SOX certification programs that work well

sox certification programs that work well
October 21, 2016

Please welcome Matt Kelly, Editor and CEO of Radical Compliance, to the blog.

Implementing a program of Sarbanes-Oxley (SOX) compliance certifications is not a new idea. Anyone reading these words already knows this.

In one form or another, SOX certification programs have been kicking around for years. (I can recall writing about them as early as 2004.) Today those programs are a routine part of your annual compliance exercise—even though they can be prone to error and exasperating to business units if your program is unwieldy. Everyone already knows that, too.

The challenge is to implement a systematic, automated process for SOX certification. Even now, with 12 years of compliance experience behind us, that can be a tricky task.

This past September, the 2016 Workiva user conference, The Exchange Community, included an excellent session on how to structure SOX certification programs, so they can ease the burden for business units and the compliance team. The solution is one part technology, one part human collaboration. So let’s break down those concepts into their component parts and see how we can drag certifications into the modern era.

First, remember what automation does: it establishes a normal operating procedure and then lets that procedure run without close oversight. Normal stuff moves along, abnormal stuff is halted for inspection. In the world of SOX certifications, that means you want to automate affirmative replies.

For example, if one of your financial controls is that every branch office must get two directors to preapprove payments greater than $25,000, and the directors of your Peoria office are certifying that yes, that control has worked normally all quarter—you on the SOX compliance team shouldn’t need to process those submissions manually.

Rather, those affirmative certifications from Peoria should flow into one central repository, where they can be aggregated with the certifications from all the other branch offices.

An efficient SOX certification program won’t leave the compliance team sifting through reams of documentation for internal controls that are working right. Instead, it will process them automatically, so you can focus on the controls that are working wrong.

A good idea, right? Now consider how your compliance processes and technology will need to work to achieve it. Every company will have its own unique challenges, but we can deduce a few broad principles to get you there.

SOX certification: some good practices

First, ditch the attachments.

A company might start its SOX certification program by sending Word® or Excel® files to the people who must certify controls—and to a certain extent, why wouldn’t you? If your SOX compliance program began by writing out narratives of business processes or listing controls in a spreadsheet, the temptation is to modify those documents into certification questionnaires that you email to control owners.

They reply, you collect the attachments, and compliance goes forward.

That manual process is rife with risks: loss of version control, loss of the certification itself, false certifications (when one person signs for another), or possibly even fraud risk if your control plans leak outside the company.

An automated SOX process will treat each certification as a pseudo webpage—a secure link you can email to each employee, so he or she can go to a fixed page and answer a fixed series of questions. The data can feed into a back-office database, where the compliance team can view all responses in bulk and a negative answer can be flagged immediately for further attention.

Ideally, your system would assign a unique URL to each person. Even without that, approaching SOX certifications as a set of fields to fill out and buttons to check is far better than collecting attachments manually.

Second, remember who answers to whom within your internal control regime.

A senior supervisor should not be able to certify that entity-level controls are effective before his or her subordinates certify that process-level controls are effective. Or you might have a control that’s a two-step process, requiring two people to certify—can Person A certify her half before Person B certifies his? Would you want to send one certification form to both people, where they can comment to each other and then co-certify together?

Perhaps you want to let senior executives trace a chain of certifications back to the original signers. In that case, you’ll need to ensure that those senior supervisors only see controls relevant to them. (If someone ends up seeing control documentation he shouldn’t, that means your segregation of duties isn’t right.)

From a technology standpoint, all these ideas are possible. You simply need to think through your business processes and controls, and then design a certification program that meets your needs. Once you have a design that works well with your business operations, you can get better completion rates and generate data about SOX controls for higher-level, more thoughtful analysis.

And then you can do it all over again next quarter.

Word and Excel are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Matt Kelly

About the author

Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog,, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at or on Twitter at @compliancememe.