SOX SOP Requirements: Documenting Internal Controls for Sarbanes-Oxley Compliance
Sarbanes-Oxley is fundamentally a documentation problem. Section 302 requires CEO and CFO certification that disclosure controls are operating effectively. Section 404 requires management's assessment of internal controls over financial reporting (ICFR). Neither section is satisfiable without written, tested procedures that auditors can trace from control objective to documented process to evidence of execution. This guide covers which SOPs a public company needs for SOX compliance, how to structure them, and the 7-year retention challenge.
Why SOX Is Fundamentally an SOP Problem
The PCAOB and external auditors test controls by tracing them back to written procedures and then verifying that those procedures were followed. A control that exists in practice but isn't documented is not a testable control — it's an undocumented process that auditors can't rely on. The sequence during an audit is: show me the policy, show me the SOP, show me the evidence that the SOP was followed.
SOX 404 findings most commonly arise not from the absence of controls but from the absence of documentation proving that controls operated consistently throughout the period. The SOP is the bridge between the control objective and the audit evidence.
SOX SOPs You Need for ICFR
- Financial close procedure. The month-end and quarter-end close sequence: which accounts are reconciled, in what order, by whom, reviewed by whom, and by what deadline. This is typically the most scrutinized SOP in a SOX audit.
- Journal entry approval workflow. Who can create journal entries, who must approve them before posting, what documentation is required for non-standard entries, and how reversals are handled.
- Access provisioning and de-provisioning for financial systems. How access to ERP systems (SAP, Oracle, NetSuite) is granted, modified, and revoked. Segregation of duties (SoD) conflicts must be documented and reviewed.
- Change management for accounting software. The procedure for requesting, approving, testing, and deploying changes to financial systems. Unauthorized changes to financial systems are a top SOX deficiency.
- Account reconciliation procedure. How balance sheet reconciliations are prepared, what evidence is required, review cadence, and escalation when reconciling items remain open past a threshold.
- Financial reporting review. The internal review and approval chain before financial statements are filed. Who reviews the draft, what questions must be answered, and who has final approval authority.
The COSO Framework and SOPs
Most SOX compliance programs use the COSO Internal Control — Integrated Framework as their reference. The five COSO components each have a documentation dimension:
| COSO component | Documentation requirement |
|---|---|
| Control environment | Written tone-at-the-top policies, code of conduct, delegation of authority matrix |
| Risk assessment | Documented risk identification process, risk register, fraud risk assessment |
| Control activities | The SOPs themselves — the specific procedures that mitigate identified risks |
| Information & communication | Financial reporting procedures, escalation paths, exception reporting workflows |
| Monitoring | Control testing schedules, remediation tracking, management review procedures |
The 7-Year Retention Challenge
SOX Section 802 requires records relevant to audit or review of financial statements to be retained for 7 years. This applies to the SOPs themselves and to the evidence that those SOPs were followed (reconciliation sign-offs, journal entry approvals, access review completions).
Browser local storage does not guarantee 7-year persistence. Browser data can be cleared by the user, lost in a device replacement, or corrupted. For SOX compliance, the workflow documentation process should include a step where SOPs are exported as PDFs at the point of creation and stored in a records management system (SharePoint, Workiva, or a dedicated GRC platform) with appropriate access controls and retention locks.
Claudia's audit log CSV export provides a timestamped record of every session create, stop, export, and delete event. For SOX purposes, these logs should be exported monthly and archived in a system that satisfies the 7-year retention requirement. The local audit log in Claudia is the source of truth during the current period; the archived CSV exports are the long-term compliance record.
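The monthly archival step above can be scripted so that each archive is reproducible and carries a digest that the records management system can check later for tampering. The following is an added example, not Claudia's code: it assumes a constructed CSV layout with columns timestamp, event, session_id and user (the page does not give the real column names) and the four event types the text does list.

```python
"""Monthly archival of a session audit log CSV with a tamper-evidence digest.

Added example, not Claudia's code. The column layout (timestamp, event,
session_id, user) is a constructed assumption; the event values create,
stop, export and delete are the ones the article lists.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample export: ISO-8601 UTC timestamps, one row per event.
SAMPLE_AUDIT_CSV = """timestamp,event,session_id,user
2025-01-31T23:58:10Z,create,sess-0101,alice
2025-02-03T09:12:44Z,create,sess-0102,bob
2025-02-03T09:40:02Z,stop,sess-0102,bob
2025-02-14T16:05:31Z,export,sess-0102,bob
2025-02-28T18:20:00Z,delete,sess-0101,alice
2025-03-01T08:00:00Z,create,sess-0103,carol
"""

VALID_EVENTS = {"create", "stop", "export", "delete"}


def parse_audit_rows(text):
    """Parse the CSV, attach a parsed timestamp, and reject unknown event types."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event"] not in VALID_EVENTS:
            raise ValueError(f"unknown event type {row['event']!r}")
        row["ts"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def archive_month(text, year, month):
    """Return (archive_csv, sha256_hex, row_count) for one calendar month.

    The archive uses a fixed column order and is sorted by timestamp, so the
    same input always yields the same bytes and therefore the same digest.
    Record the digest next to the archive in the records management system;
    recomputing it later detects any edit to the stored file.
    """
    rows = [r for r in parse_audit_rows(text)
            if r["ts"].year == year and r["ts"].month == month]
    rows.sort(key=lambda r: r["ts"])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["timestamp", "event", "session_id", "user"])
    for r in rows:
        writer.writerow([r["timestamp"], r["event"], r["session_id"], r["user"]])
    archive = out.getvalue()
    digest = hashlib.sha256(archive.encode("utf-8")).hexdigest()
    return archive, digest, len(rows)


def verify_archive(archive, expected_digest):
    """Recompute the digest of a stored archive and compare it to the recorded one."""
    return hashlib.sha256(archive.encode("utf-8")).hexdigest() == expected_digest


if __name__ == "__main__":
    archive, digest, n = archive_month(SAMPLE_AUDIT_CSV, 2025, 2)
    print(f"{n} events archived for 2025-02, sha256={digest}")
    print(archive)
```

The digest alone proves integrity, not authenticity; if the archive store allows the same person to rewrite both file and digest, sign the digest or record it in a system where the archiving user has no write access.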
Documenting Financial Workflows Safely
Financial systems display sensitive information: account balances, transaction details, employee compensation, vendor banking details. When documenting ERP workflows, payroll procedures, or financial reporting processes, the SOP screenshots will often contain this data.
For SOX SOP documentation, the priority is keeping financial data out of the SOP distribution chain. Claudia stores all recordings locally with AES-256-GCM encryption. Sensitive field patterns are redacted before storage. URL query parameters containing session tokens or internal IDs are stripped on export. The resulting SOP can be shared with staff who need to follow the procedure without exposing the underlying financial data that was visible during the recording session.
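The two export-time controls the paragraph names, stripping session tokens and internal IDs from URL query strings and redacting sensitive field patterns, look like this when written out. This is an added example and not Claudia's code; the page does not give its parameter list or patterns, so the parameter names in SENSITIVE_PARAMS and the regular expressions below are constructed illustrations.

```python
"""Sanitising captured URLs and captions before an SOP is exported.

Added example, not Claudia's code. The parameter names and redaction
patterns are constructed assumptions standing in for whatever rules a
real tool ships with.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed: query-parameter names treated as session- or identity-bearing.
SENSITIVE_PARAMS = {"token", "session", "sessionid", "sid", "auth", "jwt",
                    "id", "employee_id", "account"}

# Constructed: SSN-shaped numbers, 16-digit card-like numbers, and
# "routing/account number: 123456" pairs as they appear in ERP form captures.
REDACTION_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
    (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "[CARD REDACTED]"),
    (re.compile(r"(?i)\b(?:routing|account)\s*(?:no\.?|number|#)?\s*[:=]\s*\d{6,17}"),
     "[BANK DETAIL REDACTED]"),
]


def strip_sensitive_query(url):
    """Drop sensitive query parameters and the whole fragment from a captured URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    # Fragments can carry bearer tokens too (e.g. OAuth implicit flow), so
    # they are removed outright rather than filtered.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def redact_fields(text):
    """Apply every redaction pattern in order; later patterns see earlier replacements."""
    for pattern, replacement in REDACTION_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def sanitize_step(step):
    """Sanitise one captured SOP step of the form {"url": ..., "caption": ...}."""
    return {"url": strip_sensitive_query(step["url"]),
            "caption": redact_fields(step["caption"])}


if __name__ == "__main__":
    # Constructed capture of a vendor-maintenance screen in an ERP.
    step = {
        "url": "https://erp.example.com/ap/vendors?vendor=ACME&token=eyJabc&id=4471#access_token=xyz",
        "caption": "Vendor ACME bank detail: Account number: 000123456789, contact SSN 123-45-6789",
    }
    print(sanitize_step(step))
```

Pattern-based redaction is best effort: it only catches shapes it knows, and screenshots hold pixels rather than text, so a human review of the exported SOP before it enters the distribution chain remains part of the control, not an optional extra.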
This article is for informational purposes only and does not constitute legal advice. Consult your compliance team or legal counsel to evaluate how Claudia fits within your organization's specific regulatory obligations.