Second Line Ready: When to Rebuild, When to Rightsize

Some SOX and internal audit (IA) programs need to be built — or rebuilt — from the ground up. Others are structurally sound but suffer from bloat, inefficiency or inconsistent execution.
The challenge for senior leaders? It’s knowing which category your program falls into and taking action before the next audit cycle locks you into another year of frustration, fire drills or wasted effort.
If you are charged with governing SOX and IA programs, whether as a chief financial officer (CFO), chief accounting officer (CAO), controller, internal audit leader or compliance professional, perhaps you’ve wondered, “Why does this take so much time?” or “Am I even getting what I want out of this?” You’re not alone.
Whether you need a fresh start or a smarter path forward, the key is recognizing what kind of problem you’re solving.
The Real Decision: Rebuild or Rightsize
SOX and IA programs often fall into one of two camps:
- Nonexistent or fundamentally broken: There’s no cohesive program, ownership is unclear, controls aren’t designed around the business or the external auditor is effectively running the show. These situations require a rebuild, whether it’s a first-time standup or a ground-up reset after years of dysfunction.
- Overbuilt or poorly executed: The program technically exists, but it’s bloated, manual, inconsistent or overly complex. You’re testing too much, documenting inefficiently or chasing findings that don’t actually reduce risk. These programs don’t need to be rebuilt. They need to be rightsized around clarity, efficiency and accountability.
Many programs include pieces from both categories. However, knowing where the core problem lives — structure or execution — is the difference between improvement and wasted effort.
Rebuild: When the Foundation Isn’t There
Rebuilding doesn’t always mean starting from zero. It does mean facing the reality that what exists today can’t carry you forward. This category includes first-time builds, post-spinout standups or major overhauls where design and ownership are misaligned from the start. In this situation, it’s important to:
- Start with the business, not the risk universe
- Set expectations around materiality and effort
- Treat control ownership as a leadership decision
- Reset the relationship with your external auditor
- Avoid replicating what didn’t work
A rebuild isn’t just about structure. It’s about credibility with your team, your auditors and the business. If you can do this right, execution gets easier from day one.
Rightsize: When the Program Exists but Isn’t Working
Plenty of programs don’t need a rebuild. Instead, they need a reset. These are programs with real structure but flawed delivery. In this situation, organizations should:
- Rightsize what’s grown out of proportion or was never a fit
- Fix the root causes, not just the pain points
- Make expectations unmistakably clear
- Refocus on business alignment, not box checking
- Streamline your testing and evidence strategy
Rightsizing isn’t about being lean for its own sake. It’s about making the program sustainable, respected and useful to the people running it. That means not focusing on doing less, but on doing what matters with purpose, clarity and pride.
How to Know Where You Stand
Before rebuilding or rightsizing, you need a clear picture of where things stand presently. While there’s no perfect checklist, these questions can help you quickly surface what’s working and what’s not:
- If we had to justify every control to the CFO, would we keep them all?
- Do our control owners actually understand their responsibilities?
- Are we confident in our foundation, or are we just managing around the gaps?
- Do we spend more time managing findings than managing the program?
- Is the current level of effort proportionate to the risk it addresses?
Final Thoughts
The best SOX and IA programs don’t just pass audits. They create confidence in processes, people and the financials that leadership approves every quarter. That confidence can be built and rebuilt if you’re honest about what’s broken, what’s bloated and what’s no longer necessary.
If you’re a CFO, ask, “Is this program giving me what I actually want?” If the answer is no, then the fix isn’t always more effort — it’s smarter structure and better alignment. A strong program should deliver more than just a clean opinion. It should provide fewer surprises, clearer risk visibility, smoother auditor relationships and a team that solves problems before they escalate.
Have you ever looked at your program and quietly wondered, “Are we doing too much?” That’s not a red flag but a leadership instinct. It’s also just as important to ask: “Are we focused on doing the right things and doing them well?” Knowing when to rebuild and when to rightsize isn’t about choosing the right playbook. It’s about leading with intention with your business, your risk and your people top of mind.
Ready to rebuild or rightsize your SOX or internal audit program? Contact us. Weaver can help you create a stronger, more sustainable path forward.
©2025
Second Line Ready Series
This article is part of a series for professionals who govern, oversee or operate the second line — whether that means leading internal audit or SOX, owning key risks or serving as a strategic partner in finance or compliance. From CFOs and controllers to audit directors and risk managers, this series delivers practical strategies, emerging risk insights and real-world guidance to strengthen oversight, improve existing programs and position the second line as a value-added function within the business.
