A Practical Framework for Becoming a True SOX Leader and Partner

If you asked your business stakeholders what the SOX process feels like, what would they say? If they were honest, would you hear words like bottleneck, check-the-box, overkill, or SOX police? Or would they say you’re a trusted advisor who partners with them to make the business better?
Now the trick is being honest with yourself: What would they REALLY say? And are you doing all you can to be seen as a true SOX leader and partner?
This week, we’re sharing insights from my interview with SOX Internal Controls and Business Process leader Doug Timian, whose career spans public accounting, Internal Audit, and SOX. Doug’s practical framework focuses on enhancing communication, collaboration, and impact to help you graduate from check-the-box auditor to trusted, valued business partner.
THE BIG QUESTION: How Do We Solve the SOX Identity Crisis?
Too often, SOX teams buy into the idea that they need to shrink their presence, being less of a “bother” to the organization. They try to minimize their SOX program rather than make it great.
The problem is that these teams ultimately tend to lack executive management support. Driving a truly great SOX program requires gaining executive team trust and buy-in.
THE BIG TAKEAWAY: You can’t add value if stakeholders don’t want to work with you. Fortunately, simple changes can help you reframe your SOX program as a strategic asset that drives business value — while positioning your team as trusted business advisors capable of taking the lead on important risk and assurance initiatives.
THE MISSION: Building Stakeholder Trust
Stakeholder trust is foundational to our SOX mission, which involves:
- Supporting management in upholding a strong control environment, promoting transparency and accountability, and reducing the risk of financial misstatements.
- Protecting investors by ensuring that financial data is complete, accurate, and reliable.
We can’t build trust if we’re seen as a burden, or as “police” out to catch and spotlight others’ mistakes.
The good news is that your own behaviors set the tone, either compromising or building trust.
THE FRAMEWORK: 6 Pillars for SOX Partnership
Pillar 1: Change Your Mindset
Doug’s #1 point is that SOX leaders need to lean into their identities as ICFR SOX SMEs. This alone will make a massive difference in how you’re regarded in your organization.
Your business stakeholders know their own processes and controls.
But there’s plenty they may not know about — and where you can provide significant value:
- What “good” controls look like in your industry, including opportunities to leverage external SMEs or benchmarking
- Audit methodologies, practices, and standards
- What the PCAOB is saying about X, Y, or Z
- What your External Auditor is looking for
- Effective issue management, including how to remediate SOX deficiencies
- Key IT dependencies (e.g., IPEs, key reports, automations)
- Developing control descriptions, process flow diagrams/narratives, and other documentation
You know your craft inside and out. Make sure you show it, providing stakeholders with relevant, context-specific education, insights, guidance, and support.
Pillar 2: Understand the Business
Of course, your stakeholders know far more than you do about their own role, business objectives, and workflows. So it’s super-important to:
- Get curious and ask questions. Be humble, admitting what you don’t know.
- Regularly request, acknowledge, appreciate, and use their expertise.
- Show gratitude for their time and insights.
Pillar 3: Focus on the Risks
Dig in and really define the risks that the controls are trying to address, ensuring you truly understand them in ways that will enable you to be effective in supporting the business.
Everyone says to “focus on the risks.” But in practice, it’s easy to get focused on procedure and forget to really think through the risks the controls are designed to address.
That’s why you need to:
- Think through the process holistically, working back from the financial statement balance or account to more fully understand the underlying risks.
- Craft control activities or steps that will address those risks in a precise, meaningful way.
Pillar 4: Translate SOX Requirements into Actionable Insights
Don’t just point to SOX rules to explain why changes are needed.
Instead, drawing on all you’ve learned from stakeholders about their processes, role, and objectives:
- Help them understand the reasons behind relevant SOX rules and how they apply in this context (e.g., how the process or control ties back to specific risks).
- Explain how and why changes will help them strengthen their processes and controls, translating the technical elements into actionable insights that help them execute.
Pillar 5: Be Proactive, Empathetic — and Prepared
Show up as an empathetic, down-to-earth colleague who’s ready to help.
Your stakeholders have complex and voluminous responsibilities. They’re often under stress, and their time is valuable.
When you bring them a new problem to solve, their natural first reaction will be frustration and hesitation. That’s why it’s critical to:
- Show up having done your homework. Do everything in your power to arrive equipped with a strong understanding of their process. Have an agenda. Seeming unprepared is a surefire way to lose trust and confidence from day one.
- Be authentic and transparent. Show humility and humanity. If you mess up, own it. Use plain language they readily understand.
- Understand their perspective/pressures. Listen. Put yourself in their shoes. Be constructive, not judgmental.
- Deliver on commitments. Operate with professionalism, showing up on time, delivering on deadlines, and doing what you say you’ll do.
- Find ways to reduce their load. How can you take work off their plate (e.g., access supporting documentation, help fix an issue that’s been plaguing them)? Show that you have their best interests at heart.
Pillar 6: Lead Collaboratively
Effective SOX leadership can take many forms. Doug summarizes three options:
- Advisor — Be the ICFR SOX SME that can help assess risk, recommend practical solutions, offer education, and convey External Auditor expectations and questions.
- Doer — Go beyond advice to get in the trenches alongside stakeholders, writing control descriptions, defining risks, developing narratives, and documenting issues/remediation plans.
- Driver — Partner with stakeholders during GAAP changes and system implementations, coordinate across teams to drive action, and help escalate issues.
Whatever option you choose, the idea is framing your role as “support” instead of oversight. You’re not there to police — you’re there to help.
WHY THIS WORKS: It’s All About Trust
Earning trusted-advisor status requires gaining executive stakeholders’ trust.
These six pillars help SOX teams show themselves as competent, authentic, and empathetic — foundational for any trusted relationship.
Trust is the chicken AND the egg.
THE LAST WORD: SOX Is a Lever for Earning Trusted-Advisor Status
Many Internal Audit leaders seem to view SOX as something to minimize and “get through.” Doug and I strongly believe the opposite.
We hypothesize that your SOX program may be the single most valuable asset you have to prove your competence and value, establish trust, and position yourselves as true partners to whom the business can entrust its important risk and assurance initiatives.
Leaning into improving your SOX program greatly improves your chances of being seen as a genuine leader and business partner.
That’s why solving the SOX identity crisis requires a mindset shift.
We’re far more than “testers” and nothing like “police.” We’re experts here to help make the business better.
Make sure your behaviors communicate that.
