SOX Compliance Glossary
Master the terminology of internal controls and audit.
Assertion
Representations by management, explicit or otherwise, that are embodied in the financial statements. The five key assertions are: Existence/Occurrence, Completeness, Valuation/Allocation, Rights & Obligations, and Presentation & Disclosure.
Audit Trail
A chronological record of system activities that allows an auditor to reconstruct and examine the sequence of events and changes surrounding a transaction or process. A robust audit trail is essential for SOX compliance.
COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework is the most widely used framework for designing, implementing, and evaluating internal controls. It consists of five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.
Control Activity
Policies and procedures that help ensure management directives are carried out to mitigate risks. Examples include approvals, verifications, reconciliations, and segregation of duties.
Control Deficiency
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It includes the integrity, ethical values, and competence of the entity's people, management's philosophy and operating style, and the way management assigns authority and responsibility.
Entity-Level Controls (ELCs)
Controls that operate at the organizational level and have a pervasive effect on the entity's internal control. Examples include tone at the top, a code of conduct, whistleblower policies, and IT general controls.
Evidence
Documentation that supports the operating effectiveness of a control. Evidence can take many forms including screenshots, system-generated reports, signed documents, and email confirmations.
ITGC (IT General Controls)
Controls over the IT environment, including access management, change management, computer operations, and program development. ITGCs support the proper functioning of application controls and are a critical area of focus in SOX audits.
Key Control
A control that is significant enough that its absence or failure would reasonably be expected to result in a material misstatement not being prevented or detected on a timely basis. Key controls are the subset of all controls that must be tested in a SOX audit.
Management Assessment
Under SOX Section 404(a), management of a public company is required to assess and report on the effectiveness of the company's internal control over financial reporting (ICFR) as of the end of each fiscal year.
Material Weakness
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
Monitoring Activities
Processes that assess the quality of internal control performance over time. This includes ongoing evaluations, separate evaluations, or a combination of both, used to determine whether internal controls are present and functioning.
PCAOB
The Public Company Accounting Oversight Board is a nonprofit corporation established by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies. It sets auditing standards (such as AS 2201 for ICFR audits) that external auditors must follow.
Process-Level Controls
Controls that operate within specific business processes and transaction cycles, such as revenue, procurement, or financial close. They are typically the largest category of controls tested in a SOX audit.
Remediation
The process of designing and implementing corrective actions to address identified control deficiencies. Timely remediation of deficiencies—especially significant deficiencies and material weaknesses—is critical to maintaining SOX compliance.
Risk Assessment
The process of identifying and analyzing risks to the achievement of the entity's objectives, forming a basis for determining how the risks should be managed. COSO identifies risk assessment as one of the five components of internal control.
Risk Control Matrix (RCM)
A document that maps financial statement risks to the internal controls that mitigate them. It is the central document of any SOX program, typically including control descriptions, owners, frequency, type (manual/automated), and assertions addressed.
Sample Size
The number of transactions selected for testing to evaluate whether a control is operating effectively. Sample sizes depend on the frequency of the control: annual controls may require 1 sample, quarterly controls 2–4, monthly 2–5, weekly 5–15, and daily controls 25–60.
Sarbanes-Oxley Act (SOX)
A U.S. federal law enacted in 2002 in response to major corporate accounting scandals (Enron, WorldCom). It established new standards for public company boards, management, and public accounting firms, with key sections including Section 302 (CEO/CFO certification) and Section 404 (internal controls assessment).
Section 302
A provision of the Sarbanes-Oxley Act requiring the CEO and CFO of a public company to personally certify the accuracy of financial statements and the effectiveness of disclosure controls and procedures.
Section 404
The most significant SOX provision for compliance teams. Section 404(a) requires management to assess ICFR annually. Section 404(b) requires the external auditor to attest to management's assessment—applicable to larger accelerated filers.
Segregation of Duties (SoD)
The concept of requiring more than one person to complete a task. In business, separating the duties within a single process across different individuals is an internal control intended to prevent fraud and error. The classic SoD requirement is to keep authorization, custody of assets, and record-keeping in separate hands; a single individual holding two or more of these roles is a common SoD conflict.
Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Walkthrough
A procedure where an auditor traces a transaction from its origination through the company's information systems until it is reflected in the financial reports. Walkthroughs are used to confirm the auditor's understanding of the transaction flow and to evaluate the design of controls.