX compliance is an enterprise priority rather than an administrative obligation.
Moving From Compliance to Business Value
SOX compliance is sometimes viewed as a cost that produces little direct return. That perception usually arises when the program is overly manual, poorly scoped, or disconnected from business operations.
A well-designed SOX program delivers benefits beyond regulatory compliance. It can improve process discipline, clarify accountability, reduce unauthorized access, strengthen change management, enhance data quality, identify inefficient workflows, and support more reliable decision-making.
The goal should not be to create the largest possible control environment. The goal is to establish the right controls over the right risks and operate them consistently.
For global enterprises, this requires a combination of strong governance, risk-based scoping, standardized methodologies, local adaptability, effective technology, and transparent executive oversight.
Organizations that approach SOX as an integrated business discipline—not simply an annual certification exercise—are better positioned to respond to regulatory scrutiny, technology transformation, acquisitions, market volatility, and evolving stakeholder expectations.
Ultimately, effective SOX compliance is about trust: trust in financial statements, trust in business processes, trust in technology, and trust in leadership. Building and maintaining that trust requires continuous attention, but it also creates lasting value for the organization, its board, its investors, and its customers.
About the Author
Bala Krishnan is a cybersecurity, governance, risk, and compliance leader with extensive experience supporting SOX, IT risk, internal controls, cybersecurity, privacy, and regulatory compliance programs for multinational organizations. He has led and advised cross-functional initiatives involving IT General Controls, enterprise applications, cloud environments, third-party risk, audit readiness, control remediation, and technology-enabled compliance transformation.