
SOX Compliance: Eleven Essential Controls for SMBs

Small and medium-sized businesses (SMBs) can benefit from implementing control objectives for governance, compliance, and increased security. The Securities and Exchange Commission's (SEC) recent Sarbanes-Oxley (SOX) announcement puts an end to several years of speculation, so SMBs need to keep their control game in check.

Executive Summary

Sarbanes-Oxley (SOX) is here to stay for small and medium-sized businesses (SMBs), which the Securities and Exchange Commission (SEC) defines as any publicly traded company with less than $75 million in market capitalization. Despite the fact that audit standards have been adapted for smaller organizations, many SMBs still need to prioritize and strengthen internal IT controls that protect information assets. The Information Systems Audit and Control Association (ISACA) is the organization that sets standards for auditing and grants certification to auditors. New studies from ISACA identify the most important superior controls for SMEs. This research note discusses:

» The latest SOX developments in the SME space.
» Main findings of the ISACA study.
» What tactics can SMBs use to satisfy internal IT controls.

SMBs need to implement control objectives for compliance and increased security, but have limited means to do so. The ISACA study prioritizes the most important IT controls so SMBs can best manage their control game.

The Sarbanes-Oxley (SOX) Optimization Point was adopted in 2002 as an anti-fraud measure in the wake of major accounting scandals such as Enron and WorldCom. Until recently, the Securities and Exchange Commission (SEC) applied the same SOX audit practices to all companies, regardless of their size, infrastructure, level of risk, or available resources. As long as it was publicly traded, regardless of whether the market capitalization was less than $75 million or more than $100 billion, the same rules and auditing standards applied to all companies.