The congress of the United States passed the Sarbanes-Oxley act (SOA) in 2002 to regulate the accounting and auditing practises of publicly traded companies in the United States. A major component of the SOA is the establishment of a new entity, the public corporation accounting overview board (PCAOB) to set public accounting standard and to oversee individual public accounting companies. The SOA requires that each annual financial report contains an internal control report, which states the responsibilities of the management for establishing and maintaining an adequate internal control structure and procedures as well as an evaluation of the effectiveness of these controls form an independent auditor. The companies need to define the internal control in their organisations to be able to evaluate their control system and to determine how to improve them. This research paper is focusing on a public company originating from the United States. As a public company, it has to fulfil the new internal control requirements. The studied company defines its internal control by the definition of the committee of sponsoring organisations (COSO). The research has been delimited to the shared service centre (SSC) of the company located in Europe. The SSC is a financial service provider for the company’s entities in Europe, Middle East, and Africa (EMEA) region. The aim of the research paper is to describe the change of internal control caused by the SOA in the company and to enhance the understanding of it. The authors have used qualitative methods to fulfil the aim of the research. Together eight research interviews and one informant interview were conducted in the SSC of the company. With the help of theories of change process, institutionalisation, ethics, trust, subcultures and the organisation described as a metaphor the authors have analysed the empirical results. The results of the research show that the resources put into the implementation process were underestimated in terms of time and people. Furthermore, the information has been directed only to the management and team leader level of the organisation. This has prevented the implementation of internal control change. However, the management and team leader level share a common understanding of the vision of the change and the institutionalisation process has already started in the higher level of the organisation. The lack of information for the team members has further caused the controlling need to the operational level. This is because the values behind the change have not yet been institutionalised. Segregation of duties has increased bureaucracy in the organisation. Moreover, increased bureaucracy has caused a heavy workload for the managers in the form of approvals. This can be seen as a risk for the good controls, because the managers are lack of time reviewing all the documents. In addition the attention might concentrate on the controls instead of the business. The entities of the company which are in scope of the SOA are more aware of the new internal control requirement than the entities which are not in scope. The different level of knowledge can cause problems in the cooperation between the SSC and the entities and prevent implementation of the change in the whole company. The company has done efforts to institutionalise ethics in its organisation in various ways. This has raised the level of understanding of ethical values and supports the implementation of the internal control change and its institutionalisation. Furthermore, there is an understanding of the benefits of the SOA requirements among the employees, which has helped the transformation process of the internal control.