Introducing SOX-in-a-Box: Alyne's Internal Control over Financial Reporting (ICFR)

We are very excited to introduce Alyne's new Internal Control over Financial Reporting (ICFR) Control Set, which further expands on Alyne's extensive Library of Financial Controls. In this article, you will gain insight into how Alyne's out-of-the-box ICFR Capabilities can provide your organisation with an extensive health check for SOX and SOC 1 compliance.

This new capability will enable you to implement internal Controls, assess their design effectiveness and, through preconfigured ICFR Assessments, perform regular 'health checks' of your organisation's financial integrity – internally and across your vendor base. Alyne’s Control Set covers the Internal Control over Financial Reporting (ICFR) requirements of the U.S. Sarbanes-Oxley Act (SOX) “Management assessment of internal controls”, and the System and Organisation Controls 1 (SOC 1) framework, defined as “Reporting on an Examination of Controls at a Service Organisation Relevant to User Entities’ Internal Control Over Financial Reporting.” Alyne's Library of Business and Financial Controls, an out-of-the-box ICFR Assessment with predefined maturity levels, and detailed reporting capabilities will support organisations in preparing for audit against SOX and SOC 1 compliance.


Major accounting scandals in the past led to the adoption of the Sarbanes-Oxley Act (SOX) almost 20 years ago. As a result, Section 4 of the act, commonly known as SOX 404, requires listed companies to implement and maintain adequate Internal Control over Financial Reporting (ICFR) Controls, which guarantee fair financial reporting practices in accordance with Generally Accepted Accounting Principles (GAAP). External auditors must attest to the effectiveness of Internal Control over Financial Reporting and the accuracy of their financial statements.

Although it seems like a rather fair and straightforward request, SOX requirements have been widely condemned for being rather vague in nature. SOX requires organisations to create Controls that cover a large scope of IT and financial requirements, all tailored to their unique organisational structure. This is typically the part where expensive consultants are hired to spend time within the organisation, designing and implementing these tailored Controls and testing their effectiveness for audit. By default, auditors only verify a certain number of transactions, including supporting evidence that the transactions in question have occurred over a specific period of time. The scope of an audit is constrained by time and budget, as is any other corporate function in executing its duties; this is where “reasonable assurance” comes into play. Both internal and external audit functions, to a certain extent, have to trust the information provided by their counterparts.

“Reasonable assurance” – a term that speaks to both external and internal auditors. In a nutshell, both professions follow this concept when evaluating the effectiveness of Internal Controls.

To deal better with the ambiguity of SOX requirements, professional institutions issue standards that contain best practices and guidance for how to position your organisation in terms of Internal Controls and Risk Management. Examples include using self-assessments to help assess maturity, properly identifying shortcomings, and deriving the appropriate countermeasures to mitigate them and prepare for upcoming audits and ICFR certifications.

Another cornerstone of a successful business relationship is vendor Assessments. Achieving reasonable assurance through vendor assessments, however, seems a bit far-fetched. Yet, audit work and self-assessments share trust as their common denominator. Trust alone, however, only goes so far. Critical additional steps are usually required to substantiate claims made, such as employing sample testing or data analytics. Evidence obtained through the course of a self-assessment should be subject to a critical review to assess the design effectiveness of Controls in place at the vendor, too. This is where Alyne can help.


Alyne's ICFR Control Set provides an extensive health check for SOX and SOC 1 Compliance

The Internal Control over Financial Reporting (SOX, SOC 1) Control Set further leverages Alyne’s extensive Library of Financial Controls. It focuses on the financial integrity of an enterprise and also covers relevant Business Controls, along with IT and information security related topics. This new capability will enable you to implement internal Controls, assess their design effectiveness and better prepare for audit against SOX and SOC 1 compliance.


Supporting Financial and Business Controls in Alyne

Entity Level Controls 

Begin your organisation-wide, top-down Risk Assessment by assessing the tone at the top and categorising those risks in order to streamline audit efforts. Examples of supporting Controls within Alyne include: 

  • Compliance Management
  • Corporate Governance
  • Fraud Prevention

Process Level Controls 

Controls that help to identify key risk business processes and associated material accounts, to facilitate risk-based SOX testing. Examples of supporting Controls within Alyne include: 

  • Financial Reporting and Accounting
  • Procurement
  • Order to Cash
  • Treasury
  • Outsourcing

IT General & Application Controls 

Identify key risks within your IT and information processes, in accordance with the CIA triad (confidentiality, integrity and availability). Examples of supporting Controls within Alyne include:

  • Application Governance
  • Identity and Access Management
  • Physical Security

Out-of-the-box ICFR Assessment: A health check for SOX / SOC 1 audit 

Alyne offers an "Out-of-the-Box" ICFR Assessment Template with preconfigured maturity levels to serve as a financial integrity ‘health check’ for your company, as well as for your vendor base. In an interconnected world, Financial Controls rely heavily on a secure, properly functioning IT infrastructure. The ability to follow your finances requires full transparency and assurance of where and how your data flows. If your organisation’s financial integrity partly relies on the services provided by a third party, you want to make sure that their Controls are up to par too. Alyne’s Assessments functionality can help you achieve that. In Alyne, Assessments are customisable and are able to be performed at scale, with deep insights, intuitively and visually captured within Alyne's various reporting features. 

Contact our sales team at to learn how Alyne can help your organisation, or schedule a meeting with an expert to experience Alyne's full capabilities.
Frederick Geyer
