Eliminating Duplicative Work in Sarbanes-Oxley Documentation and Certification


  • On the verge of going public and filing its S-1, a company must implement a scalable, repeatable, and sustainable Sarbanes-Oxley (SOX) program. The director of internal audit said, "Unless you're a big company where you have an in-house SAP® GRC or can use Archer™, etc., there aren't many suitable cost-effective SOX solutions available for small, fast-growing companies."
  • The SOX team manages around 120 business process controls, 22 IT general controls (ITGCs), and 20 entity-level controls linked to the COSO 2013 Framework.
  • Facing global expansion, the director of internal audit needed to identify a solution that was scalable and allowed business users from locations around the world to better collaborate, test, and review documentation.
  • While using Microsoft Office® products, including Visio® and SharePoint®, and DocuSign®, the team exchanged multiple documents while providing new edits, leading to duplicative work and version control issues as process owners exchanged changes and other communications via email.
  • DocuSign was supporting the technology company's quarterly revenue certification program for approximately 500 users. The quarterly SOX certification process was established as the SOX framework and was evolving across various processes. The certification process was painful because DocuSign did not facilitate two-way communications—making responding to email communications cumbersome and difficult to manage.

How Wdesk works for the SOX and internal audit teams

  • The teams now work with a single source of truth for all documentation. The business process narratives feed the risk control matrix (RCM). As the company was going through a period of high growth and constant change, the ability to link controls from the process narratives to feed directly into the RCM and test plan reduced duplication of effort and avoided errors and version control issues.
  • The company has around 40 process owners spread over various SOX cycles and functions (finance, operations, IT, HR, etc.). Four SOX consultants assisted in developing the SOX documentation, and the provision of four licenses for the external auditors to review the work in real time provided an intuitive interface for feedback, comments, and modifications.
  • The director of internal audit uses Wdesk to fulfill the full suite of SOX requirements—including linking entity-level controls to the updated COSO Framework, risk assessments, dashboards, and tracking the results of control testing. Audit committee presentations will be facilitated by outputs directly from Wdesk. The company's goal is to expand the use of Wdesk for a complete SOX and risk management solution.
  • Automated certifications allow the team to spend less time babysitting a complex process and more time on value-added tasks.


  • Using a cloud-based solution is essential for global expansion. It enables teams and auditors from different locations around the world to collaborate, review documentation, and monitor and manage testing of controls.
  • Documentation has been streamlined and standardized, creating a single working environment that removes duplicative work and manages version control. This has created considerable efficiencies.
  • The risk control matrix is fed from a single source of quality assured data—the business process narratives. Linking directly between documentation facilitates modifications as systems evolve and people and processes change. Errors are substantially reduced.
  • The audit committee and other stakeholders receive more consistent reports with up-to-date results and details from controls testing.
  • Transparency into the certification process has increased auditability and reduced the need for time-consuming email correspondences.

Microsoft Office, Visio, and SharePoint are registered trademarks of Microsoft Corporation in the United States and/or other countries.
SAP is the registered trademark of SAP SE in Germany and in several other countries.
Archer is a trademark of EMC Corporation in the United States and other countries.
DocuSign is a registered trademark of DocuSign, Inc.
