Section 404 of the Sarbanes-Oxley Act requires listed companies to assess, document, and report on the effectiveness of their internal controls over financial reporting. For most organisations, the IT component of this assessment is the most resource-intensive element — and frequently the element where weaknesses are identified that affect the overall SOX opinion.
Yet many technology teams approach their SOX IT audit obligations with limited understanding of what external auditors are actually examining, and why. The result is reactive preparation, last-minute evidence scrambles, and findings that could have been avoided with earlier and better-structured attention to the underlying controls.
The Logic of SOX IT Audit
SOX Section 404 is concerned with the reliability of financial reporting. The logic connecting IT controls to financial reporting reliability runs as follows: financial statements are produced by systems that process financial data. If those systems are poorly controlled — if access is inadequate, if changes are made without proper oversight, if processing jobs are not monitored — then the data the systems produce may be inaccurate or incomplete. If the data is unreliable, the financial statements built on it are unreliable.
IT general controls are the foundational controls that underpin the reliability of IT-processed financial data. When external auditors assess SOX Section 404 compliance, they rely on ITGCs as the basis for their reliance on IT-processed data. Where ITGCs are weak or have deficiencies, auditors must extend their substantive testing — and may be required to report material weaknesses or significant deficiencies.
What the External Auditor Examines
External auditors conducting a SOX IT audit are not conducting a general cybersecurity review. They are specifically examining whether the IT controls relevant to financial reporting are designed and operating effectively. Their scope is typically limited to:
Systems that are in scope for financial reporting — financial ERP systems, consolidation tools, payroll systems, revenue recognition systems, and the infrastructure that supports them. Systems that are out of scope for financial reporting (HR systems with no financial components, customer service platforms, development environments) are typically not examined in a SOX IT audit.
IT general controls in the four standard domains: access management, change management, IT operations (particularly job scheduling and monitoring), and system acquisition/development. Within these domains, auditors focus on the controls that are most relevant to financial data integrity — specifically, access controls over financial data, change management for financial systems, and the completeness and accuracy of financial processing runs.
The Most Common SOX IT Findings
Based on experience across multiple sectors and organisations, the most frequently identified SOX IT findings involve: excessive privileged access to financial systems and databases (developers with production access, shared admin accounts, former employees with active access); inadequate segregation of duties in access provisioning for financial systems; change management processes that allow changes to financial systems without complete testing and authorisation documentation; and monitoring gaps where financial processing failures are not detected and resolved systematically.
A less obvious but frequently found weakness is the access review. Many organisations conduct annual access reviews for their financial systems — but the access review process itself is weakly controlled. If the review output is not documented, if the reviewer is not independent from the access owner, or if access is not removed promptly following review, the control does not operate effectively even if it nominally exists.
Preparing Effectively for SOX IT Audit
The organisations that navigate their SOX IT audit most effectively are those that prepare continuously rather than reactively. Their ITGC documentation is current and retrievable. Their access review processes produce documented, dated evidence. Their change management records are complete and consistent. Their privileged access is managed and monitored.
Organisations that prepare only in the weeks before the audit window spend significant effort reconstructing evidence and addressing gaps under time pressure. Some gaps cannot be remediated in time — a privileged access problem discovered in October for a November audit cannot be evidenced as an operating control for the full year. Historical control failures cannot be undone; they can only be disclosed and explained.
At Bitsecura, our IT audit team has extensive experience supporting organisations through SOX IT audit cycles — both in preparing for external auditor review and in conducting independent ITGC assessments that identify weaknesses before the external auditors find them. If you want to understand the state of your SOX IT controls, talk to us here.
Bitsecura provides IT audit, IT general controls review, and cybersecurity assurance services. Learn more about our IT audit services.