SOX Reconciliation Requirements: What Finance Teams Need to Know

Most finance teams operating under SOX compliance know they need to reconcile accounts. What's less clear — until an auditor flags a deficiency — is the specific evidence standards those reconciliations must meet. A reconciliation that satisfies the controller is not necessarily a reconciliation that satisfies an auditor reviewing for SOX Section 302 or 404 compliance. The gap between the two is where material weaknesses get born.

This article covers the evidence standards, frequency rules, and documentation requirements that SOX-compliant reconciliation actually demands. If you're currently SOX-compliant and want to stress-test your process, or if you're preparing for your first SOX audit, these are the specifics that matter.

What SOX Actually Requires for Account Reconciliation

SOX itself — the Sarbanes-Oxley Act of 2002 — doesn't prescribe a specific reconciliation format. What it requires is an effective internal control over financial reporting (ICFR) environment that management can assess and certify (Section 302, quarterly) and that auditors can test (Section 404, annually for accelerated filers).

Account reconciliation is typically identified as a key control — meaning it's one of the controls that management relies on to prevent or detect material misstatements. For a control to be effective under SOX, it needs to be designed to address the relevant financial reporting risk AND operating as designed, consistently, throughout the period.

That second requirement — operating as designed, consistently — is where most deficiencies originate. A company can have a well-designed reconciliation control that still produces a deficiency finding because the control didn't operate in all three months of the quarter, or because it operated without proper review, or because exceptions weren't followed up to resolution.

The Five Elements of a SOX-Compliant Reconciliation

Audit firms and PCAOB inspection guidance generally expect SOX-compliant account reconciliations to demonstrate five elements:

1. Completeness: The reconciliation covers the full account balance for the period. Partial reconciliations — covering only certain transaction types or only high-dollar items — require explicit documentation of scope and a separate control for what's excluded.
2. Accuracy: Balances tie to source systems. The ending GL balance reconciles to the subledger or external statement within the defined materiality threshold. Any reconciling items are identified and explained.
3. Explanation of reconciling items: Every item in the reconciling section must be explained. "Unknown" is not an acceptable description. Even an item that's been sitting unresolved for 60 days needs an explanation of what it represents and the current resolution status.
4. Timely preparation: The reconciliation is prepared within the period defined by the company's control documentation. If your control says reconciliations are prepared within 5 business days of period close, an 8-day lag is a control failure — regardless of whether the numbers are correct.
5. Documented review: A second person — typically the controller or finance manager — reviews and approves the reconciliation. The review must be evidenced by a dated signature or approval timestamp. An undocumented review is an unevidenced control, which auditors treat as equivalent to no review at all.

Reconciliation Frequency: What the Standard Requires

SOX doesn't mandate monthly reconciliation for every account. What it requires is that the frequency of a control matches the risk it's designed to address. In practice, this means:

• Monthly (minimum) for significant accounts: Cash, AR, AP, payroll liabilities, short-term debt, deferred revenue, and any account with a balance that could produce a material misstatement if misstated. These accounts need monthly reconciliation, and that standard should be documented in your control documentation.
• Quarterly may be acceptable for lower-risk accounts: Long-term assets with minimal activity, prepaid balances with predictable amortization, certain equity accounts. But "quarterly" still means reconciled and reviewed within the quarter — not assembled at year-end.
• Annual is rarely adequate for anything material: An annual-only reconciliation leaves 11 months of potential misstatement detection gap. Auditors scrutinize annual-frequency controls closely.

The frequency must be documented in your control matrix. If your control documentation says "monthly" but your reconciliations are done every 5–6 weeks because close runs long, that's a design-to-operation gap — a deficiency waiting to be found.

The Review Standard: What Makes It Meaningful

The SOX review requirement for reconciliations gets misunderstood in two directions. Some teams over-implement — requiring a VP-level sign-off on every $5,000 bank account reconciliation, creating a bottleneck that delays close and adds no real control value. Others under-implement — the "review" consists of the controller glancing at the reconciliation and signing without examining the reconciling items.

A meaningful review, from an audit perspective, means the reviewer:

• Verified that the ending balance ties to source (GL or external statement)
• Examined and assessed each reconciling item — not just acknowledged their existence
• Confirmed that aging reconciling items are being followed up appropriately
• Applied professional judgment about whether unexplained items could represent a misstatement

The reviewer should be someone at a different level from the preparer — not a peer review, but an actual supervisor or manager review. For most mid-market finance teams, this means staff accountants prepare, and the controller or senior accountant reviews. That hierarchy should be consistent in your documentation.

A practical note: if your reconciliation review is happening in under 2 minutes per account, it's probably not meeting the meaningful review standard. Complex accounts deserve 5–15 minutes of actual examination.

Reconciling Item Aging: The Most Common Finding

Of all the SOX reconciliation deficiencies we've seen documented in external audit findings, the most common is stale reconciling items — items that appear in the reconciling section for multiple consecutive periods without resolution or a documented explanation for why they remain open.

Auditors look at this as a failure of the review control. If the same $14,000 unexplained item has been in the reconciling section for four months and the reviewer has been signing off each month, either the reviewer isn't examining the items carefully, or the company lacks the process to escalate and resolve exceptions. Either reading is a control deficiency.

The fix is an aging threshold policy: reconciling items that remain open beyond a defined threshold (typically 30–60 days for significant items) automatically trigger an escalation to the controller and a documented resolution plan. The policy doesn't have to be complicated. It does have to be enforced consistently, with evidence.

SOX Documentation: What Auditors Actually Pull

When an external auditor or internal audit team tests your reconciliation control, they'll typically request a sample of reconciliations from the test period — often 3 to 5 per account type, selected randomly or based on risk. For each sampled reconciliation, they'll examine:

• The completed reconciliation workpaper or system output
• Evidence that the balance ties to the source system (GL report or external statement)
• Explanation for each reconciling item
• Preparer identification and date
• Reviewer signature/approval and date
• For items marked as resolved: resolution documentation showing how the item was cleared

If any of these elements is missing from a sampled reconciliation, the control test has an exception. Multiple exceptions can result in a significant deficiency or material weakness finding, depending on the nature and dollar amount of the accounts affected.

This is why assembling the close package after the fact is a risk. If reconciliation evidence isn't captured at the time of preparation and review, reconstructing it months later for an auditor is both difficult and unconvincing. Auditors are trained to distinguish contemporaneous documentation from retroactive reconstruction.

Preparing for a First-Time SOX Audit

If your company is approaching its first formal SOX audit — whether because you've gone public, are preparing to, or have a new investor requiring SOX-readiness — the reconciliation controls are usually one of the first areas internal audit or your external auditor will assess.

The preparation work is not complicated, but it requires lead time. Start 6–9 months before the audit period with a self-assessment: for every account on your chart of accounts, document the current reconciliation frequency, preparer, reviewer, and storage location of evidence. Then compare that documentation against the five elements listed above.

Almost every self-assessment surfaces gaps — accounts that are being reconciled but not reviewed, reconciling items with incomplete explanations, frequency that doesn't match the documented control. Those gaps are far easier to remediate when you find them 6 months before the auditor does.

SOX compliance for reconciliation isn't about building an elaborate system. It's about executing a defined process consistently, every period, with evidence that it ran as designed. The controls that work are the ones that have been operating long enough for the evidence to be deep — not assembled quickly in the month before an audit.