SOX COMPLIANCE CHECKLIST

SOX Background, Relevance to Pre-IPO and Newly

Public Companies and Compliance Testing Phases

Many pre-IPO and newly public companies struggle to meet the complex, costly and time-con-
suming challenges of preparing to apply or applying the requirements of The Sarbanes-Oxley
Act of 2002 (SOX) properly to their company.In response to this challenge, we at RyanSharkey
developed this SOX Compliance Checklist as a reference guide that companies may use to bet-
ter understand the steps necessary for establishing a successful SOX compliance program.

www.ryansharkey.com
SOX is a U.S law that sets requirements for all U.S. public company boards, management and public accounting firms. It was
designed for the express purpose of restoring public confidence in corporate financial statements. Prior to the enactment of SOX,
investors suffered significant losses due to corporate failures brought on by financial malfeasance.

SOX covers the responsibilities of a public corporations board of directors, adds criminal penalties for certain defined misconduct,
and requires the Securities and Exchange Commission (SEC) to create regulations defining how public corporations are to comply
with the law. It is intended to address issues of accounting fraud by attempting to improve both the accuracy and reliability of
corporate disclosures. It also increases the accountability of company executives and members of the board of directors relative to
pre-SOX requirements.

At its highest level, SOX establishes the following four key objectives:

Make management accountable

Enhance disclosure
Conduct regular reviews by the SEC
Make external auditors accountable (establishment of the Public Company Accounting Oversight Board (PCAOB))

The main objective of SOX is to restore investor confidence in management and the reliability of financial results and other non-
financial information disclosed by public companies. The legislation requires that CEOs, CFOs and independent external auditors of
public companies include the following in the companies quarterly SEC filings (i.e., 10-Q and 10-K):

Certify the effectiveness of disclosure controls and procedures and disclose any changes in internal control in the financial
statements
Certify the effectiveness of Internal Controls Over Financial Reporting (ICFR) (applicable to the annual 10-K filing only)
Where required, include an external auditors attestation on the effectiveness of the companys ICFR (applicable to the annual 10-K
filing only)

Disclose all deficiencies in design or operation of disclosure controls and procedures and/or ICFR that could have a material
impact on the financial statements

SOX helps to ensure that there are checks and balances between the board of directors, CEO, CFO, the entire operational execu-
tive leadership team, and employees of a company. Additionally, it promotes transparency in the financial and operating results of a
company, as well as other disclosures to its investors.

SOX compliance is mandatory for public companies. Therefore, this SOX Compliance Checklist is intended as a broad overview of the
steps required for SOX compliance. It includes five broad phases:

Phase #1: Initial Steps Establish Project Participants and Plans

Phase #2: Choose a SOX Compliance Partner
Phase #3: Plan Your SOX Project
Phase #4: Perform Interim Testing and Roll-Forward Testing
Phase #5: Finalize the Project and Report Results

Please note that the application of an individual SOX framework will vary depending on the nature of a companys SOX compliance
objectives and needs.

We hope you find this checklist useful, and we welcome the opportunity to discuss your SOX compliance requirements in detail.

2 | SOX COMPLIANCE CHECKLIST

OVERVIEW OF SOX COMPONENTS AND KEY PROVISIONS
Before addressing each phase, its important to outline the components of SOX, address its
key provisions, and highlight the importance of the Public Company Accounting Oversight
Boards (PCAOB) role in SOX compliance.

SOX Components SOX Key Provisions

Establishment of the PCAOB Auditor Independence Section 302: Disclosure controls
Corporate Responsibility Section 303: Improper influence on conduct of audits
Enhanced Financial Disclosures Section 401: Disclosures in periodic reports (off-balance
Analyst Conflicts of Interest sheet items)

Commission Resources and Authority Section 404: Assessment of ICFR

Studies and Reports Section 802: Criminal penalties for influencing U.S. agency
investigation/proper administration
Corporate and Criminal Fraud Accountability
Section 906: Certification of financial statements and
White-Collar Crime Penalty Enhancement
criminal penalties for non-compliance
Corporate Tax Returns Section 1107: Criminal penalties for retaliation against
Corporate Fraud Accountability whistleblowers

3 | SOX COMPLIANCE CHECKLIST

Material discussed in this editorial is meant to provide general information and should not be acted on without professional advice tailored to your firms individual needs.
Two key provisions of SOX in particular have the greatest impact to U.S. public companies: Sections 302 and 404. A brief summary of
these sections is included below.

Section 302
Section 302 requires the CEO and CFO of every U.S. publicly traded company to certify in its 10-Q and 10-K filings the appropriate-
ness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures
fairly present, in all material respects, the operations and financial condition of the issuer. This includes not only the standard
financial statements, but also the disclosures and qualitative analysis included with the financial statements that provide investors
insight into the business and are utilized in setting investor expectations.

Section 404
Section 404 directs that management and auditors work in tandem to report and assess the companys system of ICFR. Under SOX
Section 404, annual reports (10-K) must disclose:

The responsibility of management for establishing and maintaining an adequate internal control structure and procedures for
financial reporting
An assessment of the effectiveness of the ICFR and company procedures for financial reporting
Where applicable, the external auditor attestation on the effectiveness of the ICFR

Its important to distinguish between 404(a) (managements disclosure) and 404(b) (independent auditors assessment). Section 404(a)
requires management to report on the effectiveness of ICFR, while Section 404(b) requires an auditor attestation with respect to an
issuers ICFR. Section 404(b) does not need to be implemented until the second fiscal year after a company becomes public. Further-
more, the Jumpstart our Business Startups Act (JOBS Act) was signed into law in 2012. This law would generally exempt a new public
company from compliance with Section 404(b) for the first five years it is a public company, as long as it does not exceed certain
market capitalization or revenue thresholds.

Understanding the PCAOBs Role in SOX Compliance

The PCAOB is a nonprofit corporation established by Congress to oversee the audits of public companies and other issuers in order
to protect investors and the public interest by promoting informative, accurate and independent audit reports. The PCAOB also
oversees the audits of brokers and dealers, including compliance reports filed pursuant to federal securities laws, to promote investor
protection.

SOX requires that auditors of U.S. public companies be subject to external and independent oversight. Previously, the profession was
self-regulated. Therefore, the PCAOB was created as a result of SOXessentially to audit the auditors.

4 | SOX COMPLIANCE CHECKLIST

SOX COMPLIANCE CHECKLIST PHASE #1:
INITIAL STEPS ESTABLISH PROJECT PARTICIPANTS AND PLANS

Participants:
Identify project sponsor
Identify SOX compliance assessment team members
Identify roles, responsibilities and resources

Plans:
Define key milestones and checkpoints
Validate the approach with external auditors
Identify significant accounts, disclosures, and associated business processes and information systems
Determine materiality
Assess significant accounts as high, medium or low risk
Identify/assess significant business processes and business units/locations
Identify final scope and work plan

For specific guidance on and assistance with SOX compliance, please contact Christian Heffron at 703.652.0240,
email [email protected] or visit www.ryansharkey.com.

5 | SOX COMPLIANCE CHECKLIST

SOX COMPLIANCE CHECKLIST PHASE #2:
CHOOSE A SOX COMPLIANCE PARTNER
Tips for Selecting the Right Internal Audit Partner, Structuring the Relationship and Ensuring a
Cost-Efficient Process
At RyanSharkey, we believe a capable SOX compliance partner possesses the following qualities and traits:

They possess experience in the companys industry and extensive experience working on SOX compliance projects with the
companys external auditor
They are knowledgeable and experienced with the latest PCAOB requirements
They are based in proximity to the companys headquarters location and possess resources located in remote locations that are
in-scope for SOX compliance
They are positioned at the right price point for the company
They implement SOX frameworks in alignment with the companys status after going public. For example, if a company is an
emerging growth company, then control requirements would be aligned with the companys status
They need to understand and effectively address emerging requirements required by external auditors and the PCAOB
They have the depth and breadth of experience and expertise to advise clients on the full range of SOX issues, including
implementation and maintenance of sustainable SOX 404 compliance programs (e.g., readiness assessments; documentation
and testing assistance; and training to support a successful SOX 404 compliance program)
They offer comprehensive risk assessment, including identifying processes, entity-level controls, business controls, information
technology (IT) general controls and any missing controls
They can properly identify and document financial reporting processes, including testing key controls and documenting results
They can effectively and promptly identify control gaps and assist management in remediating the gaps
They have the experience, intellectual curiosity and persistence necessary to gain valuable insight on the ways in which risks
correlate to executive management decisions
They apply best-in-practice strategies for managing risks through ICFR
They devise and implement year-on-year SOX 404 compliance improvements that can drive down costs and maximize SOX 404
compliance efforts
They must have the interpersonal skills necessary to effectively interact with your employees, management and board, includ-
ing your Audit Committee

For specific guidance on and assistance with SOX compliance, please contact Christian Heffron at 703.652.0240,
email [email protected] or visit www.ryansharkey.com.

6 | SOX COMPLIANCE CHECKLIST

SOX COMPLIANCE CHECKLIST PHASE #3:
PLAN YOUR SOX COMPLIANCE PROJECT
At RyanSharkey, we recommend a series of strategic steps to plan your SOX compliance
project. We have included these steps below, as well as additional details where appropriate.

HOLD KICK-OFF MEETING Ideally, this should be scheduled at least one week before testing and include key process owners and
executive management. During the meeting, the SOX compliance assessment team should confirm the period, scope, timeline and
budget; identify key process owners and systems; and address documentation requests and scheduling/logistics.

PREPARE AND FINALIZE RISK ASSESSMENT For this step, we recommend referencing PCAOB Audit Standard 5 Role of Risk
Assessment. Risk assessment underlies the entire audit process described by this standard, including the determination of significant
accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary
for a given control.

A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the companys
internal control over financial reporting and the amount of audit attention that should be devoted to that area. Additionally, the risk
that a companys ICFR will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent
or detect an error. The SOX compliance assessment team should focus more of its attention on the areas of highest risk. On the other
hand, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to
the financial statements.

Additional steps in preparing and finalizing risk assessment include:

1. Analyzing financial line items and disclosures in order to identify material items
2. Establishing a materiality threshold
3. Obtaining the most recent trial balance for entity

7 | SOX COMPLIANCE CHECKLIST

 4. Identifying material accounts for the trial balance, as well as the following inherent risk factors: fraud susceptibility; nature of the
account; complexity of the account; and changes in the account from the prior period
5. Applying quantitative (i.e., materiality) and qualitative (i.e., inherent risk) assessments to determine whether the account is
in-scope
6. Reconciling items from step 5 back to items from step 1

PREPARE AND FINALIZE RISK AND CONTROL MATRIX (RACM) The RACM reconciles the audit risks identified in the risk assess-
ment with the controls subject to the audit review. It also identifies the financial statement accounts that correspond to the control and
the applicable financial statement assertions.

Financial statement assertions are potential sources of financial misstatement and must be considered:

Existence or occurrence
Completeness
Valuation or allocation
Rights and obligations
Presentation and disclosure

ANALYZE DOCUMENTATION The SOX compliance assessment team must identify sufficient, reliable, relevant and useful information
to achieve the projects objectives. Additionally, sufficient information must be factual, adequate and convincing so that a prudent,
informed person would reach the same conclusions as the team.

Reviewing previously completed narratives and other work papers helps the SOX compliance assessment team understand the risks,
controls and processes associated with the audit area.Analysis of this documentation will assist in identifying (i) key controls that may be
selected for testing; and (ii) potential controls issues.

SCHEDULE AND CONDUCT INTERVIEWS The SOX compliance assessment team must base conclusions and engagement results on
appropriate analyses and evaluations.

Duringthe planning phase, the team should conduct interviews with all key client personnel involved in the subject assessed.The team
should also make an effort to interview an adequate number of key personnel so that information gathered can be appropriately cor-
roborated with other documentation gathered during the testing phase. The interviewswill enable the team to confirm, and/or identify
gaps in, the clients practices, procedures and/or controls.

COMPLETE OR UPDATE NARRATIVES AND/OR FLOWCHARTS The SOX compliance assessment team should complete or update
narratives and/or flowcharts to document the key processes being reviewed.These documents should depict all the key activities in a
process (from beginning to end), show the sequence of tasks for each activity, and provide detailed information on the design of each
control (i.e., wording must reconcile to RACM).The narratives and/or flowcharts should be sufficient in substance to allow a reader to
easily understand the key elements of the processes and controls examined.

REQUEST MEETINGS AND DOCUMENTS Upon completion of planning and prior to the commencement of testing, the SOX compli-
ance assessment team should send management a preliminary request of meetings and documents that will be required to complete
tests of design. The team should provide management with adequate time to respond to the information request. The team should also
inquire of the status of the information request list on a regular basis and escalate the request to the Chief Financial Officer, if necessary.

UPDATE REPOSITORY FILE The SOX compliance assessment team should include all documents applicable to the planning phase in a
standard and secure repository file prior to proceeding to testing activities. Additionally, the team must document a detailed test plan in
the file. The audit manager must approve all steps and documents applicable to planning prior to starting testing.

8 | SOX COMPLIANCE CHECKLIST

SOX COMPLIANCE CHECKLIST PHASE #4:
PERFORM INTERIM TESTING AND ROLL-FORWARD TESTING
Key activities in this phase include:

PERFORM TESTS OF DESIGN In accordance with PCAOB Audit Standard 5 Testing Design Effectiveness, the SOX compliance
assessment team should test the design effectiveness of controls by determining whether the companys controls, if they are operated as
prescribed by persons possessing the necessary authority and competence to perform the controls effectively, satisfy the companys con-
trol objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.

Procedures the team performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the
companys operations, and inspection of relevant documentation.

Notes:

Tests of design are typically performed once per year per key control
The design of any updated or remediated control should be tested in the year as soon as the control is updated or remedi-
ated. The wording of the updated or remediated control should be updated in corresponding documentation (e.g., RACM,
narrative, and tests)
If, through a test of design, a control is concluded as not effectively designed, testing the operating effectiveness of the
control should not be performed until the control design is re-tested and determined to be remediated
Testing should be documented consistently

The test of design should document a walkthrough (i.e., inquiry) of the control design with control owner (including the date and
summary of the interview). It should also identify tests performed (i.e., inspection) on supporting control documentation.

PERFORM TESTS OF OPERATING EFFECTIVENESS In accordance with PCAOB Audit Standard 5 Testing Operating Effective-
ness, the SOX compliance assessment team should test the operating effectiveness of a control by determining whether the control is
operating as designed and whether the person performing the control possesses the necessary authority and competence to perform
the control effectively.

Procedures the team performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the
companys operations, inspection of relevant documentation, and re-performance of the control.

Notes:

Controls must be tested and concluded as appropriately designed before testing operating effectiveness
If management provides a population of transactions or controls to test, the population must be tested to gain assurance over
the populations completeness and accuracy. A standard template for testing populations must be followed
If sample size guidelines are provided by the external auditor, then these guidelines must by followed. Otherwise, company-
specific sample size guidelines must be followed
The sampling methodology should be documented and follow the companys sampling methodology
Tests of operating effectiveness should be documented consistently
Supporting evidence for each sample item should be included in the work papers

9 | SOX COMPLIANCE CHECKLIST

TEST ENTITY-LEVEL CONTROLS According to PCAOB Audit Standard 5 Identifying Entity-Level Controls, the SOX compliance
assessment team must test those entity-level controls that are important to the conclusion about whether the company has effective
internal control over financial reporting. The teams evaluation of entity-level controls can result in increasing or decreasing the testing
that the team otherwise would have performed on other controls.

Some notes to consider regarding entity-level controls:

Some entity-level controls have an important, but indirect, effect on the likelihood that a misstatement is present. These
controls may impact the nature of lower-level controls selected for testing
Some entity-level controls monitor the effectiveness of other controls. These controls may allow the team to reduce testing of
lower-level controls
Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a
timely basis misstatements to one or more relevant assertions. These controls may allow the team to eliminate testing of lower-
level controls relating to the risk

Additionally, entity-level controls should be tested by leveraging a standard framework (such as COSO 2013) for testing these
controls. Note: Only entity-level controls that are applicable to financial reporting should be tested.

TEST MANAGEMENT REVIEW CONTROLS According to PCAOB Alert 11 Testing Management Review Controls, SOX compli-
ance assessment teams often select and test management review controls in assessments of internal control. These review controls
typically involve comparing recorded financial statement amounts to expected amounts and investigating significant differences from
expectations.

As with other types of controls, the team should perform procedures to obtain evidence about how a management review control is
designed and operates to prevent or detect misstatements. Verifying that a review was signed off provides little or no evidence by
itself about the controls effectiveness.

Many management review controls are entity-level controls, so testing those review controls can be an appropriate part of a top-
down approach. Auditing Standard No. 5 provides that entity-level controls vary in nature and precision, and that some entity-level
controls might operate at a level of precision that would adequately prevent or detect misstatements on a timely basis. Other
entity-level controls, by themselves, might not operate with the necessary level of precision, but might be effective in combination
with other controls in addressing the assessed risk of material misstatement. Thus, the main consideration in assessing the level of
precision is whether the control is designed and operating to prevent or detect on a timely basis misstatements that could cause the
financial statements to be materially misstated.

TEST SYSTEM GENERATED DATA AND REPORTS According to PCAOB Alert 11 - In an audit of internal control, if the auditor se-
lects an IT-dependent control for testing, the auditor should test the IT-dependent controls and the IT controls on which the selected
control relies to support a conclusion about whether those controls address the risks of material misstatement. For example, if a con-
trol selected for testing uses system-generated data or reports, the effectiveness of the control depends in part on the controls over
the accuracy and completeness of the system-generated data or reports. In those situations, supporting a conclusion on the effective-
ness of the selected control involves testing both the selected control and the controls over the system-generated data and reports.

Often system generated data and reports are referred to as Information Prepared by Entity or IPE. The SOX compliance assessment
team should identify any applicable system generated data (e.g., data used for identifying populations of transactions from which
samples are selected for testing) or system generated reports (e.g., reports used in conjunction with management review controls).
The SOX compliance assessment team should confirm with the external audit team the approach that should be used to assess the
completeness and accuracy of the system generated data and reports. The testing should be performed in conjunction with the
applicable tests of design of tests of operating effectiveness.

10 | SOX COMPLIANCE CHECKLIST

TEST APPLICATION CONTROLS These preventive controls are implemented through configuration or security of information
systems. Testing should include both positive/negative testing, as well as reviewing the associated system configuration or security
settings.

The population of application controls can be identified by referring to the RACM.

COMMUNICATE WITH MANAGEMENT/EXTERNAL AUDITOR The SOX compliance assessment team should communicate and
meet with company management on a frequent and continuous basis during the compliance assessment. Communication should
occur on both a formal and informal basis. This communication should include periodic status meetings to provide updates on the
assessments progress, follow-up discussions on outstanding information requests, and discussions to validate preliminary exceptions.

The team should also communicate and meet with the external audit team on a frequent and continuous basis. This communication
should include periodic status meetings to provide updates on the assessments progress and preliminary exceptions.

VALIDATE/ASSESS TESTING EXCEPTIONS The SOX compliance assessment team will conclude on the design or operating
effectiveness of controls. When performing evaluations, the team should consider (i) discussions with management; (ii) analysis of
corroborating evidence; (iii) mitigating controls (and related testing results, where applicable); and (iv) recent changes to the control
environment (where applicable).If the team determines that a situation exists where a control or group of controls are not designed
or operating effectively, then an exception will need to be documented. Additionally, the team should discuss testing exceptions with
management and the external auditors in a timely manner, but no later than the meetings held at conclusions of the SOX compliance
assessment testing phases. Proactive and early discussion of testing exceptions is strongly encouraged.

Notes:

For this step, it is instructive to reference PCAOB AU 325 Communications About Control Deficiencies. Specifically, in an audit of
financial statements, the team may identify deficiencies in the companys internal control over financial reporting. A control deficiency
exists when the design or operation of a control does not allow management or employees, in the normal course of performing their
assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than
a material weakness, yet important enough to merit attention by those responsible for oversight of the companys financial reporting.

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a
reasonable possibility that a material misstatement of the companys annual or interim financial statements will not be prevented or
detected on a timely basis.

DOCUMENT TESTING EXCEPTIONS All testing exceptions must be documented in a common document.The SOX compliance
assessment team should document the classification of the testing exceptions (i.e., material weakness, significant deficiency, control
deficiency, or process improvement) and the rationale for the classification.

PERFORM ROLL-FORWARD TESTING For SOX audits, there are typically two testing phasesinterim and roll-forward. The interim
and roll-forward phases may include controls (e.g., annual frequency) that are not tested in the other phase.

For specific guidance on and assistance with SOX compliance, please contact Christian Heffron at 703.652.0240,
email [email protected] or visit www.ryansharkey.com.

11 | SOX COMPLIANCE CHECKLIST

SOX COMPLIANCE CHECKLIST PHASE #5:
FINALIZE THE PROJECT AND REPORT RESULTS
Your process of finalizing the project and reporting results should be designed to meet the following objectives:

Communicate the review results

Finalize work papers

Key activities in this phase include:

FINALIZE DRAFT REPORT The draft report should be updated to include any updates received on the test exceptions between
the time the testing was performed and the closing meeting date. Additionally, a rationale for exception classifications should be
discussed and agreed with management and the external audit team. A separate document identifying compensating controls should
be prepared for each exception (where applicable) classified as a control deficiency, significant deficiency, or material weakness.

HOLD THE CLOSING MEETING A closing meeting should be held to discuss and finalize the report. Attendees should include all
personnel involved in the assessment. The SOX compliance assessment team should finalize the draft report by taking into consider-
ation any comments or concerns provided by client management during the closing meeting. If substantial modifications are made to
the report after the closing meeting, the team should redistribute the report to all closing meeting attendees.

ISSUE FINAL REPORT Once all the necessary internal quality assurance procedures have been completed, the final SOX compli-
ance assessment report should be distributed to management.

If after final distribution, the team determines that the report contains significant errors and/or omissions, then the team must send a
corrected report to all of the original recipients.

FINALIZE AUDIT COMMITTEE MATERIALS AND DISTRIBUTE The Audit Committee presentation (where applicable) summarizing
the plans, status and/or results of the SOX compliance assessment should be distributed to management for review prior to the Audit
Committee meeting.

DELIVER WORK PAPERS TO THE EXTERNAL AUDITOR Work papers should be provided to the external auditor in the format and
according to the timing agreed to with the external auditor.

12 | SOX COMPLIANCE CHECKLIST

About RyanSharkey Risk Advisory Services for SOX Compliance
RyanSharkey SOX professionals advise clients on the full range of SOX issues. Our services include:

Implementation and maintenance of sustainable SOX compliance programs, including:

Readiness assessments
Documentation and testing assistance
Training to support a successful SOX compliance program
SOX documentation of internal controls, including:
Comprehensive risk assessment, including:
Identifying processes
Entity-level controls
Financial reporting controls, and information technology (IT) general controls
Identifying key and missing controls
Identifying and documenting financial reporting processes, including:
Testing key controls and documenting results
SOX risk testing in order to minimize waste and cost while ensuring compliance
Developing a customized SOX process based on unique requirements
Remediation of control gaps; testing is distinct and separate from identifying/documenting control gaps

With RyanSharkeys Risk Advisory Services, clients can:

Leverage leading-edge processes, practices and insights in order to devise and implement a customized and cost-effective
approach to SOX compliance
Decrease documentation and testing time
Gain valuable insight on the ways in which risks correlate to executive management decisions
Obtain best-in-practice strategies for managing risks through ICFR
Devise and implement year-on-year SOX compliance improvements that can drive down costs and maximize SOX compliance
efforts

For specific guidance on and assistance with SOX compliance, please contact Christian Heffron at 703.652.0240,
email [email protected] or visit www.ryansharkey.com.

13 | SOX COMPLIANCE CHECKLIST

About RyanSharkey
Christian Heffron, ACA, CISA
RyanSharkey, LLP is a leading accounting and consulting firm in
Assurance Partner
the Washington, D.C. region that delivers accounting, audit, tax
and consulting services for a diverse group of clients. Guided (703) 652-0240
by a unique corporate culture, RyanSharkeys team of advisors is [email protected]
known for their personalized insights, forward-thinking solutions
and innovative strategies.

Learn more at www.ryansharkey.com.

14 | SOX COMPLIANCE CHECKLIST