Do you know that old Dunkin’ Donuts commercial from the 1980s? 

‍

A mustached man wearing a Dunkin’ Donuts uniform goes in and out the front door of his home saying, “Time to make the donuts,” and then — looking more and more tired — “I made the donuts.” In any weather and any time of day or night, he’s endlessly making donuts. At the end, leaving yet again to make the donuts, he runs into himself coming back in, saying wearily that he already made the donuts.

‍

When doing SOX controls testing, it’s easy to feel like the Dunkin’ Donuts guy. Because if you are a staff or senior Internal Auditor doing the testing, it feels like you’re always reviewing controls or talking about controls. It’s all controls, all the time. 

‍

It can make it hard for SOX teams and control owners to see past the donuts — I mean the controls — to remember the other opportunities they have to provide value. 

‍

With that in mind, whether you’re beginning interim testing now or it’s still far off, I wanted to provide some ideas and inspiration for using this time effectively. 

‍

After all, you know that you are more than your donuts. But it’s up to you to build your brand so that everyone in your organization knows it. 

‍

During our most recent SOX Accelerator program session, SOX Accelerator instructor and That Career Coach Kendall Berg shared tactics SOX and Internal Audit teams can use to better communicate and improve their brands. 

‍

The SOX leaders who participated agreed: Small changes to the way control owners and senior management perceive you can make a big difference. 

‍

Here are six ways SOX teams can build their brand — during control testing time or any other time. 

1. Create a SOX Team Vision and Mission Statement

Developing a vision and mission statement specific to your SOX team provides two big benefits. 

‍

First, it conveys that your SOX team takes its job seriously, showing purpose and commitment.

‍

Second, it can help inspire, motivate, and focus your team, reminding them of the big-picture value they help provide to the organization. 

‍

• Your vision explains who you want to be further down the road. Who do you strive to be for your organization? What does success look like for you? Consider how your team’s success ties into your organization’s overall objectives and culture.
• Your mission statement explains how you’re going to do it. How specifically are you going to serve your organization’s purpose? In what ways will your team provide value and uplevel its approach? Further, as one Internal Audit Collective member called out, how is each individual member responsible for contributing? 

‍

Most likely, neither of these will mention donuts. 

2. Be Seen as a SOX SMR

A SOX practitioner is testing a control. The control owner asks them why. 

‍

Sounds basic, right? Maybe not.

‍

This could actually be a big moment, depending on how the SOX practitioner responds.

Do they just point to and repeat whatever it says on the slide, risk and control matrix (RACM), or another document? 

‍

Or do they use the opportunity to dig in, teach, and provide insight? 

‍

Instead of defaulting to rote, compliance-based responses, make sure your answers consistently offer relevant context, education, and insight. For example, “This control is key because it’s managing a transaction that populates a material financial statement line item. So it plays an important role in managing the enterprise’s financial risk.”

‍

This type of answer lets you showcase your expertise while justifying the testing. It helps you develop a reputation not just as “that SOX tester,” but as “that SOX expert.” 

‍

Everyone feels better when they’re working with someone they see as an expert. It makes problems or mitigation feel less worrisome. It gives you confidence in their approaches. It makes you feel like your time isn’t being wasted. 

‍

Plus, every time someone on your team responds to a question with valuable, relevant insight, your team’s overall brand inches that much higher. 

3. Develop a Reputation for Taking Work Off Other People’s Plates

Can you access the supporting documentation you need from a control owner yourself? 

‍

Great. Do it and let them know. 

‍

Can you proactively offer options to help them fix an issue that’s been a thorn in their side? 

‍

Awesome. Just don’t frame it as compliance. Frame it as, “I’m helping you make your job easier.”

‍

When your actions show control owners you have their best interests in mind, they’re more likely to view you positively. 

‍

That positive view can translate to: The benefit of the doubt. An open door when you come knocking. Stronger trust and rapport. An invitation to help. A vote of support about how easy you are to work with. 

‍

It all helps cement your reputation as a collaborator, partner, and trusted advisor — not as “corporate police.” 

‍

Not sure about the best way to lighten their load? Ask. 

‍

Ask what their problem areas or obstacles are — what annoys them, what they’d like changed and why. Make sure they feel safe pointing out their problems, assuring them you’re not going to point any fingers back at them. Instead, you’re going to help them find solutions. 

‍

You’re also helping yourself as you help them. These informal conversations can be incredibly valuable. As one Internal Audit Collective member shared, “When you become a free therapist for them and they’re able to air their concerns and problems, you get nuggets of information you don’t get in formal process walkthroughs.” 

‍

Plus, that documentation you got yourself? You avoid any delays from waiting for them to provide it. 

4. Be Kind and Empathetic

For better or worse — especially during testing — SOX practitioners can come across as being very black and white. Given our mandate to stay objective, it’s the easy default. Plus, many of the things we’re testing really do have black-and-white answers. 

‍

But most situations have at least some gray nuances. To start with, everyone deserves empathy and kindness when they screw up. 

‍

When control deficiencies occur, it’s usually not due to some devious intent. 

‍

Maybe they’re overextended, or something is going on in their personal lives. Maybe their managers prioritize other responsibilities over control responsibilities. Or maybe they did just screw up. 

‍

Whatever the case, we are all fallible. So, don’t be judgmental. Just be there to help. 

‍

Tone and word choice are also important. We often have to deliver hard messages. But as one Internal Audit Collective member puts it, “Instead of just always using an iron fist, you could use a velvet glove. Thinking, ‘I can deliver the hard message, but I can deliver it in a kind way’.” 

‍

For example, you could say, “Hey, I know you have a million things going on. I understand that SOX probably isn’t the most important thing on your plate. I hear you, and I’ve got you. How can I help?”

5. Deliver Insights Beyond SOX

Regularly help control owners see and understand the bigger picture behind SOX testing, including bringing in external expertise and insight.

‍

For example:

‍

• How do SOX controls tie into ERM risks? 
• How does the SOX testing work contribute to the organization’s overall success? 
• What has gone wrong at other organizations, and what can your organization learn from that? 
• What do effective controls look like in other organizations? What can they do to make their controls more effective?
• What changes can they make to help them perform their control owner role in alignment with management’s expectations?

‍

Delivering relevant insight also requires making sure you’re delivering what the control owner is hoping for. So, regularly confirm: What’s important to them? What are their goals and expectations?

‍

One Internal Audit Collective member suggested, “It could be a good pulse check to just sit down and say, ‘Hey, we've been sharing SOX-related information with you. If you had a magic wand, what would you change? Is this information relevant to you? Is it too much? Is it too little?’ Don’t just assume everything is okay because no one's talking about it.”

6. Shine the Light on SOX Successes

People won’t buy a product unless (a) they know it exists, (b) they believe they need it, and (c) it provides value in return for their investment. 

‍

Your SOX team is your product. You need to market it.

‍

Can you create and share a newsletter? How about a Slack or Microsoft Teams channel that goes out to control owners? Or an intranet site showcasing your team and a few success stories? 

‍

Generally speaking, success stories — especially those that give control owners credit for their wins — will be your most effective marketing. Can you highlight a control owner’s recent successes? Showcase a new control owner who got up to speed quickly? Illustrate how your team’s coaching made a difference? 

‍

Avoid highlighting negative stories. While they may make your SOX team look good, they risk making another team look bad. 

Get Out of the Donut Zone

Kendall made the point that our brands are what walk into a room before we get there, and what stick around after we leave. Why not create a brand that serves as your red-carpet-rolling sidekick, hype man, and wing woman?

‍

No SOX team wants to be viewed as doing repetitive, low-value corporate policing. Nobody wants to feel like the Dunkin’ Donuts guy. 

‍

Fortunately, there are small, simple things you can do to shake that stereotype and build a better brand. 

Here’s what you can do today: Share this article with your SOX team. Make a game plan to divide and conquer. Everyone can pick one or two ideas to focus on and drive. If you work together to implement them, your team is certain to have a stronger brand by 2026.