
Introduction
UK companies listed on US exchanges face a compliance blind spot that carries real consequences: their Indian subsidiaries are not exempt from Sarbanes-Oxley Act (SOX) obligations. Many UK finance teams overlook the extraterritorial reach of SOX when establishing India operations, assuming UK Corporate Governance Code compliance is sufficient. It isn't.
The challenge intensifies because India has no domestic SOX law, yet subsidiaries whose financials consolidate into a US-listed parent's SEC filings fall squarely within SOX scope. This creates a dual-compliance burden: Indian entities must satisfy both local Internal Financial Controls (IFC) mandates under the Companies Act 2013 and US SOX requirements simultaneously.
In practice, that means navigating limited access to PCAOB-registered auditors and documentation standards that Indian finance teams are rarely set up to meet from day one.
This article clarifies when SOX applies to UK companies operating in India, how India's IFC framework compares to SOX, and the practical steps UK finance and compliance leaders must take to prepare Indian operations for audit scrutiny.
TLDR
- UK companies listed on US exchanges must include Indian subsidiaries in SOX scope when those financials consolidate into SEC filings
- India's Companies Act 2013 mandates Internal Financial Controls (IFC), a parallel framework to SOX Section 404
- Sections 302 and 404 require CEO/CFO certifications and annual internal control assessments — non-negotiable for listed entities
- UK companies must engage PCAOB-registered auditors; most Indian CA firms cannot issue opinions for US SEC filings
- Starting readiness assessments early — before gaps become audit findings — is the most effective way to avoid material weaknesses
What is SOX and Why Do UK Companies Need to Know About It?
The Sarbanes-Oxley Act of 2002 is a US federal law requiring publicly traded companies to maintain strong internal controls over financial reporting (ICFR). Sections 302 and 404 are the core enforcement provisions: CEOs and CFOs must personally certify the accuracy of financial statements, and management must annually assess the effectiveness of ICFR, with external auditors attesting to that assessment.
The UK Connection
SOX is not limited to US-headquartered companies. Any company—including UK firms—whose securities are registered with the SEC or listed on a major US exchange must comply. This includes:
- Ordinary shares listed on NYSE or NASDAQ
- American Depositary Receipts (ADRs)
- Other registered securities activity in the US
UK companies qualify as Foreign Private Issuers (FPIs) under SEC rules, which means they file annual reports on Form 20-F and may report under IFRS rather than US GAAP. However, FPIs must still comply with SOX Sections 302 and 404, including management certifications and auditor attestations of ICFR effectiveness.
For UK companies with Indian operations, this has a direct consequence: wholly-owned Indian subsidiaries fall in scope for SOX when their financials consolidate into the parent's US SEC filings.
UK Reforms Are Legally Distinct
The UK's recent governance reforms—including FRC Provision 29 of the UK Corporate Governance Code (effective 1 January 2026)—require boards to evaluate and disclose the effectiveness of risk management and internal controls.
This framework covers operational, compliance, and conduct risks, making it broader in scope than US SOX, which focuses specifically on financial reporting controls.
Critically, UK governance compliance does not satisfy US SOX obligations. UK companies listed on US exchanges must comply with both regimes separately.
Is SOX Applicable to Operations in India?
The Direct Answer
India has no domestic SOX law. The US SEC and PCAOB have no direct regulatory jurisdiction inside India. However, a UK company's Indian subsidiary still falls under SOX if the parent entity is subject to SOX as a US-listed company.
This extraterritorial mechanism works through consolidation: if the Indian entity's financials are consolidated into the parent's US SEC filings, that entity must maintain and demonstrate adequate ICFR.
What "In-Scope Indian Operations" Means
Any Indian entity whose financials consolidate into the parent's US SEC filings is in scope, including:
- Wholly Owned Subsidiaries (WOS)
- Liaison Offices (if financially significant)
- Branch Offices
- Joint Ventures where the parent exercises control
The Materiality Test
Not all Indian subsidiaries automatically require full SOX testing. The parent's auditors apply a materiality threshold to determine whether the Indian entity is a "significant location" warranting SOX scoping.
PCAOB Auditing Standard AS 2101 governs multi-location scoping. Auditors assess seven factors, including:
- Nature and amount of assets, liabilities, and transactions
- Materiality of the location
- Specific risks of material misstatement
- How centralised or dispersed the entity's records are
- Effectiveness of the control environment
- Frequency and scope of monitoring activities

There is no fixed percentage threshold—materiality is a matter of auditor professional judgement. Common practice references (for example, a location contributing 10-20% of consolidated revenue) are benchmarks, not statutory rules.
What Happens During a SOX Audit Involving India
The parent company's external auditors—who must be PCAOB-registered—will either:
- Audit the Indian operations directly, or
- Rely on the work of a PCAOB-registered component auditor in India
As of 2025, the PCAOB registered firms database lists a limited pool of firms operating in India. The PCAOB's 2025 Annual Report shows total registered firms worldwide declined from 1,544 at end-2024 to approximately 1,453 by mid-2025, a 6% drop.
The major PCAOB-registered firms in India are Big Four affiliates:
- S.R. Batliboi & Co. LLP (EY network)
- Price Waterhouse entities (PwC network)
- Deloitte Haskins & Sells LLP
- BSR & Co. LLP (KPMG network)
These firms operate primarily in Mumbai, Delhi/NCR, and Bengaluru. Subsidiaries based outside these Tier-1 cities often face logistical delays in securing a qualifying component auditor.
A Common Misconception
Some UK companies assume engaging a reputable Indian Chartered Accountant (CA) firm is sufficient. It is not.
Section 102(a) of the Sarbanes-Oxley Act requires firms that prepare or issue audit reports for issuers to be registered with the PCAOB. An Indian CA firm not registered with the PCAOB cannot issue an audit opinion used in a US SEC filing, no matter how skilled or experienced.
India's Own SOX Equivalent: Internal Financial Controls (IFC) Under the Companies Act 2013
India has a parallel internal controls framework that mirrors the structure of SOX Section 404.
The IFC Framework
Section 134(5)(e) of the Companies Act 2013 requires the board of directors of applicable Indian companies to confirm in the Directors' Report that:
- Internal financial controls have been laid down
- Such controls are adequate
- Such controls were operating effectively
Section 143(3)(i) requires the statutory auditor to report on the adequacy and operating effectiveness of these internal financial controls.
The Companies Act defines IFC as "the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information."
IFC vs. SOX: Side-by-Side Comparison
| Dimension | India IFC | US SOX Section 404 |
|---|---|---|
| Management assertion | Section 134(5)(e): Directors state IFC laid down, adequate, operating effectively | Section 404(a): Management assesses ICFR effectiveness annually |
| External auditor attestation | Section 143(3)(i): Statutory auditor reports on IFC adequacy and effectiveness | Section 404(b): PCAOB-registered firm attests to ICFR |
| Certification frequency | Annual only (within Directors' Report) | Quarterly (Section 302 with each 10-Q/20-F for FPIs) |
| Scope | Broader: orderly conduct, asset safeguarding, fraud prevention, accuracy | Focused on financial reporting reliability |
| Framework reference | COSO referenced in ICAI Guidance Note (not statutory) | COSO widely used; SEC allows "suitable, recognised" framework |
| Regulator | NFRA (India) | PCAOB (US) |

Key divergence: India's IFC framework does not require quarterly certifications equivalent to SOX Section 302. The IFC obligation is discharged through the annual Directors' Report and statutory auditor's report.
Applicability Thresholds
IFC requirements apply to all companies under the Companies Act 2013, with specific exemptions for certain private companies:
- One Person Companies (OPC)
- Small Companies (paid-up capital ≤ INR 4 crore AND turnover ≤ INR 40 crore)
- Companies with turnover < INR 50 crore AND aggregate borrowings < INR 25 crore
Indian subsidiaries of UK-listed companies with significant operations typically exceed these thresholds and are subject to full IFC reporting.
Leveraging IFC Compliance for SOX Purposes
If an Indian subsidiary already has a robust IFC programme in place, much of the documentation, control testing, and risk assessment can be mapped and reused during the SOX audit, reducing duplication and cost.
Both frameworks align on the COSO Internal Control—Integrated Framework, which defines five components of internal control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
The ICAI Guidance Note on Audit of Internal Financial Controls (November 2014) explicitly references COSO and narrows the IFC definition to "internal financial controls over financial reporting" (IFC-FR) for auditor reporting purposes, closely mirroring SOX's focus. That said, gaps frequently appear in IT General Controls (ITGCs) and documentation granularity, where PCAOB auditors apply stricter evidentiary standards than their Indian counterparts.
The Role of NFRA
The National Financial Reporting Authority (NFRA) was established on 1 October 2018 under Section 132 of the Companies Act 2013. NFRA oversees auditors of companies listed in India or those exceeding specified thresholds (e.g., paid-up capital ≥ INR 500 crore).
For UK companies with US SEC filing obligations, one distinction carries practical weight:
- NFRA governs statutory audits under the Companies Act 2013 — a separate, independent body with no jurisdiction over US filings
- PCAOB governs audits for US SEC purposes — a statutory audit filed with NFRA does not satisfy PCAOB requirements
For SEC filings, audits must be performed by a PCAOB-registered firm in accordance with PCAOB auditing standards. The two regulators operate under entirely different legal frameworks, and compliance with one does not substitute for the other.
Key SOX Audit Requirements for UK Companies' Indian Subsidiaries
Section 302 Obligations in the Indian Context
CEOs and CFOs of the UK parent must certify the accuracy of consolidated financials that include Indian operations. This means Indian finance leads must supply accurate, timely data and sign off on sub-certifications.
The sub-certification process typically involves:
- Indian CFO or Finance Director signing a representation letter
- Certifying the accuracy of financial data submitted to the parent
- Confirming the adequacy of ICFR within the Indian entity
- Disclosing any material weaknesses or significant deficiencies
- Establishing clear accountability within the Indian entity
Establishing this chain of responsibility early is critical—it ensures the parent's CEO/CFO can rely on Indian operations when making their own certifications under penalty of criminal prosecution.
Once the sub-certification chain is in place, the next layer of compliance focuses on how management evaluates the controls themselves.
Section 404 Obligations for India
Management must assess the effectiveness of ICFR over Indian operations and include the results in the annual report. For Indian subsidiaries—particularly those undergoing SOX compliance for the first time—this assessment uses the five components of the COSO framework as the standard evaluation structure recognised by PCAOB-registered auditors:
- Control Environment: Tone at the top, ethics, competence, organisational structure
- Risk Assessment: Identifying and analysing risks specific to the Indian entity's financial reporting processes
- Control Activities: Policies and procedures that ensure management directives are carried out (approvals, authorisations, verifications, reconciliations)
- Information and Communication: Systems that capture and exchange information needed to conduct and control operations
- Monitoring: Ongoing evaluations of control performance — particularly important where Indian entities report into a UK parent on quarterly cycles

IT General Controls (ITGCs) Specific to Indian Operations
UK companies often run ERP systems (SAP, Oracle) across their global entities, but Indian subsidiaries may use localised systems or hybrid configurations.
SOX ITGC testing must cover Indian systems handling financially significant data, including:
- Access controls: User provisioning, password policies, segregation of duties
- Change management: Development, testing, approval, and migration of system changes
- Data backup and recovery: Business continuity and disaster recovery procedures
Even if systems are partially managed from the UK, controls must be tested where data is processed and stored—including Indian servers and cloud environments.
Deloitte's 2024 analysis found that 61% of companies disclosing material weaknesses had a technology component, with ITGC failures (specifically access and change management) among the most common categories.
Documentation Standards Expected During a SOX Audit
PCAOB-registered auditors require comprehensive, granular evidence:
- Process narratives: Detailed walkthroughs of key financial processes
- Risk-control matrices (RCMs): Mapping of risks to control activities
- Evidence of control testing: Screenshots, system logs, approval records, reconciliations
- Management's remediation logs: Tracking of identified deficiencies and corrective actions
Documentation gaps are the most common audit finding for first-year SOX programmes in Indian entities. The same Deloitte analysis found that 98% of material weaknesses disclosed in the past 12 months had a documentation component—making this the single highest-risk area for Indian subsidiaries building their SOX programme from scratch.
Common Challenges UK Companies Face with SOX Compliance in India
Auditor Availability Problem
The pool of PCAOB-registered audit firms with India offices is small and geographically concentrated. UK companies sometimes face delays sourcing a suitable component auditor, especially outside major metros.
Identify and engage a PCAOB-registered component auditor 6-9 months before your first SOX audit cycle. The PCAOB registered firms database lets you filter by "Country: India" to identify available firms.
Dual-Compliance Burden
Indian entities must simultaneously satisfy:
- Indian statutory audit requirements (Companies Act 2013 and Income Tax Act)
- IFC requirements (Sections 134 and 143)
- SOX requirements (Sections 302 and 404)
Your compliance team will likely find itself managing overlapping frameworks with different timelines and evidence standards — a genuine strain on resources.
Build a unified compliance calendar that synchronises Indian statutory deadlines (typically 30 September for annual filings) with the parent's SOX timeline (typically tied to the US fiscal year-end). This single step eliminates many last-minute scrambles.
Communication and Time-Zone Coordination Challenges
Misalignment on documentation formats, terminology differences (for example, "materiality" thresholds interpreted differently), and delayed sign-off cycles frequently cause bottlenecks.
Establish a dedicated India-side SOX coordinator role — a senior finance or compliance professional responsible for:
- Liaising between the Indian entity and UK parent
- Managing documentation and control testing schedules
- Coordinating with component auditors
- Ensuring timely sub-certifications
Staffing Challenges
KPMG data shows that 64% of material weaknesses involve inadequate personnel operating controls. Indian subsidiaries often lack SOX-experienced staff, particularly in ITGC and technical accounting areas.
Invest in training or hire personnel with prior SOX experience well before the audit cycle begins — this is consistently one of the highest-impact steps UK parent companies can take.
How to Prepare Your Indian Operations for a SOX Audit
Practical Readiness Checklist
- Identify in-scope Indian entities early using the materiality threshold (consult with your PCAOB-registered auditor)
- Map existing IFC controls to SOX requirements—leverage the COSO framework overlap
- Appoint a PCAOB-registered component auditor at least 6-9 months in advance
- Establish a sub-certification process with clear accountabilities for Indian finance leads
- Create a unified compliance calendar synchronising Indian statutory deadlines with the parent's SOX timeline
- Document key financial processes with narratives, flowcharts, risk-control matrices, and process owners
- Test ITGCs covering access, change management, and data backup for Indian systems

The Value of a Pre-Audit Gap Assessment
Before the formal SOX audit begins, UK companies should commission an internal readiness review of their Indian operations—assessing:
- Maturity of controls (design and operating effectiveness)
- Quality and granularity of documentation
- ITGC coverage (access controls, change management, backups)
- Availability of trained personnel
- Gaps between IFC and SOX requirements
Companies can then remediate deficiencies before external auditors arrive—avoiding the material weakness findings that carry the heaviest reputational and regulatory consequences.
Moss Adams found that material weakness rates spiked to over 26% of filers in 2021-2022, and that over 60% of all adverse reports come from repeat filers—underscoring the importance of proactive remediation.
How VJM Global Can Help
Those repeat-filer statistics make one thing clear: remediation needs to happen before auditors arrive, not after. VJM Global works alongside UK finance teams to make that possible. The team can:
- Assess Indian entities for gaps against PCAOB evidentiary standards
- Align IFC and SOX frameworks to reduce duplication
- Document financial processes and controls to PCAOB evidentiary standards
- Liaise with PCAOB-registered auditors and coordinate multi-location audits
- Train Indian finance teams on SOX requirements and sub-certification accountability
With 30+ years of India-specific experience and 250+ UK businesses served, VJM Global gives UK finance teams a local expert who already knows the terrain.
Frequently Asked Questions
Is a SOX audit applicable in India?
India does not enforce SOX domestically—the PCAOB has no direct jurisdiction inside India. However, Indian subsidiaries of UK companies listed on US exchanges fall within the SOX scope of the parent's consolidated audit, making SOX compliance obligations practically applicable to those Indian operations.
What is the equivalent of SOX in India?
India's Internal Financial Controls (IFC) framework under Sections 134(5)(e) and 143(3)(i) of the Companies Act 2013 is the closest domestic equivalent. It mandates board-level assertions and external auditor reporting on the adequacy and operating effectiveness of internal financial controls.
What is SOX compliance for financial reporting?
SOX compliance requires companies to implement, document, test, and annually certify effective internal controls over financial reporting (ICFR). This ensures that financial statements filed with the US SEC are accurate, complete, and free of material misstatement.
What is the difference between SOX 302 and 404 certification?
Section 302 requires CEOs and CFOs to personally certify the accuracy of each quarterly and annual financial report. Section 404 requires an annual management assessment and external auditor attestation of the effectiveness of internal controls over financial reporting.
Is a SOX certification worth it in India?
For Indian entities in scope, SOX compliance is a legal obligation with real consequences for non-compliance. Beyond the regulatory requirement, the discipline it builds—stronger controls, cleaner documentation, and reduced fraud risk—delivers measurable operational and governance value.
Who signs a SOX certification?
The CEO and CFO of the publicly listed parent company are required to sign SOX certifications under Sections 302 and 404. Indian subsidiary finance leads typically provide supporting sub-certifications that feed into the parent's formal sign-off.
Ready to prepare your Indian operations for SOX compliance? VJM Global's experienced team can assess your readiness, align your controls, and reduce your audit risk. Contact us at info@vjmglobal.com or call +91 9213397070 to schedule a consultation.


