SOX compliance review — AU subsidiary checklist
SOX obligations reach the Australian subsidiary through sub-certification and management testing of ICFR. This checklist covers the 12 control families most commonly tested and the local overlay that applies in parallel.
This is a 12-step Sarbanes-Oxley compliance review checklist for an Australian subsidiary of a US-listed parent. It covers s 302 and 404 sub-certifications, internal control over financial reporting (ICFR), entity-level controls, and how SOX intersects with Australian Corporations Act obligations. Use it as an annual or half-yearly control review.
The checklist
Identify SOX scope and materiality
Confirm whether the AU subsidiary is in SOX scope (financial materiality to the consolidated group) and the relevant testing cycle.
Entity-level controls (ELCs)
Review ELCs — tone at the top, code of conduct, whistleblower program, delegation of authority, and period-end close oversight.
Section 302 sub-certification
Obtain signed sub-certification from AU country CFO/MD confirming the fair presentation of financials and effectiveness of controls.
Section 404 ICFR testing
Test the design and operating effectiveness of key controls — procure-to-pay, order-to-cash, record-to-report, journal entry review.
Segregation of duties
Review SOD in the ERP for conflicting role combinations (e.g. create vendor + pay vendor). Mitigate any conflicts that cannot be removed with compensating controls.
IT general controls (ITGCs)
Test ITGCs — change management, access management, job scheduling, backup/restore for financial applications.
Local Corporations Act overlay
Confirm local director duties and financial reporting obligations align with group-level SOX controls.
Whistleblower and complaints escalation
Confirm the AU whistleblower policy meets s 1317AI and complaints are escalated to the US audit committee per SOX requirements.
Related-party and management representation
Review related-party transactions and document management representations to the external auditor.
Deficiency remediation
Track control deficiencies — classify each one (deficiency, significant deficiency, material weakness) and set a remediation plan before period end.
SOX documentation repository
Confirm process narratives, flowcharts, risk and control matrices, and test work-papers are current in the group repository.
Coordinate with external auditor
Coordinate with the external auditor on scope, walkthroughs, and reliance on management testing. Agree the prepared-by-client (PBC) list early.
When this checklist applies
Use this checklist as the annual review for SOX compliance at the Australian subsidiary, and at half-year for interim sub-certifications. Coordinate timing with the US parent's reporting calendar.
Common pitfalls
- SOX controls duplicating (but not aligning with) local Corporations Act compliance
- Weak journal entry controls — top source of material weaknesses
- SOD conflicts in the ERP not remediated or mitigated
- Stale process documentation — no longer reflecting actual workflows
- Late coordination with the external auditor
Run this checklist on a real matter
Quillio benchmarks ICFR scope at the AU subsidiary, drafts process narratives, and generates sub-certification packs for the group reporting cycle. See /practice-areas/commercial-lawyers or start a free trial.
SOX obligations derive from US law and vary by the group's size and auditor scope. Use this checklist alongside specialist US SEC advisers for the authoritative scope.