SOX IT Compliance Checklist for Publicly Traded Companies and Their Technology Vendors

SOX IT Compliance Checklist for Publicly Traded Companies and Their Technology Vendors

What SOX IT Compliance Actually Requires—and Why IT Leaders Own More Than They Think

The Sarbanes-Oxley Act is commonly understood as a financial reporting law. That framing causes organizations to underestimate how deeply it reaches into IT infrastructure. Section 302 requires executives to certify the accuracy of financial reports. Section 404 requires management and external auditors to assess the effectiveness of internal controls over financial reporting. Both sections create direct, documented obligations for your IT department.

When financial data flows through enterprise systems—ERP platforms, databases, cloud services, middleware, and reporting tools—the controls governing those systems become SOX controls. That means IT general controls (ITGCs) are not optional additions to your compliance program. They are a core component auditors will test every year.

For compliance managers and executives at publicly traded companies, the practical question is not whether SOX applies to IT. It does. The question is whether your current IT environment can demonstrate compliance under scrutiny. This checklist is designed to help you find out.

The Four ITGC Domains Auditors Focus On

Most SOX IT audits organize their testing around four foundational ITGC domains. Deficiencies in any of these areas can escalate to material weaknesses that require public disclosure.

1. Access Controls

Access control is the most commonly tested and most frequently deficient ITGC domain. Auditors will verify that access to financial systems is limited to authorized personnel, that privileged access is tightly managed, and that terminated employees are removed promptly. This aligns closely with controls in ISO 27001, which provides a useful framework for structuring your access management program even outside formal certification requirements.

2. Change Management

Any change to a system that processes, stores, or transmits financial data must follow a documented, approved process. Auditors look for segregation of duties between developers and those who promote code to production, formal approval workflows, and rollback procedures. Undocumented emergency changes are a persistent audit finding.

3. IT Operations

This domain covers job scheduling, batch processing, monitoring, and incident management for financially relevant systems. Auditors want evidence that production jobs run reliably, that errors are detected and resolved, and that operations logs are retained.

4. Program Development and Implementation

New systems and significant enhancements to existing systems must go through a structured development lifecycle that includes testing, documentation, and formal sign-off before deployment to production environments.

SOX IT Compliance Checklist

Use the following checklist to assess your current posture across the key ITGC categories. Each item represents something auditors either test directly or request as supporting evidence.

Access Control Checklist

  • Maintain a current inventory of all users with access to financially relevant systems, including ERP, financial reporting tools, and supporting databases
  • Enforce role-based access control (RBAC) with access granted on a least-privilege basis
  • Document a formal access provisioning and deprovisioning process, including HR-to-IT notification workflows for terminations
  • Conduct and document periodic access recertification reviews—at minimum quarterly for privileged accounts, annually for standard users
  • Implement multi-factor authentication (MFA) for all administrative and remote access to in-scope systems
  • Segregate duties so that no individual can both initiate and approve financial transactions or system changes
  • Log and monitor privileged account activity, including shared or service accounts
  • Maintain audit trails for all access provisioning, modification, and revocation events

Change Management Checklist

  • Maintain a documented change management policy covering all in-scope systems
  • Require formal change request tickets with business justification, risk assessment, and approvals before implementation
  • Enforce segregation of duties between development, testing, and production environments
  • Prohibit developers from having direct access to production environments
  • Document and test rollback procedures for all significant changes
  • Retain records of all approved and rejected change requests for at least seven years
  • Implement an emergency change process that still requires after-the-fact documentation and approval

IT Operations Checklist

  • Document all batch jobs and scheduled processes that feed financial reporting systems
  • Implement automated monitoring and alerting for job failures or anomalous processing results
  • Maintain documented incident response procedures for financially relevant systems
  • Retain system and application logs sufficient to support audit inquiries—typically a minimum of one year online with longer-term archival
  • Conduct regular backup and recovery testing for all in-scope systems
  • Document and test business continuity procedures for systems supporting financial close processes

Program Development Checklist

  • Implement a formal System Development Life Cycle (SDLC) methodology with defined phases and gate approvals
  • Require user acceptance testing (UAT) with documented sign-off before production deployment
  • Maintain version control for all code affecting financially relevant systems
  • Document all system interfaces and data flows between in-scope applications
  • Conduct security testing as part of the development process, not as an afterthought

SOX IT Compliance Obligations for Technology Vendors

If your organization is a SaaS provider, cloud platform, or technology services company whose systems process data for publicly traded clients, your SOX exposure is real even though you are not publicly traded yourself. Your clients' auditors will assess the controls of any service organization deemed relevant to financial reporting.

The mechanism is typically a SOC 1 Type II report, which provides auditors with evidence that your controls are designed and operating effectively. If you cannot produce a current SOC 1 report, expect your clients to conduct their own complementary user entity control assessments—or worse, to terminate the relationship.

Technology vendors should also pay attention to how contractual obligations flow downstream. Your enterprise clients' SOX programs will often include vendor due diligence requirements, access termination timelines, and security incident notification obligations that must be reflected in your own IT compliance services framework.

How ISO 27001 Supports SOX IT Compliance

Organizations pursuing or maintaining ISO 27001 certification have a meaningful head start on SOX IT compliance. The ISO 27001 Information Security Management System (ISMS) framework addresses access control (Annex A.9), cryptography (Annex A.10), operations security (Annex A.12), and change management (Annex A.12.1) in ways that map directly to ITGC requirements.

ISO 27001 will not replace a SOX audit, but a mature ISMS provides the documented control environment, risk assessment process, and continuous monitoring discipline that SOX auditors want to see. Organizations that treat ISO 27001 as a compliance accelerator rather than a standalone certification exercise tend to perform better across multiple regulatory frameworks simultaneously.

For organizations operating across defense, healthcare, and commercial sectors, this multi-framework efficiency matters. Our compliance program development practice is specifically designed to build programs that address multiple requirements without duplicating effort.

Common SOX IT Findings That Escalate to Material Weaknesses

Understanding where programs most commonly fail helps compliance managers prioritize remediation. The following findings appear most frequently in audit reports and restatements:

  • Terminated user accounts not disabled within defined timeframes—often traceable to a broken HR-to-IT notification process
  • Excessive privileged access—developers or DBAs with production access that is not required for their job function
  • Undocumented emergency changes—changes applied directly to production with no ticket, approval, or post-implementation review
  • Inadequate segregation of duties in ERP configurations—particularly in smaller organizations where headcount creates pressure to consolidate roles
  • Insufficient logging and log retention—especially in cloud environments where default retention settings do not meet audit requirements
  • Failure to test backup and recovery—documentation exists but testing evidence does not

Each of these findings has a straightforward remediation path. The challenge is identifying them before your external auditors do. A structured assessment through our risk assessment services can surface these gaps before they become reportable deficiencies.

Building a Sustainable SOX IT Compliance Program

Sustainable SOX IT compliance is not achieved through a pre-audit scramble. It requires continuous control monitoring, ownership accountability, and documented evidence that accumulates throughout the year. The organizations that perform consistently well in SOX audits share three characteristics:

  1. Defined control ownership—every ITGC has a named owner who is responsible for operation and evidence collection, not just the annual audit response
  2. Automated evidence collection—wherever possible, system-generated reports, access review workflows, and change management tooling produce evidence automatically rather than through manual collection
  3. Integrated risk management—SOX IT risks are tracked in the same risk register as other operational and cyber risks, ensuring that remediation is prioritized and resourced appropriately

Organizations that also need to address cybersecurity frameworks alongside SOX will find value in reviewing how system security plans and plans of action can be structured to support multiple audit requirements simultaneously. Similarly, understanding data loss prevention controls can help organizations address both SOX audit trail requirements and broader data governance obligations in a single program.

For organizations in the financial sector managing both SOX and GLBA obligations, our financial institutions practice provides specialized guidance on meeting overlapping requirements without building redundant programs.

Take the Next Step Toward SOX IT Compliance Confidence

If your organization is preparing for an upcoming SOX audit, responding to a prior year finding, or building an IT compliance program from the ground up, Cleared Systems can help. Our team provides practical, evidence-based compliance support tailored to the real operational constraints your IT and compliance teams face. Request a quote today to discuss your SOX IT compliance needs with an experienced advisor, or explore our regulatory vCISO services to get ongoing compliance leadership without the cost of a full-time hire.

Social Share :


Search Blog

Categories