Establishment; Administrative Provisions
SOX Section 101 is the “establishment; administrative provisions” requirement that created the PCAOB to oversee audits of public companies subject to U.S. securities laws (Public Law 107-204). To operationalize it, you must ensure your issuer uses a PCAOB-registered audit firm, your audit committee and finance team support PCAOB-compliant audits, and you can evidence auditor independence, engagement governance, and PCAOB-facing readiness.
Key takeaways:
- Your practical obligation is indirect but real: hire and oversee a PCAOB-registered auditor and run audit governance as if PCAOB inspection could happen.
- Evidence centers on auditor selection, independence confirmations, audit committee oversight, and documentation retention discipline.
- Execution succeeds when ownership is clear: audit committee + CFO/Controller + CCO/GRC + procurement/TPRM for third-party controls.
“Establishment; Administrative Provisions” in SOX Section 101 is short statutory text with a large operational footprint. It does not read like a checklist requirement for issuers, but it creates the regulator that sets expectations for your external audit quality, auditor conduct, and inspection risk posture: the Public Company Accounting Oversight Board (PCAOB) (Public Law 107-204). For a Compliance Officer, CCO, or GRC lead, the job is to translate that structural requirement into repeatable controls around auditor appointment, auditor independence, audit committee oversight, and readiness for PCAOB-driven audit standards that your external auditor must follow.
The fastest way to operationalize SOX 101 is to treat the audit firm as a high-impact third party and formalize how your organization selects, contracts with, oversees, and documents that relationship. The exam mindset to adopt: “Show me the governance.” Auditors and regulators look for clarity of roles, decisions made at the right level (especially the audit committee), and a clean evidence trail. If you can produce those artifacts quickly and consistently, SOX 101 becomes manageable.
Regulatory text
Excerpt (SOX Section 101): “There is established the Public Company Accounting Oversight Board to oversee the audit of companies subject to securities laws.” (Public Law 107-204)
What that means for operators
This text establishes the PCAOB as the oversight body for audits of issuers (public companies) and the audit firms that audit them (Public Law 107-204). While SOX 101 does not list issuer controls in the statute excerpt, it changes your operating environment: your external auditor is subject to PCAOB oversight, and your audit process must work within PCAOB standards and inspection reality. Practically, you need governance and evidence that:
- your auditor is eligible (PCAOB-registered),
- your auditor remains independent,
- the audit committee performs effective oversight,
- management supports audit quality through documentation, access, and timely remediation.
Plain-English interpretation (requirement-level)
For an issuer: use a qualified, PCAOB-eligible external auditor and run audit governance that stands up to PCAOB oversight expectations. That translates into repeatable processes for auditor selection/retention, independence management, audit committee reporting, and documentation retention.
For a registered public accounting firm: registration and compliance with PCAOB oversight are direct obligations. As an issuer, you still need to confirm your audit firm’s status and ensure your engagement doesn’t create independence or scope problems.
Who it applies to
In scope entities
- Public Companies (Issuers) subject to U.S. securities laws (Public Law 107-204).
- Registered Public Accounting Firms that audit issuers (Public Law 107-204).
Operational context where this shows up
- External auditor selection, appointment, and annual re-appointment workflow.
- Audit committee oversight activities (agenda, minutes, approvals, challenge).
- Auditor independence controls (services approvals, conflict checks, annual confirmations).
- SOX ICFR program coordination with external audit (testing plans, remediation, evidence).
- Third-party governance for the audit firm (contracting, SLAs for deliverables, access, confidentiality).
What you actually need to do (step-by-step)
1) Assign ownership and define your audit-governance RACI
Owner set to implement: Corporate Secretary (committee mechanics), CFO/Controller (audit execution), CCO/GRC lead (control design/evidence), Procurement/TPRM (third-party onboarding), Audit Committee Chair (oversight).
Minimum outputs
- RACI for: auditor appointment, fee approval, non-audit service approvals, independence violations handling, audit issue escalation, and audit plan approval.
- Audit committee annual calendar that includes the audit lifecycle.
Operational tip: If responsibilities live “in everyone’s head,” you will lose time during close and during any investigation.
2) Verify the auditor’s PCAOB eligibility and lock it into onboarding
Even though SOX 101 is the PCAOB’s creation clause, your operational dependency is auditor eligibility (Public Law 107-204).
Actions
- Confirm your external auditor is a PCAOB-registered public accounting firm (document the verification step in your onboarding checklist).
- Require your auditor to provide written confirmation of registration status and any changes that could affect eligibility.
Evidence
- Auditor onboarding checklist with PCAOB registration verification step completed.
- Auditor attestation/representation letter (registration and eligibility).
3) Implement an auditor independence control set (and tie it to purchase approvals)
Independence failures are where many programs get surprised. Keep it procedural and evidence-driven.
Actions
- Maintain an “Auditor Independence & Services” procedure:
- what counts as audit vs. non-audit service,
- who can request services,
- who approves (audit committee or delegated authority consistent with your governance),
- how conflicts are tracked and resolved.
- Route any engagement with the audit firm (including advisory projects) through a central intake. If your company uses procurement tooling, tag the audit firm as a restricted third party requiring additional approvals.
Evidence
- Independence policy/procedure.
- Non-audit services register and approval records.
- Annual independence confirmations from the audit firm and key engagement personnel.
- Audit committee minutes showing approvals and oversight topics.
4) Formalize audit committee oversight as an auditable process
The audit committee is your governance “control plane.” You need provable oversight.
Actions
- Standardize audit committee materials:
- external audit plan review package,
- audit results package,
- independence and services approvals summary,
- management’s significant judgments and estimates memo (where applicable),
- remediation tracking summary for control issues.
- Require minutes to capture decisions and challenges, not just attendance.
Evidence
- Audit committee charter (current version) and annual review evidence.
- Meeting agendas, minutes, and board packages.
- Annual evaluation of the audit firm performance (structured questionnaire and results).
5) Run your SOX/ICFR program with “PCAOB inspection mindset”
Your external auditor must conduct the audit under PCAOB oversight (Public Law 107-204). Your job is to keep management’s side inspection-ready.
Actions
- Maintain a single system of record for:
- control design documentation,
- test plans and sampling rationale (even if internal),
- evidence requests and fulfillment,
- remediation plans and retesting.
- Implement a “PBC (Provided By Client) discipline”:
- version control for evidence,
- standardized naming conventions,
- clear owners and due dates,
- retained evidence for re-performance.
Evidence
- SOX control matrix and narratives.
- Evidence request log (PBC list) with timestamps and owners.
- Remediation tracker with approvals and closure evidence.
6) Treat the audit firm as a high-impact third party in your TPRM program
Even if your TPRM program focuses on security and privacy, your external auditor is still a third party with business-critical impact.
Actions
- Classify the audit firm as “critical” (or your highest tier) in third-party inventory.
- Require contract hygiene:
- scope and deliverables,
- confidentiality provisions,
- audit committee fee approval evidence,
- engagement letter storage and renewal workflow.
- Align procurement controls so no one can “side buy” services from the auditor without independence review.
Evidence
- Third-party inventory entry and risk tier rationale.
- Executed engagement letter and amendments.
- Procurement approval workflow logs.
7) Build a lightweight “PCAOB-ready” evidence binder
You may never hand it to the PCAOB, but the discipline keeps your audit defensible.
Include
- Auditor eligibility and independence packet.
- Audit committee governance packet.
- Current-year audit timeline and key communications log.
- SOX/ICFR program index and remediation summary.
Required evidence and artifacts to retain (operator checklist)
Maintain these in a controlled repository with retention aligned to your corporate records schedule:
- Auditor appointment and engagement letter, including fee approvals.
- PCAOB registration verification record and annual auditor representation.
- Independence confirmations; non-audit services approvals and register.
- Audit committee charter, annual calendar, agendas, minutes, and materials.
- SOX/ICFR documentation: control matrix, narratives, testing evidence, deficiency evaluation, remediation plans, closure evidence.
- Communications log for significant audit matters (who raised it, decision taken, follow-up).
Common exam/audit questions and hangups
- “How do you confirm the external auditor is eligible to audit an issuer?” Auditors expect a repeatable verification step and documentation.
- “Show me how you prevent prohibited or risky non-audit services.” The hangup is usually decentralized purchasing and unclear approvals.
- “Where is audit committee oversight evidenced?” Minutes that lack decisions and approvals create gaps.
- “How do you track and close control deficiencies?” Teams often have trackers, but not closure evidence or clear owners.
Frequent implementation mistakes (and how to avoid them)
- Treating SOX 101 as “not applicable” because it establishes the PCAOB. Fix: Map it to your external audit governance controls and evidence pack (Public Law 107-204).
- Letting procurement bypass independence controls. Fix: Put the audit firm on a restricted third-party list that triggers CCO/GRC review and audit committee approval workflow.
- Storing audit committee artifacts in email threads. Fix: Use a controlled repository with standardized naming and versioning.
- Weak minutes. Fix: Train the minute-taker to capture approvals, challenges, and outcomes. If it wasn’t written down, it will be treated as if it didn’t happen.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not summarize specific actions. Practically, your risk is indirect: failures in external audit governance and independence controls can escalate into financial reporting risk, restatement risk, and regulator scrutiny. The safest operational posture is to assume your audit engagement and audit committee records will need to stand on their own under review, with clear evidence of oversight and independence management (Public Law 107-204).
Practical 30/60/90-day execution plan
First 30 days (stabilize governance and eligibility)
- Assign a single owner for external audit third-party governance (often the Controller with CCO/GRC support).
- Document the RACI for audit firm appointment, independence approvals, and audit committee reporting.
- Confirm and document auditor PCAOB registration status; store in the audit governance folder (Public Law 107-204).
- Create (or clean up) the audit committee evidence structure: charter, calendar, minutes repository.
Days 31–60 (operationalize independence and oversight)
- Publish the auditor independence and services procedure; implement central intake for any auditor-related spend.
- Stand up the non-audit services register with required approvals.
- Standardize audit committee packets for audit plan, results, and independence.
- Build your “PCAOB-ready” binder structure and start populating it for the current audit cycle.
Days 61–90 (prove it works; drill for readiness)
- Run a tabletop: pick one non-audit services request and walk it end-to-end through approvals and documentation.
- Perform an internal evidence pull test: can you produce your required artifacts quickly, completely, and consistently?
- Review last cycle’s deficiencies and remediation closure evidence; ensure the tracker is auditable.
- If you manage third parties in Daydream, configure the audit firm record with restricted approvals, required documents, and renewal reminders so the governance stays consistent year over year.
Frequently Asked Questions
Does SOX Section 101 create direct control requirements for issuers?
The excerpt provided establishes the PCAOB and its oversight role (Public Law 107-204). For issuers, the practical requirement is to operate within that oversight environment by appointing an eligible auditor and maintaining strong audit governance and independence controls.
What evidence should I have ready if someone asks, “How do you know your auditor is PCAOB-registered?”
Keep a documented verification step in your auditor onboarding and annual renewal process, plus a written confirmation from the audit firm. Store it with the engagement letter and audit committee approval artifacts.
Where do teams usually fail on “administrative provisions” requirements like this?
They treat it as abstract and skip operational mapping. The miss shows up later as weak auditor independence controls, scattered approvals, and incomplete audit committee records.
How should TPRM interact with the external audit relationship?
Treat the audit firm as a critical third party: controlled onboarding, restricted purchasing paths, and contract/document governance. TPRM can own the workflow while Finance and the audit committee own the decisions.
What should audit committee minutes include to support this requirement?
Capture approvals (auditor appointment, fees, non-audit services), key questions raised, and follow-ups assigned. Minutes that only list attendees and generic topics create audit gaps.
Can I centralize all this in one place without building a new system?
Yes. Start with a controlled repository and a simple intake/approval workflow for any auditor-related services. If you already run third-party governance in Daydream, use it to enforce required documents, approvals, and renewal timing.