This guide provides auditors with a framework for managing changes to internal control over financial reporting. It underscores the importance of systematic documentation and communication in effecting changes, whether they pertain to SOA scope, corporate standard processes, or local business processes and controls. It outlines various types of changes, such as modifying materiality thresholds, updating templates, adding new risks, and deleting existing risks. These modifications could be triggered by several factors, including re-engineering business processes, developing or retiring products or services, outsourcing/offshoring activities, and changing IT environments and applications.

It also details best practices around quarterly control checklists and includes questions that help identify material changes to controls.

To aid process owners (POs) in maintaining updated control documentation, the guide specifies that action plans should be created to identify outdated controls without replacements. It emphasizes that any modifications to process maps should be clearly noted.

An integral part of this guide is its emphasis on clear roles and responsibilities between SOX office personnel and POs, along with a timeline for control change processes. Key steps include:

• Real-time updates by POs regarding control changes
• Completion of checklists within stipulated deadlines
• Reviews conducted by the SOX office based on checklists and changed history reports
• Creation of change management action plans
• Follow-ups on incomplete checklists or unaddressed change management actions
• Final sign-off procedures
• Incorporation into Section 302 Certification processes
• Rolling out plan timelines