Risk Advisory · Risk Advisory Services
SOX Compliance
For US-listed companies with an India or UAE subsidiary, branch, GCC/GBS centre, or outsourced finance function, Sarbanes-Oxley compliance does not stop at the US parent's boundary — it extends into every location where financial data is processed, transactions are initiated, or controls are performed.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
For US-listed companies with an India or UAE subsidiary, branch, GCC/GBS centre, or outsourced finance function, Sarbanes-Oxley compliance does not stop at the US parent's boundary — it extends into every location where financial data is processed, transactions are initiated, or controls are performed. At PNPC Global, we support the India and UAE side of SOX Section 302 and Section 404 programmes: documenting process narratives and control matrices, testing design and operating effectiveness of local controls, remediating deficiencies before they roll up into a parent-level material weakness, and coordinating directly with the US external auditor and the parent company's internal audit or SOX PMO team. We do not issue the SOX opinion — that responsibility sits with US management and the company's PCAOB-registered external auditor — but we are the on-the-ground CA team that makes the India/UAE component of that opinion defensible.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
The Sarbanes-Oxley Act of 2002 (SOX) is a United States federal law enacted in response to the Enron and WorldCom accounting scandals, administered by the US Securities and Exchange Commission (SEC) with auditing standards set by the Public Company Accounting Oversight Board (PCAOB). It applies to companies that are required to file periodic reports with the SEC under the Securities Exchange Act of 1934 — principally companies listed on a US stock exchange (NYSE, Nasdaq) or otherwise SEC-registered, including foreign private issuers in many cases. Two provisions dominate the compliance workload: Section 302 requires the CEO and CFO to personally certify, in each quarterly (Form 10-Q) and annual (Form 10-K) filing, that they have reviewed the report, that it does not contain material misstatements, and that they have evaluated the effectiveness of the company's disclosure controls and procedures. Section 404 requires management to include an assessment of the effectiveness of internal control over financial reporting (ICFR) in the annual report, and — for most accelerated and large accelerated filers — requires the company's independent external auditor to separately attest to and report on that assessment under PCAOB Auditing Standard No. 2201 (AS 2201).
SOX compliance is fundamentally a US regulatory and securities-law matter, and the ultimate management assertion, the CEO/CFO certification, and the external auditor's attestation opinion are US-side responsibilities that PNPC does not undertake or replace. Where PNPC's role becomes essential is in the operational reality of most US-listed companies with meaningful India or UAE operations: a significant share of the transactions, journal entries, IT systems, and control activities that roll up into the consolidated US financial statements are actually performed by teams in Chennai, Bangalore, Hyderabad, Gurgaon, or a UAE entity. If the India/UAE component is deemed a "significant location" or contains a "significant account" under the scoping methodology the external auditor and management use (generally following a risk-based, top-down approach consistent with the SEC's 2007 interpretive guidance and PCAOB AS 2201), then the controls performed at that location must be documented, tested, and — if deficient — remediated to the same standard as controls performed at US headquarters. A control failure discovered in an India shared-service centre in month 10 of the fiscal year can, if not caught and fixed, cascade into a material weakness disclosure in the parent's 10-K.
Practically, PNPC's SOX engagement covers the full local control lifecycle: walkthroughs and process narrative documentation for in-scope processes (typically order-to-cash, procure-to-pay, record-to-report, payroll, fixed assets, and IT general controls for locally-managed systems); building or refreshing the Risk and Control Matrix (RCM) for the location, mapped to relevant COSO 2013 Internal Control — Integrated Framework components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities); performing management's own Section 404 self-testing (often called "first-line" or "second-line" testing depending on the parent's Three Lines Model) ahead of the external auditor's independent testing; tracking and remediating any control deficiencies identified, and preparing the evidence package the parent's SOX PMO and the external audit team will request. Because the PCAOB-registered external auditor issuing the actual attestation opinion is engaged directly by the US parent — often a US-headquartered firm or its India member firm — PNPC's work is explicitly structured as management-side support: we help the India/UAE entity be control-ready and audit-ready, working alongside (not in place of) whichever firm holds the SOX attestation engagement.
SOX exposure also arises for companies that are not yet listed but are actively preparing for a US listing (direct listing, IPO, or SPAC merger) or for a reverse merger into a US-listed shell, and for Indian/UAE subsidiaries of US private equity portfolio companies whose sponsors impose SOX-like control discipline as a pre-IPO readiness requirement even before a formal listing. In these pre-listing scenarios, PNPC's engagement typically starts earlier and is framed as "SOX readiness" — building the control framework, documentation, and testing muscle memory well before the first Section 404 assessment is legally required, since a first-year ICFR material weakness discovered right after listing is a costly and reputationally damaging outcome that is largely avoidable with 12–18 months of advance preparation.
When PNPC's SOX support is the right engagement
You are the India or UAE subsidiary, branch, or GCC/GBS (Global Capability Centre) of a US-listed parent, and your location has been flagged as in-scope by the parent's SOX scoping exercise
Your location processes financial transactions, maintains books of account, or operates IT systems that feed into the US parent's consolidated financial statements
Your company is preparing for a US listing (IPO, direct listing, or de-SPAC transaction) and wants ICFR and control documentation in place well ahead of the first mandatory Section 404 assessment
You are a portfolio company of a US private equity sponsor that requires SOX-readiness as part of pre-exit or pre-IPO governance discipline
Your parent company's external auditor or internal audit/SOX PMO has requested local walkthroughs, control testing evidence, or remediation of a deficiency identified at your location
You need an India/UAE-based team that can liaise directly and in real time with your US-based SOX PMO and external audit team, rather than routing every query through a headquarters finance team already stretched thin during quarter-close
A prior year's SOX testing identified control deficiencies at your India/UAE location and you need structured remediation with re-testing evidence before the next assessment cycle
Your company recently completed a US acquisition (or was acquired by a US-listed company) and SOX obligations are new to your India/UAE finance team
When a different engagement is more appropriate
You need the actual SOX 404 attestation opinion issued on your consolidated US financial statements — that requires a PCAOB-registered external auditor engaged directly by the US parent; PNPC supports the India/UAE control environment but does not issue the attestation opinion
Your company is Indian or UAE-incorporated, has no US listing, no US SEC filing obligation, and no US-listed parent or PE sponsor requiring SOX-equivalent discipline — the relevant India framework is Internal Financial Controls (IFC) under Section 143(3)(i) of the Companies Act 2013, a related but separate and India-specific requirement
You need a broad, entity-wide governance and enterprise risk review rather than a financial-reporting-controls-specific programme — our GRC Assurance engagement covers governance and risk management more broadly, of which SOX/ICFR testing is one component
You are a US-listed "non-accelerated filer" or "smaller reporting company" that is exempt from the external auditor's Section 404(b) attestation requirement under the Dodd-Frank Act — management's own Section 404(a) assessment is still required, but the scope and cost profile of the engagement is materially lighter, and we scope accordingly
Your immediate need is a specific fraud investigation rather than ongoing or annual control testing — a targeted Forensic Audit is the more direct engagement
You need dedicated cybersecurity or penetration-testing depth beyond IT general controls (ITGC) relevant to financial reporting — a standalone Cybersecurity Audit engagement covers that scope with more technical depth
SOX Compliance Support vs adjacent India/US assurance and control engagements
| Feature | SOX 302/404 Support (PNPC) | India IFC Review (Sec 143(3)(i)) | GRC Assurance | Internal Audit (Sec 138) | Forensic Audit |
|---|---|---|---|---|---|
| Governing law/framework | US Sarbanes-Oxley Act 2002, SEC rules, PCAOB AS 2201, COSO 2013 | Companies Act 2013 (India), ICAI Guidance Note on Audit of ICFR | COSO ERM 2017, COSO 2013, ISO 31000 (reference frameworks) | Companies Act 2013 Sec 138 & Rule 13, Standards on Internal Audit | No single statute — engagement-specific scope |
| Who issues the final opinion | US parent's PCAOB-registered external auditor (management asserts; auditor attests for applicable filers) | Company's Indian statutory auditor, as part of the statutory audit report | PNPC reports findings to Board/Audit Committee — no formal opinion issued | Internal auditor reports to Audit Committee — no opinion on financial statements | Investigator reports findings to whoever commissioned the review |
| Applies to | US-listed companies and their global subsidiaries/branches in scope, incl. India/UAE operations | Every Indian company subject to statutory audit under the Companies Act | Any organisation seeking systemic governance and risk assurance | Listed Indian companies and prescribed classes under Rule 13 | Any organisation facing a specific suspected irregularity |
| PNPC's role | Management-side support: documentation, first/second-line testing, remediation, external-auditor liaison for the India/UAE component | Supports management in designing, documenting and testing ICFR ahead of/alongside the statutory auditor's own testing | Independent assurance reviewer reporting directly to Board/Audit Committee | Can be engaged to perform outsourced/co-sourced internal audit under Rule 13 | Independent investigator, engaged on a need basis |
| Scope focus | Controls over financial reporting at the India/UAE location that roll up into the US parent's consolidated ICFR assessment | Controls over financial reporting for the standalone Indian entity | Entity-wide governance, risk framework, and control environment together | Process- and function-specific per risk-based annual audit plan | Narrow and incident-specific |
| Typical trigger | Parent company SOX scoping identifies the India/UAE location as significant, or pre-listing SOX-readiness programme | Every statutory audit cycle, automatically, for applicable companies | SEBI LODR obligation, pre-fundraise readiness, post-incident review, governance formalisation | Mandatory annual cycle for in-scope companies | One-off, triggered by a specific event |
| Testing cadence | Interim testing (typically Q2/Q3) plus year-end roll-forward testing, aligned to the parent's fiscal calendar | Annual, alongside the statutory audit | Annual or defined multi-year cycle | Continuous per annual audit plan, typically quarterly | One-off, triggered by an event |
| Output | Process narratives, Risk & Control Matrix (RCM), test-of-design and test-of-operating-effectiveness workpapers, deficiency log, remediation evidence | Management's ICFR documentation and test results supporting the statutory auditor's Sec 143(3)(i) reporting | Governance & risk maturity rating, control gap register, remediation roadmap | Audit findings report per engagement/quarter | Investigation report — findings, quantification, recommendations |
| Best suited to | India/UAE subsidiaries, GCCs, and branches of US-listed parents, and pre-IPO/pre-SPAC companies preparing for a US listing | Every Indian company subject to statutory audit, whether or not SOX applies | Boards & Audit Committees needing systemic assurance ahead of listing, fundraise, or governance maturity milestones | Companies meeting Sec 138/Rule 13 thresholds, or choosing best practice | Companies facing a specific fraud, whistleblower complaint, or dispute |
SOX compliance for an India/UAE location is almost never a standalone engagement — it runs alongside the location's Indian statutory audit obligations (and IFC testing under Sec 143(3)(i), where applicable) and is coordinated with the US parent's external auditor and SOX PMO. PNPC scopes the India/UAE-side SOX support explicitly as management-side work, distinct from and complementary to the attestation opinion issued by the PCAOB-registered auditor engaged by the US parent.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Scoping Alignment with the US Parent's SOX Programme | We start by understanding how the parent's SOX PMO or external auditor scoped your location — is it a "significant location" by quantitative threshold (typically a percentage of consolidated revenue/assets), or in-scope due to a specific significant account or fraud risk factor? Which processes, systems, and significant accounts were flagged? Generic providers often propose a one-size-fits-all control checklist without first understanding the parent's actual scoping rationale, which leads to testing the wrong things. | Week 1 |
| 2 | Process Universe & Significant Account Mapping | We map the in-scope processes at your location — typically order-to-cash, procure-to-pay, record-to-report/general ledger close, payroll, fixed assets, inventory (where applicable), and treasury — against the significant accounts and assertions the parent's materiality and risk assessment identified. Every process is tied back to a specific financial statement line item and assertion (existence, completeness, valuation, rights & obligations, presentation), not documented generically. | Week 1–2 |
| 3 | Process Narrative & Walkthrough Documentation | For each in-scope process, we document a clear, auditor-readable process narrative describing how a transaction flows from initiation to recording in the general ledger, and conduct a walkthrough — tracing one or more actual transactions end-to-end with the process owner to confirm the narrative matches reality. Narratives are written to the standard a PCAOB-registered external auditor will actually rely on, not an internal summary that needs rework when the audit team arrives. | Week 2–4 |
| 4 | Risk & Control Matrix (RCM) Build or Refresh | We build or update the location's Risk and Control Matrix — identifying the key controls (manual and automated/IT-dependent) that address the risk of misstatement for each significant account and assertion, mapped to the relevant COSO 2013 components. Each control entry specifies the control owner, frequency, control type (preventive/detective), and whether it is a key control relied upon for the SOX assessment or a secondary control. | Week 3–5 |
| 5 | IT General Controls (ITGC) Scoping for Locally-Managed Systems | Where financially relevant applications or infrastructure are managed locally (ERP instances, payroll systems, local databases, access provisioning), we scope and document the relevant ITGC domains — access management (including segregation of duties and privileged access), change management, and IT operations/backup — since a weak ITGC environment can undermine reliance on application controls that otherwise look well-designed. | Week 4–6 |
| 6 | Test of Design (ToD) | Before any operating-effectiveness testing, we assess whether each key control, as designed, would actually prevent or detect a material misstatement if it operated as intended. Controls that are well-documented but poorly designed (for example, a review control with no defined threshold for follow-up) are flagged and redesigned before testing proceeds — testing a badly designed control to "pass" is not useful to anyone, least of all the external auditor. | Week 5–6 |
| 7 | Management's Self-Testing / First-and-Second-Line Testing (Interim) | We perform management's own testing of operating effectiveness — sampling actual transactions or control instances over an interim period (commonly aligned to the parent's Q2/Q3 fiscal timing) using attributes and sample sizes consistent with the parent's SOX methodology and, where shared, the external auditor's expected approach. This interim self-testing surfaces deficiencies with enough runway left in the fiscal year to remediate before year-end. | Interim period — typically mid-year per parent's fiscal calendar |
| 8 | Deficiency Evaluation & Classification | Any exception found is evaluated and classified using the parent's (and ultimately the external auditor's) severity framework — control deficiency, significant deficiency, or material weakness — based on the magnitude of potential misstatement and the likelihood of occurrence, consistent with PCAOB AS 2201 guidance. We document the evaluation rationale clearly, since an unsupported severity classification is one of the most common points of external-auditor pushback. | Ongoing, as testing proceeds |
| 9 | Remediation Design & Implementation | For every deficiency, we work with the process owner to design a practical remediation — a redesigned control, additional review layer, system configuration change, or training — with a clear owner and a realistic implementation date that leaves enough time for re-testing before year-end evidence is needed by the external audit team. | As identified — with year-end deadline in view |
| 10 | Remediation Re-Testing | Once management confirms a remediated control has been operating for a sufficient period (generally requiring multiple instances of operation to draw a testing conclusion), we independently re-test it and document the evidence that supports concluding the deficiency has been remediated — evidence the external auditor will specifically ask to see before agreeing the deficiency is closed. | 4–8 weeks after remediation implementation, timed to allow sufficient operating instances |
| 11 | Year-End Roll-Forward Testing | Controls tested at the interim date are rolled forward to year-end — confirming no significant process or control changes occurred in the intervening period, and performing additional testing to cover the roll-forward period as required by the parent's methodology. This is the testing window the external audit team relies on most heavily for their own opinion. | Q4, aligned to parent's fiscal year-end |
| 12 | External Auditor Liaison & Evidence Package Handover | We prepare the complete evidence package — narratives, RCM, walkthrough documentation, test-of-design and test-of-operating-effectiveness workpapers, deficiency logs, and remediation evidence — organised to the format the parent's external auditor expects, and PNPC's engagement team is directly available to the external audit team for walkthroughs, evidence requests, and query resolution during their fieldwork at your India/UAE location. | Aligned to parent's audit fieldwork schedule, typically Q4/Q1 |
| 13 | Post-Cycle Debrief & Next-Year Planning | After the parent's SOX cycle closes, we debrief with the local finance team and the parent's SOX PMO on what worked, what created friction, and what should change for the following year — refreshing the RCM for any process changes, new systems, or organisational changes (new ERP module, outsourced process, new significant account) before the next cycle begins. | Post year-end, ahead of next cycle kickoff |
A first-year SOX support engagement for a newly-scoped India/UAE location typically runs the full 12-month fiscal cycle described above, front-loaded with 6–8 weeks of documentation work before interim testing begins. Subsequent years are materially faster once narratives, the RCM, and prior-year workpapers exist as a baseline — refresh and re-testing, rather than a build from zero. Actual timeline depends on the number of in-scope processes, the number of locations, and the complexity of locally-managed IT systems.
Parent company's SOX scoping memo or materiality/significant-location documentation identifying why your India/UAE location is in scope
Parent's Risk & Control Matrix template, control naming conventions, and testing methodology (sample sizes, attributes, severity classification framework)
List of significant accounts and assertions the parent's scoping exercise has mapped to your location's processes
Name and contact details of the parent's SOX Program Management Office (PMO) lead and the engagement partner/manager at the PCAOB-registered external auditor
Prior-year SOX testing results and any open or carried-forward deficiencies relevant to your location
Existing process narratives or standard operating procedures for order-to-cash, procure-to-pay, record-to-report, payroll, fixed assets, and any other in-scope process
Organisation chart identifying control owners and process owners for each in-scope process at the location
Delegation of Authority / approval matrix currently in force for financial transactions at the location
Segregation of duties matrix for key financial processes and system access roles
Chart of accounts and general ledger close checklist/timetable
Inventory of financially-relevant applications and infrastructure managed locally, including ERP module ownership and any locally-hosted or locally-administered systems
User access provisioning, de-provisioning, and periodic access review records for in-scope financial systems
Change management logs and approval records for changes made to financially-relevant systems during the review period
Backup, business continuity, and disaster recovery documentation for locally-managed financial systems
System-generated reports used as evidence for key controls (e.g., exception reports, three-way match reports, reconciliation reports)
Sample population data for each key control under testing — transaction listings, approval logs, reconciliation records, or system-generated control reports for the period under review
Supporting documentation for sampled transactions — purchase orders, invoices, approval emails or workflow records, payment vouchers, journal entry support
Month-end and quarter-end close checklists with evidence of completion and review sign-off
Reconciliations for key balance sheet accounts (bank, intercompany, accruals, fixed assets) with evidence of independent review
Most recent Indian statutory audit report and management letter, and IFC (Internal Financial Controls) testing results under Section 143(3)(i), if applicable
Any internal audit reports covering processes relevant to the SOX scope, and their closure status
Whistleblower / ethics hotline complaint log relevant to financial reporting concerns, if maintained locally
Any regulatory correspondence, notices, or findings received by the Indian/UAE entity relevant to financial reporting or tax compliance
Deficiency log from the current and prior testing cycles, with severity classification and remediation status for each item
Evidence supporting remediation of each closed deficiency — updated policy/procedure, revised control design, system configuration change record, or training records
Re-testing workpapers demonstrating the remediated control has operated effectively over a sufficient period before year-end
Management representation letter drafts or templates used by the parent for local sign-off, where applicable
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Scoping & Kickoff | Parent's SOX PMO confirms India/UAE location is in scope for the fiscal year | Alignment call with the parent's SOX PMO and, where introduced, the external audit team to confirm in-scope processes, significant accounts, and the testing calendar. Right-sizing the local engagement to what the parent's scoping actually requires — not a generic full-scope assumption. | Misaligned scope leads to either wasted effort documenting processes the parent never asked for, or — more damaging — missing a process the parent did flag, discovered only when the external auditor arrives for fieldwork. |
| Documentation Build (Narratives & RCM) | Kickoff complete | Process narratives and the Risk & Control Matrix built to the standard the external auditor will actually rely on — walkthrough-tested against real transactions, not drafted from a generic template and left untested. | Documentation that looks complete but was never walked through against a real transaction routinely fails at the first external-auditor walkthrough, forcing a rushed rebuild during fieldwork under time pressure. |
| Interim Testing | Mid-year, per parent's fiscal calendar | Management's own test-of-design and test-of-operating-effectiveness performed early enough in the year to leave time for remediation — using sample sizes and severity classification consistent with the parent's methodology so results are not disputed later. | Deferring all testing to year-end leaves no time to remediate a deficiency before the external auditor's own testing — converting a fixable control gap into a reported significant deficiency or material weakness. |
| Deficiency Remediation | Interim testing identifies an exception | Practical, owner-assigned remediation designed with enough lead time for the control to operate multiple times before year-end — because a control "fixed" the week before year-end cannot be concluded as operating effectively for the period. | A deficiency remediated too close to year-end cannot be adequately re-tested, and often still rolls up as a reported deficiency for the fiscal year even though the underlying fix was correct. |
| Year-End Roll-Forward | Fiscal year-end approaches | Roll-forward testing and confirmation that no unassessed process or system changes occurred since interim testing — the single most time-sensitive phase of the annual cycle, run in close coordination with the parent's own year-end close timetable. | An unassessed mid-year process change (new ERP module go-live, outsourced process, reorganised approval hierarchy) discovered only at year-end can force late, compressed re-testing that jeopardises the external audit timeline. |
| External Audit Fieldwork Support | Parent's PCAOB-registered auditor conducts fieldwork at or on your location | Evidence package prepared and organised in advance; PNPC engagement team directly available to the external audit team for walkthroughs and query resolution — reducing the burden on your own finance team during an already demanding close period. | An unprepared or fragmented evidence handover extends external audit fieldwork, increases audit fees typically borne in part by the local entity's cost allocation, and creates avoidable friction with the parent's SOX PMO. |
| Reporting & Certification Support | Parent's CEO/CFO Section 302 certification and annual Section 404 assessment | Confirmation to the parent (via the SOX PMO) that the location's control environment supports the sub-certification typically required from local finance leadership, with any residual open items and their status clearly flagged rather than left ambiguous. | An India/UAE finance lead who sub-certifies without a clear, evidenced basis exposes both themselves and the parent's CEO/CFO certification to risk if a gap later surfaces. |
| Continuous Improvement & Next-Cycle Planning | Fiscal year closes | Debrief on friction points, refresh the RCM for any organisational or system changes, and plan the next cycle's testing calendar earlier — converting each year into a faster, lower-friction repeat rather than starting over. | Treating each SOX cycle as a one-off rebuild rather than a maturing annual programme keeps costs and effort elevated indefinitely and increases the risk of a control gap resurfacing that should have been permanently closed the previous year. |
What is SOX compliance, in plain terms?
The Sarbanes-Oxley Act is a US federal law that requires companies listed on US stock exchanges (and other SEC-registered filers) to certify the accuracy of their financial reports and to assess — and in most cases have independently attested to — whether their internal controls over financial reporting actually work. Section 302 is the CEO/CFO's personal certification on each quarterly and annual filing. Section 404 is the broader annual assessment of internal control effectiveness, plus (for most larger filers) an independent auditor's attestation on that assessment.
Does SOX apply to my company if we are incorporated in India or the UAE and not listed in the US?
SOX itself is a US law and does not directly regulate an Indian or UAE company as such. However, SOX obligations flow down to you if you are a subsidiary, branch, or shared-service centre of a US-listed parent — because the parent's consolidated financial statements and its Section 404 assessment must cover controls at every significant location, wherever it is incorporated. If your India/UAE entity's transactions and account balances are material to the US parent's consolidated statements, your location is very likely in scope for the parent's SOX programme even though your entity itself files nothing with the SEC.
Does PNPC issue the SOX attestation opinion for our company?
No. The SOX Section 404(b) attestation opinion on internal control over financial reporting must be issued by a PCAOB-registered public accounting firm engaged directly by the US-listed parent, and the underlying management assertion is made by the parent's own CEO and CFO. PNPC's role is management-side support at the India/UAE location — documentation, self-testing, remediation, and coordination with whichever firm holds the actual attestation engagement. We are explicit about this boundary with every client so there is no ambiguity about what PNPC's engagement does and does not cover.
What is the difference between Section 302 and Section 404?
Section 302 is a certification requirement — the CEO and CFO personally certify, in every quarterly (10-Q) and annual (10-K) SEC filing, that they have reviewed the report, it contains no material misstatement, and they have evaluated the effectiveness of the company's disclosure controls and procedures. Section 404 is a broader, annual internal-control assessment requirement — management must include in the 10-K its own assessment of the effectiveness of internal control over financial reporting (ICFR), and, for accelerated and large accelerated filers, the external auditor must separately attest to that assessment. In practice, the year-round documentation and testing work most people mean by 'SOX compliance' is Section 404 work; Section 302 is the quarterly certification output that relies on that underlying control environment being sound.
What is a 'significant location' and how do we know if our India/UAE entity is one?
In a typical top-down, risk-based SOX scoping approach (consistent with SEC interpretive guidance and PCAOB AS 2201), the parent's management and external auditor identify 'significant locations' based on quantitative thresholds — commonly a percentage of consolidated revenue, assets, or another relevant financial metric — and qualitative factors such as unique or higher-risk processes performed at that location, or specific fraud risk indicators. If your India or UAE entity crosses the parent's chosen threshold, or performs a process the parent's risk assessment flags as significant regardless of size, it will be designated in scope. This determination is made by the parent's management and external auditor, not by the local entity.
What does PNPC actually deliver in a SOX support engagement?
Process narratives and walkthrough documentation for in-scope processes; a Risk & Control Matrix (RCM) mapped to COSO 2013 components and the parent's significant accounts; test-of-design and test-of-operating-effectiveness workpapers for interim and year-end testing; a deficiency log with severity evaluation; remediation support and re-testing evidence; and direct liaison with the parent's SOX PMO and external audit team during fieldwork. The specific mix is agreed in a written scope based on what the parent's programme requires from your location.
How is SOX ICFR testing different from India's Internal Financial Controls (IFC) requirement under the Companies Act?
Both address the same underlying idea — controls over financial reporting — but they are separate legal requirements with different scope, standards, and reporting lines. IFC under Section 143(3)(i) of the Companies Act 2013 requires the Indian statutory auditor to report on the adequacy and operating effectiveness of internal financial controls over financial reporting for the standalone Indian company, following ICAI's Guidance Note on Audit of ICFR. SOX Section 404 requires the US parent's management to assess, and (for applicable filers) its PCAOB-registered auditor to attest to, ICFR at the consolidated group level, which includes the India/UAE component. A company can be fully compliant with Indian IFC requirements and still have a SOX deficiency at the same location if the parent's control expectations (methodology, sample sizes, or specific control requirements) differ from the Indian statutory audit approach — the two exercises inform each other but are not interchangeable.
Our India entity is small relative to the US parent's total revenue. Are we still in scope?
Not necessarily — quantitative scoping thresholds mean many smaller subsidiaries fall outside the parent's 'significant location' designation entirely, in which case detailed local SOX testing may not be required, though some baseline entity-level controls and fraud risk considerations can still apply group-wide. However, size alone is not the only factor: a smaller location can still be scoped in if it performs a qualitatively significant process (for example, if it is the sole processing centre for a specific significant account, or has unique fraud risk indicators) even below the standard revenue/asset threshold. Only the parent's scoping exercise can confirm your actual status for a given fiscal year, and it can change year to year as the group's structure and materiality shift.
What happens if a control deficiency is found at our location?
It is first evaluated and classified by severity — a routine control deficiency, a significant deficiency, or (at the most serious end) a material weakness — based on the likely magnitude of potential misstatement and how likely it is to occur, following the framework in PCAOB AS 2201. Most deficiencies, correctly classified, are routine control deficiencies that get remediated within the fiscal year without any external disclosure. A significant deficiency or material weakness has a higher bar and, particularly for a material weakness, may need to be disclosed in the parent's SEC filings — which is why early identification (interim testing, not year-end) and prompt, well-documented remediation matter so much.
How does remediation and re-testing actually work?
Once a deficiency is identified, the process owner designs a fix — a redesigned control step, an added review layer, a system configuration change, or training — with a clear implementation date. The control then needs to operate for a sufficient period, with multiple instances of operation, before a re-test can support a conclusion that it is now operating effectively; a control that has only run once cannot be concluded as reliably effective. PNPC independently re-tests the remediated control and documents evidence a subsequent external audit review will specifically look for — timestamps, approval trails, sample selections, and the rationale for concluding the deficiency is closed.
Do you coordinate directly with our US parent's external auditor?
Yes, where the client wants that coordination — and in practice, most do. PNPC's engagement team is available directly to the parent's PCAOB-registered external audit team for walkthroughs, evidence requests, and query resolution during their fieldwork at your India/UAE location, working through whatever access and confidentiality protocols the parent and external auditor require. We are not the attesting firm, but we are frequently the local team the audit fieldwork staff spend the most time with.
What are IT General Controls (ITGC) and why do they matter for SOX?
ITGCs are the foundational controls over the IT environment — access management (who can get into financially relevant systems and what they can do once there), change management (how changes to applications and infrastructure are authorised, tested, and deployed), and IT operations (backups, job scheduling, system availability) — that underpin the reliability of the automated and IT-dependent controls built on top of them. If ITGCs are weak, an external auditor generally cannot rely on the automated controls in the application even if those controls look well-designed, because there is no assurance the underlying system and its data have not been improperly altered.
Our company is preparing for a US IPO or a SPAC merger. When should SOX readiness work start?
Generally 12–18 months before the anticipated listing date, and certainly well before the first Section 404 assessment becomes mandatory. Newly public companies typically get a limited transition period before the external auditor's attestation requirement applies (and non-accelerated filers/smaller reporting companies may remain exempt from the auditor attestation requirement even after listing, under Dodd-Frank), but management's own Section 404(a) assessment and Section 302 certifications apply from very early in the newly-public company's reporting cycle, and a material weakness identified in year one is a damaging, highly visible outcome for a newly listed company. Building the control framework, documentation, and testing discipline well ahead of listing avoids discovering foundational gaps under public-market scrutiny.
We are a portfolio company of a US private equity firm but not yet listed. Why would SOX apply to us?
SOX itself does not legally apply until there is an actual SEC filing obligation. However, many US PE sponsors — particularly those planning an eventual IPO or trade sale exit, or those already managing a portfolio of SEC-registered funds with reporting obligations — impose SOX-equivalent control discipline on portfolio companies well before any formal listing, as a governance and exit-readiness requirement. In these cases, PNPC's engagement is framed explicitly as 'SOX readiness' rather than SOX compliance in the legal sense, but the documentation, testing, and remediation methodology is essentially the same.
How long does it take to become 'SOX ready' at our India/UAE location for the first time?
A first-year build — process narratives, the Risk & Control Matrix, walkthroughs, and initial interim testing — typically takes 6–8 weeks of concentrated documentation work before interim testing can begin, and the full first fiscal-year cycle through year-end roll-forward testing and external audit support runs the length of the parent's fiscal year. Subsequent years are materially faster, since the baseline documentation exists and only needs refreshing for process or system changes.
What does a SOX support engagement with PNPC cost?
Fees depend on the number of in-scope processes, the complexity of locally-managed IT systems, whether this is a first-year build or a refresh of an existing programme, and the depth of testing agreed with the parent's methodology. PNPC provides a written scope and fixed-fee proposal after reviewing the parent's scoping documentation and understanding what your location is actually expected to deliver — we do not quote a fee before seeing that.
Can PNPC also be our Indian statutory auditor while supporting SOX work at the same location?
It depends on the independence rules that apply to your specific structure, and we assess this explicitly at scoping rather than assuming it is fine. Where PNPC is also the Indian statutory auditor or otherwise has an independence-restricted relationship with the entity, we structure the SOX support engagement with appropriate separation, or advise that an independent firm should perform the work, consistent with both Indian independence requirements under the Companies Act and any independence expectations the parent's own external auditor may have regarding management-side support providers.
What is a 'walkthrough' and why does PNPC insist on doing one for every process?
A walkthrough traces one or more actual transactions through the entire process — from how it is initiated, through each control point, to how it is ultimately recorded in the general ledger — confirming with the process owner, in real time, that the documented narrative and control matrix actually reflect what happens in practice. A narrative written from memory or from a policy document, without a walkthrough against a real transaction, frequently misses steps, informal workarounds, or controls that exist on paper but are not actually performed.
Does SOX testing cover fraud risk specifically?
Yes, in a defined way. SOX Section 404 assessment and the external auditor's attestation both require consideration of fraud risk as part of evaluating internal control effectiveness — including management override of controls, a recognised heightened risk area under professional auditing standards. PNPC's control testing and RCM design specifically consider fraud risk factors relevant to the location's processes (for example, journal entry controls, segregation of duties in cash handling, and management override safeguards), though a full, standalone fraud risk assessment or investigation of a suspected specific incident is a separate, more targeted engagement.
What if our location uses a shared, group-wide ERP system managed centrally by the US parent, not locally?
Where the ERP is centrally managed and its ITGCs are tested at the parent or a central IT location, your India/UAE testing scope typically focuses on the application-level and manual controls performed locally on top of that system — approvals, reconciliations, review controls — rather than duplicating ITGC testing the parent's programme already covers centrally. We confirm this scoping boundary explicitly with the parent's SOX PMO to avoid either duplicated testing effort or an unintentional gap where neither team tests a control that falls in the seam between central IT and local process ownership.
How does PNPC keep our finance team from being overwhelmed by two parallel obligations — Indian statutory audit and US parent SOX testing?
We deliberately sequence and, where possible, combine evidence requests — for example, using the same underlying reconciliations, approval trails, and transaction samples to support both the Indian statutory audit's IFC procedures and the parent's SOX testing, rather than running two disconnected data-collection exercises that ask your finance team for overlapping information twice. A single coordinating point of contact on the PNPC side manages both work streams so your team is not fielding duplicate requests from different PNPC engagement teams.
What happens during the external auditor's fieldwork at our location, and how does PNPC help?
The parent's PCAOB-registered external audit team typically conducts fieldwork — either on-site or remotely — reviewing the evidence package, re-performing walkthroughs, independently testing a sample of the same (or additional) controls, and raising follow-up queries. PNPC's engagement team is present to walk the auditors through our documentation, retrieve additional evidence on request, and resolve process-owner queries quickly, so fieldwork proceeds efficiently rather than stalling on document requests that take days to fulfil internally.
Can a control deficiency at our India/UAE location cause the US parent's overall SOX opinion to be qualified?
Potentially, yes, if the deficiency is severe enough. If a deficiency at your location is evaluated as a material weakness and is not remediated before year-end, it must generally be disclosed in the parent's Section 404 assessment and can result in management concluding that ICFR was not effective at the consolidated level — a material weakness disclosure is a serious, publicly visible event for a US-listed company, and can affect investor confidence and, in some cases, stock price. This is precisely why early interim testing, honest deficiency classification, and prompt remediation at the local level matter so much — a well-run local programme materially reduces this risk for the parent.
Do you also support UAE entities of US-listed companies, and does UAE Corporate Tax or VAT interact with SOX testing?
Yes — PNPC's Dubai office supports the same SOX documentation and testing methodology for UAE entities of US-listed parents, including Free Zone and Mainland companies. UAE Corporate Tax and VAT compliance are separate regulatory obligations from SOX, but the underlying financial processes (revenue recognition, procurement, payroll, tax provisioning) are frequently the same processes tested for both purposes, so we design a coordinated evidence set covering both where the client engages us for both scopes.
What if this is the first year our location has ever been asked to do SOX testing, and we have no existing documentation at all?
This is a common starting point, and we scope for it explicitly as a first-year build rather than assuming existing documentation to refresh. We start with process walkthroughs to understand how things actually happen today, build narratives and the Risk & Control Matrix from that ground truth, and prioritise the processes tied to the parent's most significant accounts first, so the highest-risk areas are documented and tested with enough runway left in the fiscal year, even if lower-priority processes are completed slightly later in the cycle.
How does PNPC stay current on SOX and PCAOB standard changes given this is fundamentally a US regulatory framework?
We track PCAOB standard updates, SEC rule changes, and COSO framework guidance relevant to ICFR through our professional research resources and direct coordination with the US-side external auditors and SOX PMOs we work alongside on client engagements — since our engagement design has to remain consistent with whatever methodology the parent's actual attesting auditor is using. Where a specific interpretive question arises that is genuinely a matter for US securities law or PCAOB standard interpretation, we defer that specific point to the parent's US counsel or the external auditor rather than offering an opinion outside PNPC's jurisdiction of practice.
Why should we engage PNPC rather than a US-based SOX consulting firm's India office or a Big 4 firm?
A US-based SOX consultancy's India office often applies a standardised global methodology with limited flexibility for the specific realities of Indian statutory compliance, local process nuance, or a UAE component of the same group. A Big 4 firm brings scale but frequently at a premium fee with a rotating junior team on the engagement. PNPC combines nearly four decades of hands-on Indian and UAE Chartered Accountancy practice — including the statutory audit, tax, and IFC context that SOX findings inevitably intersect with locally — with a senior-partner-led engagement model, direct availability to your finance team and the external auditor, and coordinated coverage across our Chennai, Bangalore, Hyderabad, and Dubai offices.
What does the full PNPC SOX Compliance Support package include, end to end?
Scoping alignment with the parent's SOX PMO; process narrative documentation and walkthroughs for all in-scope processes; Risk & Control Matrix build or refresh mapped to COSO 2013; ITGC scoping and documentation for locally-managed systems; test-of-design evaluation; interim management self-testing of operating effectiveness; deficiency evaluation and severity classification; remediation design support and independent re-testing; year-end roll-forward testing; a complete, audit-ready evidence package; direct liaison with the parent's external audit team during fieldwork; and a post-cycle debrief with next-year planning.
Is our SOX testing data and evidence package confidential, or does it go to the SEC?
The detailed process narratives, RCM, and testing workpapers PNPC prepares are internal management-support documents, shared with your finance leadership, the parent's SOX PMO, and the parent's external auditor as part of their attestation work — they are not filed with the SEC directly. What ultimately becomes public is limited to the parent's own disclosures in its 10-K/10-Q filings — principally the CEO/CFO Section 302 certifications and the Section 404 management assessment (and, where applicable, the auditor's attestation report) — which are high-level conclusions, not the underlying location-level workpapers themselves.
What is a 'non-accelerated filer' or 'smaller reporting company,' and why does it matter for the depth of our SOX programme?
US securities rules classify SEC filers into categories — including large accelerated filer, accelerated filer, non-accelerated filer, and smaller reporting company — based primarily on public float and revenue thresholds set by the SEC. The classification matters because non-accelerated filers and smaller reporting companies are generally exempt, under the Dodd-Frank Act, from the requirement that the external auditor separately attest to management's ICFR assessment under Section 404(b) — management's own Section 404(a) assessment and the Section 302 certifications still apply, but the absence of the auditor attestation materially changes the scope, rigour, and cost of the local testing programme needed to support it.
What role does the Audit Committee play in our location's SOX programme, and will we ever present to them directly?
The parent's Audit Committee has overall Board-level oversight of the SOX 404 programme and typically receives periodic updates on testing status, deficiencies, and remediation progress across all significant locations, usually consolidated and presented by the parent's SOX PMO or CFO rather than location by location. It is uncommon for an India/UAE location's local support team to present directly to the US parent's Audit Committee, though a material weakness or a significant, unresolved deficiency at your location can certainly become a specific agenda item the Committee discusses, sometimes with the local finance lead or PNPC engagement team dialling in to answer questions.
Our fiscal year does not align with the calendar year. Does that change how PNPC schedules the SOX testing cycle?
Yes — we build the entire testing calendar (interim testing window, remediation deadlines, roll-forward period, and external audit fieldwork support) around your specific parent company's fiscal year-end, not a generic calendar-year assumption. A parent with, for example, a June fiscal year-end needs interim testing completed well before December, with roll-forward testing and fieldwork support timed to a May/June close — a materially different internal calendar than a December year-end company, even though the underlying testing methodology is identical.
| Feature | US SOX Consultancy's India Office | Big 4 / Large Firm | PNPC Global |
|---|---|---|---|
| Local regulatory grounding | Global methodology applied uniformly, often with limited India/UAE-specific nuance | Strong technically, but engagement typically led by junior staff day-to-day | Deep India/UAE CA practice grounding, connecting SOX findings to local statutory audit, tax, and FEMA context |
| Engagement continuity | Variable — dependent on the consultancy's India staffing model | Frequent staff rotation across the engagement lifecycle, particularly at fieldwork time | Same engagement team from scoping through external audit fieldwork support and follow-up |
| Coordination across Indian statutory audit and SOX | Rarely combined — separate providers, duplicated evidence requests | Available but often siloed between the assurance line and any advisory-side SOX support | Combined evidence approach where the same underlying documentation supports both Indian IFC and parent SOX testing |
| India-UAE dual-jurisdiction coverage | Uncommon — most US-focused consultancies have limited or no UAE presence | Available but often via separate country teams with limited coordination | Single coordinated engagement across Chennai, Bangalore, Hyderabad, and Dubai offices |
| Cost structure | Global rate cards, often priced at US or regional-hub rates regardless of local delivery | Premium fee structure, often disproportionate for a single subsidiary's local SOX scope | Right-sized, locally-priced scope for the actual documentation and testing effort required |
| External auditor liaison during fieldwork | Handled by the consultancy but with limited authority to speak to broader local context | Often delegated to a senior manager rather than a partner | Engagement partner and senior team directly available to the external audit team throughout fieldwork |
| Independence handling | Formal but standardised, may not account for India-specific statutory audit relationships | Formal but process-heavy for a subsidiary-level engagement | Independence considerations raised proactively at scoping, tailored to your actual India/UAE structure |
| Ongoing relationship beyond SOX | Project-based, engagement ends when the SOX contract ends | Engagement-by-engagement, re-scoped each cycle | Long-term advisory relationship spanning statutory audit, tax, IFC, and cross-border needs since 1986 |
What the PNPC package includes
- 01
Scoping alignment call with your US parent's SOX PMO and external audit team to confirm exactly what your location is required to deliver
- 02
Process narrative documentation and walkthrough testing for every in-scope process — order-to-cash, procure-to-pay, record-to-report, payroll, fixed assets, and more
- 03
Risk & Control Matrix (RCM) build or refresh, mapped to COSO 2013 Internal Control – Integrated Framework components
- 04
IT General Controls (ITGC) scoping and documentation for locally-managed financial systems and access provisioning
- 05
Test-of-design evaluation before any operating-effectiveness testing begins
- 06
Interim (mid-year) management self-testing of key control operating effectiveness, using sample sizes consistent with your parent's methodology
- 07
Deficiency evaluation and severity classification, with clearly documented rationale
- 08
Remediation design support and independent re-testing, with sufficient runway built in before year-end
- 09
Year-end roll-forward testing aligned to your parent's fiscal close calendar
- 10
Complete, audit-ready evidence package organised to your parent's external auditor's expected format
- 11
Direct liaison with the PCAOB-registered external audit team during fieldwork at your India/UAE location
- 12
Combined evidence approach with your Indian statutory audit / IFC testing to minimise duplicated requests on your finance team
- 13
India-UAE coordinated coverage from Chennai, Bangalore, Hyderabad, and Dubai offices for group structures spanning both jurisdictions
- 14
Direct access to your engagement partner — by phone and WhatsApp — between formal testing cycles
Give your US parent's SOX PMO and external auditor an India/UAE control environment they can rely on without a scramble. Speak with a PNPC engagement partner — a practising Chartered Accountant who understands both the Indian/UAE operating reality on the ground and the documentation standard a PCAOB-registered auditor actually expects.