SOX Compliance for Indian Companies
The first SOX readiness project I worked on taught me something that no textbook had: the hardest part of Sarbanes-Oxley compliance for an Indian company is not understanding the law. It is rewiring how the entire finance organisation thinks about controls.
Indian companies operating under the Companies Act, 2013 are not new to internal controls. Section 143(3)(i) already requires auditors to report on Internal Financial Controls over Financial Reporting (IFCoFR). But the moment an Indian company lists on a US exchange (or is a subsidiary of a US-listed parent), the control environment enters a different orbit. SOX does not just ask whether controls exist. It asks whether they are designed effectively, operating consistently, and documented to a standard that an external auditor can independently test. That gap between “we have controls” and “we can prove our controls work” is where most Indian finance teams discover the real work begins.
Section 302 and Section 404: What They Actually Require
SOX has many sections, but two define the daily reality for finance teams.
Section 302 requires the CEO and CFO to personally certify, in every quarterly and annual report, that the financial statements are accurate and complete, that they have evaluated the effectiveness of disclosure controls and procedures, and that any material changes in internal controls have been disclosed. This is not a symbolic sign-off. The Section 302 certification itself is civil, but it is paired with the Section 906 certification, under which a knowingly false certification carries personal criminal penalties. When I have walked CFOs through Section 302 for the first time, the moment they grasp that their personal signature carries the weight of potential prosecution is the moment SOX stops being an abstract compliance project and starts being a leadership priority.
Section 404 requires management to assess the effectiveness of internal controls over financial reporting (ICFR) as of the fiscal year end (Section 404(a)), and, for accelerated and large accelerated filers, requires the external auditor to issue its own opinion on those controls (Section 404(b)). This is the integrated audit: the auditor is simultaneously auditing the financial statements and auditing the controls that produce them.
In practice, Section 404 is where the bulk of the work lives. It requires a complete inventory of financially significant processes, identification of risks and controls at each process level, documentation of how each control operates, testing to confirm the control operated effectively throughout the period, and evaluation of any deficiencies found. For Indian companies accustomed to the IFCoFR framework, the scope and rigour of Section 404 is a step change.
How Big 4 Firms Approach the Integrated Audit
Understanding how the external auditor thinks about a SOX engagement helps finance teams prepare more effectively, because the auditor’s methodology determines what your team will be asked to produce.
Big 4 firms follow the top-down, risk-based approach prescribed by PCAOB AS 2201, the standard for an audit of ICFR that is integrated with the financial statement audit. The auditor starts by identifying the financial statement line items and disclosures that carry the highest risk of material misstatement. From there, they map down to the significant processes, the specific assertions at risk within those processes, and the controls that address those assertions.
The practical implication is that not every control matters equally for SOX purposes. The auditor is focused on controls that directly address the risk of material misstatement in the financial statements. A company might have hundreds of controls documented in its internal controls manual, but the auditor will select a subset for testing based on their risk assessment. Knowing how this selection works allows the finance team to prioritise its own testing and remediation efforts.
The auditor will also evaluate entity-level controls (tone at the top, the control environment, monitoring activities) and IT general controls (access management, change management, IT operations). For Indian companies running on a mix of ERP systems, legacy applications, and manual processes, the IT general controls are often where deficiencies surface first. I have seen companies invest heavily in process-level controls while leaving their IT control environment undertested, only to face findings that cascade across multiple processes because the underlying system controls were not reliable.
Companies Act 2013 Controls vs. SOX: Where the Differences Bite
Indian finance teams familiar with IFCoFR often assume that their existing controls framework translates directly to SOX. Some of it does. Much of it does not, and the differences are specific and consequential.
Documentation standard. IFCoFR requires controls to be documented, but the practical standard for that documentation in India is often a controls matrix and narrative description. SOX requires documentation detailed enough for an independent third party to understand the control, identify the risk it addresses, and test whether it operated effectively. That means process flowcharts, control descriptions with specific attributes (who performs the control, what evidence they review, what action they take, how exceptions are handled), and retention of evidence for every control execution throughout the year.
Testing frequency. Under IFCoFR, the testing of controls often concentrates around the year-end audit period. SOX requires controls to operate effectively throughout the entire fiscal year. A control that worked perfectly in March but was not performed consistently from April through December will fail the SOX assessment. This “throughout the year” requirement changes how finance teams plan their monitoring because it means the controls testing programme cannot be a once-a-year exercise bolted onto the statutory audit timeline.
Deficiency evaluation. Both frameworks classify deficiencies, but SOX has a precise three-tier classification: control deficiency, significant deficiency, and material weakness. A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. The auditor must report material weaknesses in their opinion; management must disclose them to the audit committee and the auditor under Section 302, and in its own report on ICFR. In India, the equivalent IFCoFR reporting is less granular in its classification, and the consequences of reporting a weakness are less severe in terms of market and regulatory reaction.
Scope of IT controls. The Companies Act framework references IT controls but does not prescribe the depth of testing that SOX demands. PCAOB standards expect the auditor to evaluate IT general controls across all financially relevant applications, including access provisioning and de-provisioning, change management over application code, database management, and IT operations including batch processing and backup. Indian companies running on a mix of Tally, custom-built applications, and partially implemented ERPs often find this the most challenging area to bring to SOX standard.
What Finance Teams Need to Prepare
Having led teams through SOX readiness, I can tell you the preparation breaks down into four workstreams, and the sequence matters.
First, scoping. Identify the financially significant accounts and disclosures, the locations or business units that are in scope, and the significant processes that feed those accounts. This is not a one-time exercise. Scoping should be revisited annually because the business changes, acquisitions add new entities, and materiality thresholds shift with revenue growth.
Second, documentation. For every in-scope process, document the end-to-end flow, the risks of material misstatement, the controls that address those risks, and the evidence that demonstrates each control’s operation. The documentation must be specific enough that someone unfamiliar with the process can read it and understand exactly what happens, when, and by whom. I have found that the biggest time investment in a first-year SOX programme is not the testing. It is the documentation, because most Indian companies have controls that work in practice but have never been written down to the standard SOX requires.
Third, testing. Management must test its own controls before the external auditor arrives. This means building an internal testing programme (or engaging a co-sourced internal audit partner) that tests controls with the same rigour the external auditor will apply. The sample sizes, the evidence standards, the deficiency evaluation criteria: all of it should mirror PCAOB expectations. A management testing programme that uses different standards than the auditor’s creates a gap that surfaces as surprises during the integrated audit.
Fourth, remediation governance. Deficiencies will surface. The question is not whether but how quickly and how transparently they are addressed. A remediation governance framework (clear ownership, defined timelines, escalation protocols, and re-testing requirements) is what separates a SOX programme that matures steadily from one that cycles through the same findings year after year.
Common Deficiencies I Have Seen
The deficiency patterns across Indian companies going through SOX for the first time are remarkably consistent.
Segregation of duties in ERP systems. Users with access to both create and approve transactions, or access to both master data maintenance and transaction processing. This is often a legacy of implementation choices made when the company was smaller, and it becomes a SOX finding the moment the auditor maps user access against the segregation of duties matrix.
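The mapping the auditor performs in that step can be reproduced by the finance or IT team before the audit, against the ERP's own user-to-role export. The following Python is an added example, not code from this article or from any ERP vendor: the role names, permissions, user assignments and the conflict matrix are all constructed for illustration, and a real run would substitute the company's approved SoD matrix and the actual export.

```python
"""Segregation-of-duties (SoD) conflict check over ERP role assignments.

Added example for illustration. Roles, permissions, the conflict matrix and
the user assignments are all constructed; replace them with the ERP's
user-to-role export and the company's approved SoD matrix.
"""

# Constructed role catalogue: the atomic permissions each ERP role grants.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor_invoice.create"},
    "AP_MANAGER": {"vendor_invoice.approve", "payment_run.release"},
    "VENDOR_MASTER": {"vendor_master.maintain"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_REVIEWER": {"journal.approve"},
    "IT_SUPPORT": {"user.maintain"},
    # Legacy role from the early days, when one person did everything in payables.
    "FINANCE_ALL": {"vendor_invoice.create", "vendor_invoice.approve", "vendor_master.maintain"},
}

# Constructed SoD matrix: permission pairs that must not sit with one person,
# each tagged with the risk the combination creates.
SOD_MATRIX = {
    frozenset({"vendor_invoice.create", "vendor_invoice.approve"}): "self-approval of payables",
    frozenset({"vendor_master.maintain", "vendor_invoice.create"}): "fictitious vendor and invoice",
    frozenset({"vendor_master.maintain", "payment_run.release"}): "redirect payments to own bank account",
    frozenset({"journal.post", "journal.approve"}): "self-approved journal entries",
    frozenset({"user.maintain", "vendor_invoice.approve"}): "grant oneself financial approval rights",
}

# Constructed user-to-role export. asharma's conflict comes from two roles that
# are each clean on their own: the clerk role was never removed after promotion.
USER_ROLES = {
    "asharma": ["AP_CLERK", "AP_MANAGER"],
    "rmehta": ["VENDOR_MASTER", "AP_CLERK"],
    "pkumar": ["GL_ACCOUNTANT"],
    "nverma": ["GL_REVIEWER"],
    "sysadmin": ["IT_SUPPORT", "AP_MANAGER"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions across all of a user's roles (unknown roles are ignored)."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_in(perms, sod_matrix=SOD_MATRIX):
    """Every forbidden pair contained in a permission set, as sorted (a, b, risk) tuples."""
    hits = []
    for pair, risk in sod_matrix.items():
        if pair <= perms:
            a, b = sorted(pair)
            hits.append((a, b, risk))
    return sorted(hits)


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, sod_matrix=SOD_MATRIX):
    """Map each user to the SoD conflicts in their effective access.

    The test runs on the user's combined access, not on individual roles, so
    conflicts created by accumulating otherwise-clean roles are caught.
    """
    findings = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(effective_permissions(roles, role_permissions), sod_matrix)
        if hits:
            findings[user] = hits
    return findings


def roles_with_inherent_conflicts(role_permissions=ROLE_PERMISSIONS, sod_matrix=SOD_MATRIX):
    """Roles that violate the matrix on their own: a design deficiency in the
    role catalogue that no amount of user clean-up will fix."""
    return sorted(r for r, perms in role_permissions.items() if conflicts_in(perms, sod_matrix))


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> {risk}")
    print("roles that conflict by design:", roles_with_inherent_conflicts())
```

Two points the output makes that a role-by-role review misses: the conflict is a property of the user's effective access, so it surfaces even when every individual role is clean, and a role that conflicts by design (FINANCE_ALL here) is a finding against the role catalogue rather than against any one user. The same run, repeated after each access change and retained with its date, is also the evidence the auditor will ask for that the review operated throughout the year.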
Lack of formalised review evidence. The control operates (a manager reviews the bank reconciliation every month) but there is no documented evidence of that review. SOX requires evidence. A verbal confirmation that “yes, I reviewed it” does not satisfy the auditor’s testing requirements. Building the habit of signing off, dating, and annotating review evidence is a cultural change for many teams.
IT change management gaps. Application code changes deployed without documented approval, testing, and sign-off. For companies with in-house development teams building financial applications, this is a recurring finding because the development workflow was built for speed, not for control.
Incomplete entity-level controls. No formalised code of conduct, no whistleblower mechanism, no documented fraud risk assessment. These entity-level controls form the foundation of the COSO framework that SOX relies on, and their absence signals to the auditor that the control environment itself may not be reliable.
Journal entry controls. Manual journal entries without adequate review, approval, and supporting documentation. The auditor will select a sample of journal entries and test whether they were authorised, supported, and posted correctly. Companies that allow any member of the finance team to post journals without a review layer will face findings here.
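What that test looks like when management runs it over its own journal population before the auditor does, as an added example that is not from this article: the entries, the field names, the senior-approver list and the high-value threshold are constructed assumptions about a typical ERP journal export, not any specific system's schema.

```python
"""Manual journal entry (JE) review test over an ERP journal export.

Added example for illustration. The entries, field names, the senior-approver
list and the high-value threshold are constructed assumptions; a real run
reads the full population of manual JEs for the period from the ERP.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import random

HIGH_VALUE_THRESHOLD = 1_000_000        # assumed INR threshold for senior approval
SENIOR_APPROVERS = {"controller"}        # assumed: users allowed to approve high-value JEs


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    amount: float
    prepared_by: str
    approved_by: Optional[str]
    approved_at: Optional[datetime]
    posted_at: datetime
    support_doc: Optional[str]           # reference to attached evidence, None if missing


def exceptions_for(je: JournalEntry) -> list[str]:
    """Control attributes tested on each entry.

    An approval only counts as evidence if it is documented, independent of the
    preparer, made before the entry hit the ledger, and at the right level.
    """
    issues = []
    if je.approved_by is None or je.approved_at is None:
        issues.append("no documented approval")
    else:
        if je.approved_by == je.prepared_by:
            issues.append("self-approved")
        if je.approved_at > je.posted_at:
            issues.append("approved after posting")
        if je.amount >= HIGH_VALUE_THRESHOLD and je.approved_by not in SENIOR_APPROVERS:
            issues.append("high-value entry without senior approval")
    if not je.support_doc:
        issues.append("no supporting document attached")
    return issues


def run_control_test(entries: list[JournalEntry]) -> dict[str, list[str]]:
    """Run the control test over every entry; return only the exceptions."""
    return {je.je_id: ex for je in entries if (ex := exceptions_for(je))}


def select_sample(entries, size, seed):
    """Reproducible random sample so the selection can be re-performed.

    Record the seed and the population size in the workpaper; without them the
    sample cannot be independently re-created by the auditor.
    """
    ordered = sorted(entries, key=lambda je: je.je_id)
    return random.Random(seed).sample(ordered, min(size, len(ordered)))


# Constructed population for the period (timestamps are illustrative).
T = datetime
POPULATION = [
    JournalEntry("JE-1001", 250_000, "pkumar", "nverma", T(2024, 4, 3, 10), T(2024, 4, 3, 15), "ACC-2201"),
    JournalEntry("JE-1002", 80_000, "pkumar", "pkumar", T(2024, 4, 5, 9), T(2024, 4, 5, 9, 30), "ACC-2210"),
    JournalEntry("JE-1003", 1_500_000, "rmehta", "nverma", T(2024, 4, 8, 17), T(2024, 4, 8, 18), "ACC-2215"),
    JournalEntry("JE-1004", 40_000, "rmehta", None, None, T(2024, 4, 9, 11), "ACC-2218"),
    JournalEntry("JE-1005", 2_000_000, "pkumar", "controller", T(2024, 4, 12, 8), T(2024, 4, 12, 10), None),
    JournalEntry("JE-1006", 60_000, "rmehta", "nverma", T(2024, 4, 16, 12), T(2024, 4, 15, 16), "ACC-2230"),
]

if __name__ == "__main__":
    for je_id, issues in run_control_test(POPULATION).items():
        print(je_id, "->", "; ".join(issues))
```

The exception list is the management testing result the auditor will compare against their own sample. Where the ERP export allows it, management should run the check over the full population rather than a sample, since each exception type here (self-approval, approval after posting, missing support, under-level approval) is a different control attribute and an auditor sample that lands on any one of them is a finding.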
Remediation Timelines and the Cost of Getting It Wrong
A realistic SOX readiness timeline for a first-year programme is twelve to eighteen months. That assumes the company has a reasonable starting point (an existing controls framework, an ERP system, a finance team with some controls awareness). Companies starting from a less mature position should plan for closer to twenty-four months.
The cost of non-compliance is not abstract. A material weakness disclosed in the auditor’s report triggers a market reaction (research consistently shows stock price declines following material weakness disclosures). It triggers regulatory scrutiny from the SEC. It increases the cost of capital because investors price in the control risk. And it creates a remediation obligation that consumes management time and audit fees for the following year, because the auditor must re-test the remediated controls and evaluate whether the material weakness has been resolved.
The audit fees alone for a SOX integrated audit are significantly higher than a financial statement audit alone, often two to three times the cost, depending on the complexity and number of locations. Adding a material weakness to that equation increases the fee further because the auditor must expand their testing scope.
Beyond the direct costs, a material weakness changes the dynamic between the finance team and the board. I have seen audit committees that were previously supportive shift to an oversight posture, requesting quarterly updates on remediation progress and questioning whether the finance organisation has the capability to manage the control environment. That is a difficult position for a CFO, and it is avoidable with proper preparation.
The Strategic Frame
SOX compliance, done well, is not just a regulatory burden. It builds an infrastructure that makes the finance function more reliable, more transparent, and more resilient. The discipline of documenting controls, testing them regularly, and remediating deficiencies systematically creates a finance organisation that operates with rigour even when nobody is watching.
The CFOs I respect most treat SOX not as a checkbox exercise but as a mechanism for building the control environment that a scaling business needs. The controls that SOX requires (segregation of duties, formalised review and approval, IT change management, entity-level governance) are the same controls that prevent the operational failures that derail growth. The compliance framework and the good management framework are the same thing, viewed from different angles.
For Indian companies listing in the US or operating as subsidiaries of US-listed parents, SOX readiness is a leadership capability, not just a compliance project. The finance teams that approach it with that mindset build something lasting. The ones that treat it as an annual fire drill spend more money, generate more audit findings, and never quite get ahead of the cycle.
If you are preparing for SOX readiness or working through your first integrated audit cycle, I would be glad to compare notes on what works in practice. Let’s connect.
Series Insight
Part of my series on Audit & Governance
Financial statement audit, internal controls, and governance written from the inside. The audit foundation that sharpens FP&A assumptions, controls design, and judgement under uncertainty.