Sarbanes-Oxley compliance extends far beyond the accounting department. Section 404 requires that management assess and report on the effectiveness of internal controls over financial reporting (ICFR) — and in modern organizations, nearly every financial process runs through IT systems. That makes IT General Controls (ITGC) a critical component of SOX compliance.
For IT teams at financial services firms, accounting practices, and any publicly traded company, SOX means your access controls, change management processes, backup procedures, and system operations are subject to external audit every year. This guide explains what auditors expect and how to build sustainable ITGC practices.
Understanding ITGC in the SOX Context
IT General Controls are the foundation that supports the reliability of automated financial processes and reports. Without effective ITGC, auditors cannot rely on any system-generated financial data — which means they'll need to test everything manually (expensive) or issue a material weakness finding (very expensive).
ITGC is organized into four domains:
- Access to Programs and Data — Who can access financial systems and data, and how is access managed?
- Program Changes — How are changes to financial applications and systems controlled?
- Program Development — How are new systems and major changes developed and implemented?
- Computer Operations — How are systems operated, monitored, and maintained?
Domain 1: Access to Programs and Data
Access controls are the most heavily tested ITGC domain. Auditors want to see that only authorized individuals can access, modify, or delete financial data.
User Access Management
- Provisioning: Documented process for granting access. Access requests must be approved by the data owner (not just IT). Approval records must be retained.
- Role-based access: Access should be granted based on job function, following the principle of least privilege. Document role definitions and the access each role receives.
- Segregation of duties (SoD): No single person should be able to initiate and approve a financial transaction. Map SoD conflicts across all financial systems and implement preventive controls.
- Periodic access reviews: Conduct formal reviews of all user access to financially significant systems. Quarterly is typical for high-risk systems and semi-annual for others; whatever cadence you choose, write it into policy, because auditors test against your stated frequency and will also ask what happened to the exceptions each review found.
- Termination procedures: Access must be revoked promptly when employees leave or change roles. Document the process and evidence that it's followed. Auditors test revocation against the window your policy defines; same-day (or within 24 hours) is the common expectation, and the evidence is the HR termination timestamp next to the account-disable timestamp for each sampled leaver. Role changes matter as much as departures: a transferred employee who keeps the old role's access is the classic source of accumulated SoD conflicts.
- Privileged access: Admin and elevated access must be strictly limited and monitored. Privileged access should require additional approval and be reviewed more frequently.
What auditors sample: New hires from the audit period — did they have approved access requests? Terminated employees — was access revoked on time? Current access lists — do they match approved roles? Privileged accounts — are they justified and monitored?
Governed execution automates access control evidence by logging every provisioning event with the requester, approver, timestamp, and access granted — exactly the evidence auditors need.
Authentication Controls
- Password policy: Minimum length and complexity requirements, lockout after failed attempts, and a rotation schedule if you use one. Periodic rotation is no longer recommended by NIST SP 800-63B when credentials are screened against known-compromised lists, but whichever position you take must be written down and enforced consistently, because auditors test the policy you documented.
- Multi-factor authentication: Required for remote access and all admin/privileged accounts. Increasingly expected for all access to financial systems.
- Service accounts: Application-to-application accounts must have strong, unique credentials, a documented owner, and regular credential rotation. They should be non-interactive (no human logon) and stored in a secrets manager rather than in scripts or config files, so that nobody can act under a service identity without an attributable session.
Domain 2: Program Changes (Change Management)
Change management controls ensure that modifications to financial systems are authorized, tested, and properly implemented. This prevents unauthorized changes that could affect the integrity of financial data.
- Change request process: All changes to in-scope systems must be formally requested, with a description of the change, business justification, and risk assessment.
- Approval workflow: Changes must be approved by both a business owner and IT management before implementation. Emergency changes need post-implementation approval.
- Testing requirements: Changes must be tested in a non-production environment. Test results must be documented and approved before production deployment.
- Separation of environments: Development, testing, and production environments must be separate. Developers should not have direct access to production systems.
- Deployment controls: Production deployments must be performed by personnel who did not develop the change (separation of duties). Deployment records must include who deployed what and when.
- Rollback procedures: Every change must have a documented rollback plan in case the change causes problems.
What auditors sample: A selection of changes from the audit period. For each: Is there a request? Was it approved before implementation? Was it tested? Who deployed it? Is there evidence of post-deployment verification?
Domain 3: Program Development
When new systems are implemented or major changes are made, additional controls apply:
- Requirements documentation: Business requirements must be documented and approved.
- Design review: System design should be reviewed for security, compliance, and business alignment.
- User acceptance testing: Business users must formally test and accept the system before go-live.
- Data migration controls: If data is migrated, reconciliation must verify completeness and accuracy.
- Go-live approval: Final approval from business and IT leadership before the system goes into production.
Domain 4: Computer Operations
Operational controls ensure that financial systems are reliable, available, and recoverable.
- Backup and recovery: Financial data must be backed up regularly. Backup success/failure must be monitored. Restore tests must be performed and documented (quarterly recommended).
- Job scheduling: Automated batch jobs (financial report generation, data feeds, reconciliations) must be monitored. Failures must be investigated and resolved.
- Incident management: IT incidents affecting financial systems must be tracked, resolved, and documented. Root cause analysis should be performed for significant incidents.
- Physical and environmental controls: Server rooms must have appropriate access controls, fire suppression, temperature monitoring, and power backup.
- Disaster recovery: DR plans must exist for all financially significant systems. Plans must be tested annually.
Scoping: Which Systems Are In-Scope?
Not every IT system falls under SOX ITGC. In-scope systems are those that:
- Process financial transactions (ERP, billing, accounts payable/receivable)
- Generate financial reports (reporting tools, data warehouses)
- Store financial data (databases, file systems, cloud storage)
- Control access to any of the above (Active Directory, identity providers, VPN)
- Support the IT infrastructure underlying financial systems (operating systems, databases, networks)
Common in-scope systems: ERP (QuickBooks, NetSuite, SAP), billing platforms, banking portals, payroll systems, tax preparation software, CRM (if tied to revenue recognition), email (if used for financial approvals), Active Directory, cloud identity providers.
Common SOX ITGC Deficiencies
Based on PCAOB inspection reports and industry experience, these are the most common findings:
- Incomplete access reviews — Reviews that don't cover all in-scope systems, or reviews where identified issues weren't remediated.
- SoD conflicts — Users who can both create and approve transactions, or developers with production access. These often arise from role creep after internal transfers rather than from a bad initial provisioning decision.
- Inadequate change management evidence — Changes deployed without documented approval or testing.
- Stale accounts — Active accounts belonging to terminated employees or unused service accounts.
- Missing backup test evidence — Backups run but restore tests aren't performed or documented.
- Generic/shared accounts — Accounts used by multiple people, destroying individual accountability.
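The Domain 1 sampling questions (approved access for joiners, timely revocation for leavers, SoD conflicts, justified privileged and service accounts) and the Domain 2 sampling questions (request, prior approval, test evidence, deployer distinct from developer) are all reconciliations between two data sets, so they can be run continuously rather than reconstructed at audit time. The script below is an added example, not tooling from the article or from any product it names. Every data set in it is constructed: the HR termination feed, the identity-provider account export, the change records and the deployment log, along with the role names used for the SoD matrix. It reports exactly the exceptions listed above: accounts still enabled (or disabled late) after termination, accounts holding both halves of a conflicting role pair, accounts with no documented owner, and deployments lacking a change record, prior approval, test evidence, or separation between developer and deployer.

```python
# Hypothetical ITGC exception checks over constructed sample data (added example).
# In practice HR, ACCOUNTS, CHANGES and DEPLOYMENTS would be pulled from the
# HRIS, the identity provider, the ticketing system and the deployment pipeline.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed HR feed: employee id -> termination date (None = still employed).
HR = {"e100": None, "e101": date(2024, 3, 4), "e102": date(2024, 3, 11), "e103": None}


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]          # employee id; None means no documented owner
    enabled: bool
    disabled_on: Optional[date]   # when the account was disabled, if ever
    roles: frozenset


# Constructed identity-provider export.
ACCOUNTS = [
    Account("alice", "e100", True, None, frozenset({"ap.invoice.create"})),
    Account("bob", "e101", True, None, frozenset({"ap.invoice.approve"})),        # owner left, still enabled
    Account("carol", "e102", False, date(2024, 3, 13), frozenset({"gl.post"})),    # disabled two days late
    Account("dave", "e103", True, None, frozenset({"ap.invoice.create", "ap.invoice.approve"})),  # SoD
    Account("svc_reports", None, True, None, frozenset({"gl.read"})),             # no documented owner
]

# Hypothetical SoD matrix: role pairs one person must never hold together.
SOD_PAIRS = [("ap.invoice.create", "ap.invoice.approve"), ("vendor.create", "ap.payment.release")]


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str
    emergency: bool
    approved_at: Optional[datetime]   # business + IT approval, None if missing
    tested: bool                      # documented non-production test evidence


@dataclass(frozen=True)
class Deployment:
    change_id: Optional[str]          # None = deployment with no linked change record
    deployed_by: str
    deployed_at: datetime


# Constructed change records and deployment log.
CHANGES = {
    "CHG-1": Change("CHG-1", "alice", False, datetime(2024, 3, 5, 10), True),
    "CHG-2": Change("CHG-2", "alice", False, datetime(2024, 3, 8, 9), True),   # approved after deploy
    "CHG-3": Change("CHG-3", "dave", True, None, False),                       # emergency, never approved
    "CHG-4": Change("CHG-4", "dave", False, datetime(2024, 3, 9, 8), True),    # deployed by its developer
}
DEPLOYMENTS = [
    Deployment("CHG-1", "ops1", datetime(2024, 3, 5, 14)),
    Deployment("CHG-2", "ops1", datetime(2024, 3, 7, 16)),
    Deployment("CHG-3", "ops2", datetime(2024, 3, 9, 1)),
    Deployment("CHG-4", "dave", datetime(2024, 3, 9, 12)),
    Deployment(None, "ops1", datetime(2024, 3, 10, 11)),
]


def stale_accounts(hr, accounts, grace_days=0, as_of=date(2024, 4, 1)):
    """(username, days_late) for accounts not disabled by termination + grace.
    Still-enabled accounts are counted as late up to as_of."""
    findings = []
    for acct in accounts:
        term = hr.get(acct.owner)          # None for active owners and unowned accounts
        if term is None:
            continue
        deadline = term + timedelta(days=grace_days)
        if acct.enabled:
            findings.append((acct.username, (as_of - deadline).days))
        elif acct.disabled_on > deadline:
            findings.append((acct.username, (acct.disabled_on - deadline).days))
    return findings


def sod_conflicts(accounts, pairs):
    """Accounts holding both halves of a conflicting role pair."""
    return [(a.username, x, y) for a in accounts for x, y in pairs if {x, y} <= a.roles]


def unowned_accounts(accounts):
    """Accounts with no documented owner (shared or orphaned service accounts)."""
    return [a.username for a in accounts if a.owner is None]


def change_exceptions(changes, deployments):
    """Deployments missing the evidence auditors sample for each change.
    Emergency changes may be approved after deployment but must still be approved."""
    findings = []
    for dep in deployments:
        chg = changes.get(dep.change_id) if dep.change_id else None
        if chg is None:
            findings.append((dep.change_id, "no change record"))
            continue
        if chg.approved_at is None:
            findings.append((chg.change_id, "no approval"))
        elif not chg.emergency and chg.approved_at > dep.deployed_at:
            findings.append((chg.change_id, "approved after deployment"))
        if not chg.tested:
            findings.append((chg.change_id, "no test evidence"))
        if dep.deployed_by == chg.developer:
            findings.append((chg.change_id, "deployed by its developer"))
    return findings
```

Against the constructed data, `stale_accounts` flags bob (still enabled 28 days past termination) and carol (disabled two days late), `sod_conflicts` flags dave, `unowned_accounts` flags svc_reports, and `change_exceptions` flags CHG-2, CHG-3, CHG-4 and the orphan deployment. The `grace_days` parameter is the revocation window your policy states; set it to whatever you documented, because that is the number the auditor will test against. Each finding carries the account or change identifier so it can be attached to a ticket and its remediation tracked, which is the part of an access review auditors most often find missing.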
Building Sustainable ITGC Practices
The key to sustainable SOX compliance is automation. Manual processes are error-prone, expensive, and don't scale. Focus on:
- Automated access provisioning and deprovisioning — Tie access management to HR systems. When someone is hired, transferred, or terminated, access changes should flow automatically, and the HR event timestamp and the resulting account change should be logged together so the revocation window is provable for every leaver.
- Automated access reviews — Generate access reports automatically and route them to managers for review. Track remediation of identified issues to closure; a review that finds a conflict and never removes it is itself a finding.
- Automated change tracking — Use tools that automatically log code deployments, configuration changes, and system updates.
- Continuous monitoring — Instead of point-in-time testing, implement continuous monitoring of key controls. Flag exceptions in real time rather than discovering them during annual audit.
TechManager AI's compliance dashboard provides continuous monitoring of ITGC controls across your in-scope systems. Every IT action flows through governed execution, creating automatic evidence of access controls, change management, and operational procedures. The result: audit preparation drops from weeks to hours.
Next Steps
Start by identifying your in-scope systems and mapping current ITGC controls to each domain. Prioritize gaps by audit risk — access control deficiencies are the most commonly cited and should be addressed first. If you're in financial services, book a demo to see how TechManager AI automates ITGC evidence collection and continuous monitoring.