Overview
The Sarbanes-Oxley Act (SOX) requires publicly traded companies to maintain effective internal controls over financial reporting. While SOX itself does not prescribe specific IT controls, IT General Controls (ITGCs) underpin the reliability of financial applications and data. External auditors evaluate ITGCs as part of every SOX audit because weaknesses in IT controls can directly impact the integrity of financial statements. This checklist focuses on the four ITGC domains that auditors examine and what your IT and security teams need to have in place.
ITGC Domains
| Domain | Focus | Key Controls |
|---|---|---|
| Access to Programs and Data | Logical security | User access management, authentication, privileged access, periodic access reviews, segregation of duties |
| Change Management | System changes | Change request and approval workflows, testing and validation, segregation of duties between development and production, emergency change procedures |
| Computer Operations | System reliability | Job scheduling, batch processing, backup and recovery, incident management, system monitoring |
| Program Development | Application lifecycle | SDLC methodology, requirements documentation, testing standards, go-live approvals, project governance |
Access Controls Checklist
- Implement formal user access provisioning and deprovisioning procedures for all in-scope applications
- Conduct periodic access reviews (at least quarterly) for in-scope systems with management sign-off
- Implement segregation of duties (SoD) controls preventing individuals from having conflicting access
- Secure privileged and administrative accounts with enhanced authentication and monitoring
- Maintain access control matrices mapping roles to permissions for all financial applications
- Implement automated account disabling for terminated employees aligned with HR processes
- Log and monitor authentication events, failed login attempts, and privileged account activities
- Review and certify service account permissions periodically with documented business justification
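As an added example (not part of the original checklist), the following Python reconciliation shows what a reviewer can run before signing off a quarterly access review: it joins a constructed application account export against a constructed HR roster and SoD conflict matrix and flags the patterns the checklist items above call out (terminated users still enabled, accounts with no HR owner, conflicting role combinations, unjustified service accounts, overdue reviews). All account names, role codes and the 90-day threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inputs (not real data): an application's account export,
# the HR roster keyed by employee id, and the SoD conflict matrix.
APP_ACCOUNTS = [
    {"id": "alice", "kind": "user", "enabled": True,
     "roles": {"AP_INVOICE_ENTRY"}, "last_reviewed": date(2024, 3, 1)},
    {"id": "bob", "kind": "user", "enabled": True,
     "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "last_reviewed": date(2024, 3, 1)},
    {"id": "carol", "kind": "user", "enabled": True,
     "roles": {"GL_POST"}, "last_reviewed": date(2024, 3, 1)},
    {"id": "svc_etl", "kind": "service", "enabled": True, "roles": {"DB_ADMIN"},
     "last_reviewed": date(2023, 9, 1), "justification": ""},
    {"id": "finance_shared", "kind": "user", "enabled": True,
     "roles": {"GL_POST"}, "last_reviewed": date(2024, 3, 1)},
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}
SOD_CONFLICTS = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
                 frozenset({"GL_POST", "GL_APPROVE"})]
AS_OF = date(2024, 4, 15)  # assumed review date


def review_access(accounts, roster, sod_conflicts, today, max_age_days=90):
    """Return sorted (account_id, finding) pairs a reviewer must disposition."""
    findings = set()
    for acct in accounts:
        aid = acct["id"]
        if acct["kind"] == "user":
            status = roster.get(aid)
            if status is None:  # no HR owner: shared or generic credential
                findings.add((aid, "NO_HR_OWNER"))
            elif status == "terminated" and acct["enabled"]:
                findings.add((aid, "TERMINATED_STILL_ENABLED"))
        elif acct["kind"] == "service" and not acct.get("justification"):
            findings.add((aid, "SERVICE_NO_JUSTIFICATION"))
        for pair in sod_conflicts:
            if pair <= acct["roles"]:  # holds both sides of a conflicting pair
                findings.add((aid, "SOD_CONFLICT:" + "+".join(sorted(pair))))
        if today - acct["last_reviewed"] > timedelta(days=max_age_days):
            findings.add((aid, "REVIEW_OVERDUE"))
    return sorted(findings)


if __name__ == "__main__":
    for aid, finding in review_access(APP_ACCOUNTS, HR_ROSTER, SOD_CONFLICTS, AS_OF):
        print(f"{aid:15} {finding}")
```

Each finding must be dispositioned (remediated or documented as accepted) before the reviewer signs off; a sign-off with open findings is exactly the "incomplete access review" pattern auditors look for.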
Change Management Controls
Every change to in-scope systems must follow a documented process from request through deployment. Changes must be formally requested, reviewed, and approved before implementation. Testing must be completed in a non-production environment with documented results. Segregation of duties must ensure that developers cannot migrate their own code to production. Emergency changes must follow an expedited approval process with after-the-fact documentation and review. All changes must be traceable from the original request through deployment with an auditable trail. Change Advisory Board (CAB) or equivalent review is expected for significant changes to financial systems.
Computer Operations Controls
- Implement automated job scheduling with monitoring for successful completion of critical batch jobs
- Establish backup procedures for all in-scope systems with documented retention schedules and periodic restoration testing
- Deploy system monitoring for critical financial applications with alerting for availability issues
- Document and test disaster recovery procedures for systems supporting financial reporting
- Maintain environmental controls for data centers including power redundancy, fire suppression, and climate controls
- Implement incident management procedures for production issues affecting financial systems
- Conduct capacity planning to ensure system performance meets reporting deadlines
Common Audit Findings
SOX IT audit findings frequently involve the same patterns:
- Incomplete access reviews where management signs off without actually reviewing individual access rights
- Developers with production access that violates segregation of duties
- Service accounts with excessive permissions that are never reviewed
- Missing or insufficient documentation for changes deployed to production
- Backup restoration procedures that have never been tested
- Shared accounts or generic credentials used for financial applications
These findings can result in significant deficiencies or material weaknesses, the latter of which must be disclosed in financial statements.
Frequently Asked Questions
Which systems are in scope for SOX ITGCs?
In-scope systems include financial reporting applications (ERP, GL, billing), databases that store financial data, operating systems hosting those applications, network infrastructure providing access to those systems, and any middleware or integration layer transferring financial data between systems. The scope is determined by the financial audit team based on materiality.
Who is responsible for SOX IT controls?
Ultimately, the CEO and CFO certify the effectiveness of internal controls under SOX Section 302. Day-to-day responsibility typically falls on IT management, the information security team, and internal audit. Most organizations establish a SOX compliance program with dedicated coordination roles.
What is the difference between a material weakness and a significant deficiency?
A material weakness is a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement to the financial statements will not be prevented or detected. A significant deficiency is less severe but important enough to merit the attention of those responsible for oversight. Material weaknesses must be publicly disclosed.
How do cloud services affect SOX ITGC scope?
Cloud-hosted financial applications remain in scope for SOX. Your organization must obtain and review SOC 1 Type II reports from cloud service providers that host or process financial data. You must also implement complementary user entity controls (CUECs) identified in the SOC 1 report and maintain appropriate access controls for the cloud environment.
How often are SOX ITGCs tested?
External auditors test ITGCs annually as part of the financial statement audit. Management should test ITGCs throughout the year through internal testing programs. Quarterly access reviews, periodic change management walkthroughs, and monthly monitoring of key controls are standard practices.