Internal controls manager
SOX compliance director
Internal audit director
Chief financial officer
Risk management officer
Governance committee member

This process is used on a quarterly, semi-annual, or annual basis as part of the organization’s internal control certification program — commonly in support of SOX compliance, SOC reporting, or regulatory control frameworks. It applies when each control owner must review their assigned controls, confirm that they have been operating as designed, identify any exceptions or changes, and submit a formal certification to compliance or internal audit. Ideal for publicly traded companies managing SOX compliance, organizations undergoing SOC audits, financial institutions, and any entity with a formal internal control framework.
The control owner certification process typically involves control owners who operate and certify their assigned controls, internal controls or compliance managers who administer the certification campaign, internal audit who reviews certifications and investigates reported exceptions, finance leadership who rely on certifications for financial reporting assurance, and the audit committee or governance body that receives the aggregate certification results.
Documented control effectiveness through formal owner attestation for every control in the organization’s control framework.
Early identification of control deficiencies because owners are required to disclose exceptions rather than waiting for audit testing to discover them.
Strengthened accountability by requiring each control owner to personally certify that their controls are operating effectively.
Audit-ready certification records that demonstrate the organization’s ongoing attention to its control environment between audit cycles.
Governance visibility through aggregate reporting on certification completion, disclosed exceptions, and remediation status.

Your version of this process may vary based on roles, systems, data, and approval paths. Moxo’s flow builder can be configured with AI agents, conditional branching, dynamic data references, and sophisticated logic to match how your organization runs this workflow. The steps below illustrate one example.
Certification campaign initiation
The process begins when the internal controls team launches the periodic certification campaign. Each control owner receives a list of their assigned controls along with the certification form requiring them to attest to operating effectiveness, report any exceptions, and confirm that supporting evidence is maintained. An AI Agent can assist by generating the control owner assignments from the control inventory and pre-populating the certification with each owner’s specific controls.
Control owner review and self-assessment
Each control owner reviews the operation of their assigned controls during the certification period. This includes confirming that the control was performed at the required frequency, that evidence of performance exists, and that no material exceptions occurred. If exceptions are identified, the owner documents them in the certification.
Certification submission
The control owner submits the completed certification, attesting to the operating effectiveness of their controls and disclosing any exceptions. The certification captures the owner’s name, certification date, control-by-control attestation, and any exception narratives.
Exception review and investigation
The internal controls team reviews all submitted certifications. Disclosed exceptions are evaluated for severity and root cause. Material exceptions are referred to internal audit for investigation. Remediation plans are developed and tracked. An AI Agent may categorize exceptions by type, severity, and control area to prioritize the review.
Completion tracking and escalation
The controls team tracks certification completions against the campaign deadline. Automated reminders are sent to owners with outstanding certifications. Non-completions are escalated to management as the deadline approaches.
Reporting and governance
Upon campaign completion, the controls team generates an aggregate report showing certification completion rates, exception categories, remediation status, and any areas of concern. The report is presented to finance leadership, the audit committee, or the governance body as applicable.
This process commonly relies on inputs such as the control inventory, control owner assignments, prior period certifications, exception history, and supporting control evidence. It may be triggered by the periodic certification calendar, typically aligned with financial reporting periods. Connected systems often include GRC platforms like ServiceNow GRC, Workiva, or AuditBoard, control inventory databases, and governance reporting tools.
Key decision points include whether each control owner has sufficient evidence to certify that their controls operated effectively, whether disclosed exceptions represent material deficiencies that require immediate remediation, whether non-completions should be escalated and what consequences apply, and how aggregate certification results inform the organization’s assessment of its control environment.
Control owner assignments outdated, resulting in certifications sent to individuals who no longer own the controls.
Certifications completed without actual review of control performance, reducing the certification to a rubber-stamp exercise.
Exceptions not disclosed by owners who fear negative consequences, undermining the program’s value.
Disclosed exceptions not investigated or remediated, leaving known deficiencies in the control environment.
Aggregate results not analyzed or reported to governance, missing the opportunity to identify systemic control weaknesses.
Orchestrates the control owner certification campaign from initiation through governance reporting across control owners, compliance, internal audit, and leadership in a single coordinated flow.
AI Agents generate certification assignments from the control inventory and pre-populate each owner’s certification with their specific controls and prior period status.
Engages control owners within the workflow for self-assessment, exception disclosure, and certification submission with clear instructions and deadlines.
Routes disclosed exceptions for investigation within the workflow so the controls team and internal audit can assess severity and assign remediation.
Tracks completion rates in real time with automated reminders and escalation to management for outstanding certifications.
Preserves the complete certification record including owner attestations, exception disclosures, investigation outcomes, and aggregate reporting for SOX, SOC, and governance compliance.
