Knowledge Center / SOX ITGC
US SEC / PCAOB · United States

SOX IT General Controls (ITGC)

IT general controls supporting Sarbanes-Oxley financial-reporting compliance.

Introduction to SOX IT General Controls (ITGC)

The Sarbanes-Oxley Act of 2002 (SOX) was enacted by the United States Congress in the aftermath of the Enron, WorldCom and Tyco accounting scandals to restore investor confidence in the integrity of financial reporting by publicly listed companies. While SOX is fundamentally a financial-reporting statute, its most far-reaching operational impact on technology and security teams flows from Section 404, which requires management, and the company's external auditors, to assess and attest to the effectiveness of internal control over financial reporting (ICFR). Because virtually every financial figure in a modern enterprise is produced, transformed and stored by information systems, the reliability of those systems becomes a direct precondition for reliable financial statements. IT General Controls, commonly abbreviated ITGC, are the pervasive controls over the IT environment that give assurance that the applications, databases, operating systems and networks underpinning financial reporting operate consistently, completely and accurately over time.

This guide provides an auditor-grade deep dive into SOX ITGC as it is practised today under the supervision of the US Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). It is written for CIOs, CISOs, IT audit leaders, control owners, internal audit functions and the external assurance teams who must demonstrate, evidence and sustain effective general controls. The guidance draws on PCAOB Auditing Standard AS 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements), the COSO 2013 Internal Control - Integrated Framework which the SEC recognises as a suitable control framework, and the widely adopted COBIT control objectives. It is intended to be an original, practitioner-oriented reference, not a reproduction of any copyrighted standard text.

Copyright and standards note
SOX is US federal law and is in the public domain, but the frameworks used to design and audit ITGC - notably COSO 2013, COBIT (ISACA) and PCAOB Auditing Standards - are subject to copyright by their respective issuers (COSO, ISACA and the PCAOB). This guide paraphrases and interprets requirements in original language and does not reproduce protected text. Organisations must obtain licensed copies of COSO, COBIT and the PCAOB standards from their publishers to rely on the authoritative wording during a formal assessment or audit.

What is SOX ITGC

IT General Controls are the foundational, pervasive controls that operate across an organisation's IT environment and are relied upon to ensure the continued and proper operation of the automated and IT-dependent controls embedded within financial applications. Unlike application controls, which are specific to a single business process (for example, a three-way match in the accounts-payable module, or an automated credit-limit check in order entry), ITGC apply broadly and support the reliable functioning of many applications and controls simultaneously. If ITGC are weak, an auditor cannot place reliance on any automated control or system-generated report within the affected environment, because the possibility of unauthorised or erroneous change, access or processing cannot be ruled out.

In SOX terminology, ITGC are relevant to financial reporting because they support the completeness, accuracy, validity and restricted access (the CAVR assertions) of data flowing into the financial statements. They are typically organised into four foundational control domains: Access to Programs and Data (logical and physical security); Program Changes (change management); Program Development (acquisition and implementation of new systems); and Computer Operations (job scheduling, backup, incident and batch management). These four domains are the universally accepted pillars of an ITGC framework and are examined in depth throughout this guide.

A key concept is the distinction between the design effectiveness and the operating effectiveness of a control. Design effectiveness asks whether the control, if operating as intended, would prevent or detect a material misstatement. Operating effectiveness asks whether the control actually operated consistently throughout the reporting period. SOX ITGC audits test both, and because SOX requires assurance over a period (not a point in time), sampling across the whole fiscal year is fundamental.

Who must comply

SOX applies to issuers of securities registered with the SEC, and the scope of the ITGC obligation depends on the filer category and, in some cases, on whether the company is newly public. The table below summarises who is caught and to what degree.

Entity categoryApplicability of SOX ITGC
US public companies (accelerated and large accelerated filers)Full Section 404(a) management assessment and Section 404(b) external auditor attestation over ICFR, including ITGC.
Smaller reporting companies / non-accelerated filersSection 404(a) management assessment required; Section 404(b) auditor attestation exempt under the Dodd-Frank permanent exemption.
Emerging growth companies (EGCs) under the JOBS ActSection 404(b) auditor attestation deferred for up to five years or until they cease to be an EGC.
Foreign private issuers listed on US exchangesSubject to SOX 404, with certain accommodations; ITGC over financial systems fully in scope.
Wholly-owned subsidiaries and shared-service centres of issuersIn scope where their systems process financially significant transactions consolidated into the parent's statements.
Third-party service providers (payroll, cloud, hosting, BPO)Not directly regulated, but their controls are assessed via SOC 1 (SSAE 18 / ISAE 3402) reports relied upon by the issuer.
Private companies preparing for IPOIncreasingly adopt SOX ITGC 12-24 months pre-listing to be audit-ready at first 10-K.
  • Chief Financial Officers and Chief Executive Officers who personally certify the financial statements and ICFR under Sections 302 and 906.
  • IT leadership (CIO, CISO, Head of Infrastructure) who own the ITGC control environment.
  • Internal audit and SOX programme management offices who coordinate scoping, testing and remediation.
  • External auditors (registered public accounting firms) who perform the integrated audit under AS 2201.

Structure of SOX ITGC

SOX ITGC are structured around four control domains, each of which is decomposed into control families and individual control activities. The four-domain model is derived from the COBIT and industry consensus IT audit taxonomy, mapped to the COSO 2013 principles. The table below sets out the canonical structure that virtually every SOX programme uses, together with representative control objectives.

DomainControl families and objectives
Access to Programs and Data (APD)User provisioning and de-provisioning; authentication and password policy; privileged / superuser access; segregation of duties; periodic access reviews (user access recertification); direct data access to databases and tables; physical access to data centres.
Program Changes (CHG)Change request and authorisation; development / migration segregation; testing and user acceptance; approval to promote to production; emergency change handling; version control; separation of development, test and production environments.
Program Development (SDLC)Project initiation and approval; requirements and design sign-off; data conversion and migration validation; system and integration testing; go-live approval; post-implementation review; vendor / package acquisition due diligence.
Computer Operations (OPS)Job scheduling and batch monitoring; backup configuration and restore testing; incident and problem management; interface and data-transfer monitoring; disaster recovery and business continuity; capacity and performance monitoring.

Cutting across these four domains, the COSO 2013 framework requires management to demonstrate the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities) and its seventeen underlying principles. Principle 11 in particular directs the organisation to select and develop general control activities over technology to support the achievement of objectives - this is the explicit COSO anchor for ITGC. The subsequent master checklist enumerates each family in full.

Master assessment checklist

This is the core of the guide. It enumerates every ITGC domain and family with a heading and a table listing what an auditor or control owner must verify and the typical evidence expected. No control area is omitted. Each control should be tested for both design and operating effectiveness across the full reporting period.

APD-1: User Provisioning and Access Authorisation

What to verifyTypical evidence
New-user access requests are formally raised, documented and approved by an authorised manager or data owner before access is granted.Access request tickets / forms with approver signatures or workflow approvals; sample of joiners reconciled to HR onboarding records.
Access granted matches what was approved (no scope creep at provisioning).Comparison of approved request to actual system entitlements for a sample of new users.
Role-based access templates are documented and approved so provisioning is standardised.Role catalogue / entitlement matrix; approval of role definitions.
Access to financially significant applications requires business justification.Business justification recorded on the request; data-owner approval evidence.

APD-2: User De-provisioning (Leavers and Movers)

What to verifyTypical evidence
Access for terminated employees is revoked in a timely manner (per SLA, e.g. within 24-48 hours or by termination date).Leaver ticket dates reconciled to HR termination dates and to actual account disable timestamps.
Transfers (movers) have obsolete access removed to prevent accumulation and segregation-of-duties breaches.Mover requests; before/after entitlement comparison; access review flagging residual access.
Dormant / inactive accounts are identified and disabled.Last-login reports; dormant-account exception report and remediation evidence.
Contractor and temporary accounts have defined expiry dates.Account expiry configuration; list of contractor accounts with end dates.

APD-3: Authentication and Password Configuration

What to verifyTypical evidence
Password policy (length, complexity, history, expiry, lockout) meets corporate standard on application, database and OS layers.System configuration screenshots / parameter extracts from application, DB and domain policy.
Multi-factor authentication is enforced for remote and privileged access.MFA policy configuration; VPN / IdP settings; sample of privileged logins requiring MFA.
Default and vendor-supplied credentials have been changed or disabled.Configuration evidence; account listing showing default accounts disabled.
Single sign-on / identity provider is configured consistently with policy.IdP configuration; federation settings; conditional access policies.

APD-4: Privileged and Superuser Access

What to verifyTypical evidence
Administrative / superuser access (application admins, DBA, OS root, domain admin) is restricted to a minimal, justified population.Listing of privileged accounts with role and justification; approval records.
Privileged activity is logged and monitored, ideally via a privileged access management (PAM) tool.PAM session logs; log review evidence; alert configuration.
Firefighter / break-glass access is controlled, time-bound and reviewed after use.Emergency access request; post-use review; PAM check-out records.
Service and generic accounts have owners, are not used interactively, and passwords are vaulted.Service account inventory with owners; vaulting configuration.

APD-5: Periodic User Access Reviews (Recertification)

What to verifyTypical evidence
Access to financially significant systems is recertified at a defined frequency (typically quarterly or half-yearly).Completed access review sign-offs by managers / data owners with dates.
The review population is complete (all users and entitlements included).Reconciliation of reviewed population to full user extract from the system.
Revocations flagged during the review are actioned and evidenced.Change tickets closing out flagged access; follow-up confirmation.
Reviews cover privileged and generic accounts, not only standard users.Review scope documentation showing privileged accounts included.

APD-6: Segregation of Duties (SoD)

What to verifyTypical evidence
A documented SoD conflict matrix exists for financially significant processes (e.g. create vendor vs pay vendor).SoD ruleset / matrix; approval of the ruleset.
Access is analysed against the SoD matrix and conflicts are prevented or mitigated.SoD analysis reports (e.g. from GRC tooling); mitigating control documentation for accepted conflicts.
Mitigating controls for unavoidable conflicts are defined, assigned and operating.Mitigating control descriptions; evidence of their operation (e.g. detective review).
SoD is enforced at both the process and the IT-administration layer (e.g. developer cannot also migrate to production).Change management SoD evidence; environment access segregation.

APD-7: Direct Data Access

What to verifyTypical evidence
Direct access to production databases and financial tables (bypassing the application) is tightly restricted.DB user listing with privileges; restriction of write/update access to production tables.
Any direct data changes (data fixes) follow a controlled, approved and logged process.Data-fix change tickets with approval; script review; execution logs.
Database activity monitoring or auditing is enabled on sensitive schemas.DAM configuration; audit log samples; alerting rules.

APD-8: Physical Access to IT Facilities

What to verifyTypical evidence
Physical access to data centres and server rooms is restricted and approved.Badge access lists; approval records; visitor logs.
Physical access is periodically reviewed and revoked for leavers.Physical access review evidence; leaver revocation confirmation.
For cloud / hosted environments, physical controls are covered by the provider's SOC 2 / ISO 27001.Provider SOC 2 Type II or ISO 27001 certificate; CUEC review.

CHG-1: Change Request and Authorisation

What to verifyTypical evidence
All changes to financially significant applications are logged in a change management system and formally authorised before work begins.Change tickets with requester, description and pre-development approval.
Changes are categorised (standard, normal, emergency) with appropriate authorisation paths.Change policy; ticket categorisation; CAB minutes.
A complete population of production changes can be extracted for testing.System-generated change population reconciled to release / deployment logs.

CHG-2: Testing and User Acceptance

What to verifyTypical evidence
Changes are tested (functional / integration) and evidence retained before promotion.Test plans, test results, defect logs for a sample of changes.
User acceptance testing (UAT) is performed and signed off by business owners for significant changes.UAT sign-off; test scripts and results.
Testing is performed in a non-production environment separate from live data.Environment documentation; evidence tests ran in test/QA.

CHG-3: Approval to Promote to Production

What to verifyTypical evidence
Final approval to deploy to production is granted by an authorised party distinct from the developer.Deployment / release approval on the ticket; approver role verification.
Deployment is performed by someone other than the developer (SoD in change).Deployment logs / CI-CD pipeline records showing separation of build and deploy roles.
Post-implementation verification confirms the change worked as intended.Post-deployment checks; smoke-test evidence.

CHG-4: Emergency and Expedited Changes

What to verifyTypical evidence
Emergency changes follow a defined process with retrospective approval and documentation.Emergency change tickets; retrospective CAB / manager approval within SLA.
Emergency changes are reviewed for appropriateness after the fact.Post-implementation review; periodic emergency-change trend review.

CHG-5: Version Control and Environment Segregation

What to verifyTypical evidence
Source code is under version control with an auditable history.Repository configuration; commit history; branch protection rules.
Developers do not have standing write access to production code / config.Production access listing; pipeline gating evidence.
Development, test and production environments are logically or physically separated.Environment topology; access segregation evidence.

SDLC-1: Project Initiation and Approval

What to verifyTypical evidence
New systems / major implementations are formally initiated, funded and approved by governance.Project charter; steering committee approval; business case.
Financial-reporting impact is assessed at initiation.Impact assessment; SOX scoping input for the new system.

SDLC-2: Requirements, Design and Build

What to verifyTypical evidence
Requirements and design are documented and approved by business and IT.Requirements specification; design documents with sign-off.
Application controls (automated controls) are designed to meet financial-reporting assertions.Control design documentation; configuration decisions.
For purchased packages, vendor due diligence is performed.Vendor evaluation; RFP; SOC report review for SaaS.

SDLC-3: Data Conversion and Migration

What to verifyTypical evidence
Data migrated to the new system is reconciled for completeness and accuracy.Reconciliation of record counts and control totals pre- and post-migration; sign-off.
Data cleansing and validation rules are applied and evidenced.Validation reports; exception handling; approval of go-live data.

SDLC-4: Testing and Go-Live Approval

What to verifyTypical evidence
System, integration and user acceptance testing are completed and defects resolved.Test results; defect closure; UAT sign-off.
A formal go-live / production readiness decision is documented and approved.Go-live approval; cut-over plan; readiness checklist.
A post-implementation review is performed after go-live.PIR report; lessons learned; residual issue tracking.

OPS-1: Batch Job Scheduling and Monitoring

What to verifyTypical evidence
Scheduled financial jobs (interfaces, postings, closes) are defined, monitored and failures are resolved.Scheduler configuration; job failure alerts; failure resolution tickets.
Job changes follow the change management process.Change tickets for schedule modifications.
Job completion is reviewed and exceptions escalated.Daily monitoring logs; escalation evidence.

OPS-2: Backup and Restoration

What to verifyTypical evidence
Backups of financial systems and data are scheduled, successful and monitored.Backup schedule; success/failure reports; alert handling.
Restore capability is periodically tested.Restore test records; results and sign-off.
Backup failures are investigated and remediated.Failure tickets; resolution evidence.

OPS-3: Incident and Problem Management

What to verifyTypical evidence
IT incidents affecting financial systems are logged, prioritised and resolved.Incident tickets; SLA / resolution tracking.
Recurring problems are subject to root-cause analysis.Problem records; RCA documentation.

OPS-4: Interface and Data-Transfer Monitoring

What to verifyTypical evidence
Automated interfaces between financial systems are monitored for completeness and accuracy.Interface reconciliation reports; control totals; error queues.
Interface errors are detected, investigated and cleared.Error logs; exception resolution evidence.

OPS-5: Disaster Recovery and Business Continuity

What to verifyTypical evidence
A disaster recovery plan exists for financially significant systems with defined RTO/RPO.DR plan document; RTO/RPO definitions; approval.
DR is tested periodically and results are documented.DR test plan and results; remediation of gaps.

OPS-6: Third-Party / Sub-Service Organisation Controls

What to verifyTypical evidence
SOC 1 (SSAE 18) reports for outsourced financial services are obtained and reviewed.SOC 1 Type II reports; bridge letters covering the period.
Complementary User Entity Controls (CUECs) from the SOC report are identified and operating at the company.CUEC mapping to internal controls; evidence of their operation.
Exceptions noted in the service organisation's SOC report are assessed for impact.SOC exception review; impact assessment and mitigation.

Scoping

Scoping is the process of determining which systems, applications, databases and control layers are in scope for SOX ITGC testing. Over-scoping wastes effort; under-scoping creates audit risk. The recommended approach is top-down and risk-based, consistent with PCAOB AS 2201, starting from material financial statement accounts and disclosures and tracing down to the systems and controls that matter.

  1. Identify material financial statement line items, disclosures and relevant assertions (completeness, accuracy, validity, existence, valuation, presentation).
  2. Map significant business processes and transaction flows (e.g. order-to-cash, procure-to-pay, payroll, financial close) to the applications that process them.
  3. Identify financially significant applications and their supporting layers: application, database, operating system and, where relevant, network and job scheduler.
  4. Determine which automated controls, IT-dependent manual controls and system-generated reports the audit will rely upon - these drive which ITGC are relied upon.
  5. Scope in the ITGC for each supporting layer of each in-scope application (a database and OS supporting an in-scope ERP are themselves in scope).
  6. Assess service organisations and cloud providers; determine reliance on SOC 1 reports and identify CUECs.
  7. Document scoping rationale, including systems considered and excluded, for auditor review and rationalise scope annually as the environment changes.
Reliance drives scope
An application is in scope for ITGC not merely because it touches finance, but because the audit relies on an automated control, an IT-dependent manual control, or a system-generated report within it. If reliance is removed (for example, a report is independently reconciled manually), the associated ITGC reliance may reduce - but this must be documented and agreed with the external auditor.

Implementation approach

A SOX ITGC programme is best delivered in phases. The following five-phase approach takes an organisation from initial scoping to a sustainable, audit-ready control environment. Each phase lists key activities and the deliverables an auditor would expect to see.

Phase 1: Scoping and Risk Assessment

  • Activities: perform the top-down risk-based scoping described above; build the application-to-process-to-account matrix; identify in-scope layers and service organisations.
  • Activities: assess IT risk and materiality; agree scope with internal and external audit.
  • Deliverables: SOX IT scoping memo, in-scope system inventory, control reliance map, service organisation inventory.

Phase 2: Control Design and Documentation

  • Activities: document the ITGC control matrix (RCM) across the four domains; define control owners, frequency, and evidence expectations; design SoD ruleset.
  • Activities: create process narratives and flowcharts; map controls to COSO principles and to financial assertions.
  • Deliverables: risk and control matrix (RCM), process narratives, control descriptions, SoD matrix, evidence catalogue.

Phase 3: Remediation and Control Build

  • Activities: perform a design gap assessment against the RCM; remediate missing or weak controls (e.g. implement access reviews, tighten change approvals, deploy PAM).
  • Activities: implement tooling for access certification, change tracking and log monitoring; establish evidence-collection routines.
  • Deliverables: remediation plan and tracker, updated configurations, deployed control tooling, evidence repository.

Phase 4: Testing and Validation

  • Activities: perform management (first / second line) testing of design and operating effectiveness across the period; sample changes, access reviews, provisioning and de-provisioning.
  • Activities: log deficiencies, evaluate severity (deficiency, significant deficiency, material weakness), and remediate.
  • Deliverables: test workpapers, deficiency log, severity assessment, remediation evidence, control effectiveness conclusions.

Phase 5: Sustainment and Continuous Monitoring

  • Activities: embed controls into BAU; automate evidence capture; run continuous monitoring on access, changes and SoD; refresh scoping annually.
  • Activities: prepare for external auditor walkthroughs and testing; maintain a management assertion / sub-certification process.
  • Deliverables: continuous monitoring dashboards, annual scoping refresh, management assertion pack, audit-ready evidence library.

Maturity / capability model

Organisations can benchmark their ITGC environment against a five-level maturity model derived from the COBIT / CMMI capability scale. Higher maturity reduces the cost of compliance and increases audit reliance through automation and monitoring.

Maturity levelCharacteristics
Level 1 - Initial / Ad hocControls are informal, undocumented and reactive; heavy reliance on individuals; evidence gathered only at audit time; frequent deficiencies.
Level 2 - RepeatableBasic controls documented for key systems; access reviews and change approvals exist but are manual and inconsistently evidenced.
Level 3 - DefinedStandardised ITGC across all in-scope systems; a formal RCM, defined owners and consistent evidence; testing performed regularly by management.
Level 4 - Managed / MeasuredControls are metric-driven; KPIs tracked; partial automation of provisioning, access certification and change tracking; deficiencies trended and root-caused.
Level 5 - OptimisedContinuous control monitoring; automated evidence and SoD analytics; near-real-time exception detection; controls integrated into DevOps and identity platforms; minimal audit friction.

Assessment and audit approach

The following steps describe how an integrated SOX ITGC assessment is executed by internal SOX teams and external auditors under PCAOB AS 2201.

  1. Understand the environment: obtain the in-scope system inventory, architecture, and the RCM; confirm which controls the financial-statement audit relies upon.
  2. Perform walkthroughs: trace one instance of each control end to end to confirm the control is designed appropriately (design effectiveness).
  3. Assess design effectiveness: determine whether the control, as designed, would prevent or detect a material misstatement on a timely basis.
  4. Obtain the complete population: extract full populations of changes, new users, leavers, access reviews and jobs for the period, and validate completeness and accuracy of the population itself.
  5. Select samples: use appropriate sample sizes based on control frequency (e.g. more samples for daily controls, fewer for annual) to test operating effectiveness across the period.
  6. Test operating effectiveness: re-perform or inspect evidence for each sampled item; confirm approvals, timeliness and segregation.
  7. Evaluate exceptions: investigate any deviation, extend testing if needed, and determine whether it is an isolated exception or a control failure.
  8. Classify deficiencies: rate each as a control deficiency, significant deficiency or material weakness based on likelihood and magnitude of potential misstatement.
  9. Conclude and report: aggregate findings, assess compensating controls, form a conclusion on ITGC, and feed into management's Section 404(a) assessment and the auditor's opinion.

Evidence request list

The following categorised list represents the artefacts typically requested during a SOX ITGC audit. Assembling these in advance in a well-organised evidence library dramatically reduces audit friction.

  • Governance and scoping: SOX scoping memo, in-scope application inventory, RCM, process narratives, organisation charts, IT policies (access, change, backup, SDLC).
  • Access to programs and data: full user listings per system/DB/OS, joiner/leaver/mover tickets, access review sign-offs, privileged account listings, password/MFA configurations, SoD ruleset and analysis, physical access lists.
  • Program changes: complete change population, sampled change tickets with approvals and test evidence, emergency change records, deployment logs, developer production-access listings.
  • Program development: project charters, requirements/design sign-offs, migration reconciliations, UAT and go-live approvals, post-implementation reviews.
  • Computer operations: job schedules and failure logs, backup success reports and restore tests, incident/problem records, interface reconciliations, DR plan and test results.
  • Third parties: SOC 1 Type II reports and bridge letters, CUEC mappings, cloud provider SOC 2 / ISO 27001 certificates.
  • Management testing: test workpapers, deficiency log with severity ratings, remediation evidence, and management's Section 302 sub-certifications.

Roles and responsibilities

RoleSOX ITGC responsibilities
CEO / CFOCertify financial statements and ICFR effectiveness under Sections 302 and 906; accountable for the overall control environment.
CIO / CISOOwn the IT control environment; ensure ITGC are designed, implemented and operating across all in-scope systems.
IT control ownersPerform and evidence day-to-day controls (access reviews, change approvals, backups, monitoring).
SOX / IA programme officeScope, coordinate, document the RCM, perform management testing, track deficiencies and remediation.
Internal auditProvide independent assurance over ITGC design and operating effectiveness; report to the audit committee.
Application / business process ownersApprove access, perform UAT sign-offs, own automated controls within their applications.
External auditorPerform the integrated audit under AS 2201; test ITGC to support reliance on automated controls and reports; opine on ICFR (for 404(b) filers).
Audit committeeOversee the integrity of financial reporting, internal control and the external audit; receive deficiency reporting.

KPIs to track

  • Percentage of access reviews completed on time across in-scope systems.
  • Number and ageing of terminated-user accounts not disabled within SLA.
  • Percentage of production changes with complete, pre-approval and testing evidence.
  • Number of emergency changes as a proportion of total changes (trend).
  • Number of unresolved segregation-of-duties conflicts without mitigating controls.
  • Backup success rate and number of successful restore tests per period.
  • Mean time to detect and resolve interface / job failures affecting financial data.
  • Number of open ITGC deficiencies by severity (deficiency / significant deficiency / material weakness) and their ageing.
  • Percentage of controls with automated evidence capture (automation coverage).
  • SOC 1 report coverage: percentage of in-scope service organisations with current Type II reports and reviewed CUECs.

Readiness checklist

  • Top-down risk-based scoping is documented and agreed with the external auditor.
  • A complete risk and control matrix covers all four ITGC domains for every in-scope system, database and OS layer.
  • Joiner / mover / leaver processes are evidenced and de-provisioning meets SLA.
  • Periodic access reviews cover the complete population, including privileged and generic accounts, and revocations are actioned.
  • A documented SoD matrix exists and conflicts are prevented or have operating mitigating controls.
  • All production changes are logged, tested, approved and deployed with developer/deployer segregation.
  • Emergency-change and data-fix processes have retrospective approval and review.
  • Backups are monitored and restore tests are performed and evidenced.
  • A DR plan with RTO/RPO exists and has been tested within the period.
  • SOC 1 Type II reports for all in-scope service organisations are obtained, cover the period, and CUECs are mapped and operating.
  • Management has performed testing across the full period and remediated deficiencies before year-end.
  • An organised, audit-ready evidence library exists with complete populations available for sampling.

Common gaps

  • Terminated-user access not revoked timely, or leaver population not reconciled to HR data.
  • Access reviews performed on an incomplete population, or flagged revocations never actioned.
  • Developers holding standing write access to production, breaking change-management segregation.
  • Changes deployed without evidence of testing or pre-deployment approval, especially for 'minor' or configuration changes.
  • Emergency changes used to bypass normal controls, with no retrospective approval or trend review.
  • Direct data fixes to production databases performed without approved, logged change tickets.
  • Segregation-of-duties conflicts identified but left without mitigating controls or accepted without documentation.
  • Backups monitored but restore capability never tested, so recoverability is unproven.
  • SOC 1 reports obtained but CUECs never mapped to internal controls or evidenced as operating.
  • Incomplete or inaccurate control populations (change / user extracts) that cannot support reliable sampling.
  • Reliance on system-generated reports without validating the completeness and accuracy of the report itself (the IPE / benchmarking issue).
  • Cloud and SaaS financial systems scoped superficially, missing database, configuration and identity controls.

SOX ITGC mapped to other frameworks

ITGC concepts overlap substantially with other control and security frameworks. This mapping helps organisations rationalise a single control set across multiple compliance obligations.

SOX ITGC domainCorresponding areas in other frameworks
Access to Programs and DataCOSO Principle 11; COBIT DSS05 (Managed Security Services) and DSS06; ISO/IEC 27001 Annex A.5/A.8 (access control, identity); NIST 800-53 AC family; PCI DSS Requirements 7 and 8; SOC 2 Logical Access criteria.
Program ChangesCOBIT BAI06 (Managed IT Changes); ISO/IEC 27001 A.8.32 (change management); NIST 800-53 CM family; ITIL Change Enablement; SOC 2 Change Management criteria.
Program DevelopmentCOBIT BAI03 (Managed Solutions Identification and Build); ISO/IEC 27001 A.8.25-A.8.31 (secure development); NIST 800-53 SA family.
Computer OperationsCOBIT DSS01/DSS03/DSS04 (Operations, Problems, Continuity); ISO/IEC 27001 A.8.13/A.8.14/A.5.29-A.5.30 (backup, availability, continuity); NIST 800-53 CP and SI families; SOC 2 Availability criteria.
Overall control frameworkCOSO 2013 Internal Control - Integrated Framework (5 components, 17 principles); COBIT 2019 governance and management objectives.
How CyberSigma helps
CyberSigma provides end-to-end SOX ITGC support: top-down risk-based scoping aligned to your material accounts, design and documentation of a four-domain risk and control matrix, remediation of access, change and operations gaps, and management testing across the full reporting period. Our CERT-In empanelled and QSA-qualified auditors run readiness assessments, build SoD and access-certification analytics, review your service organisations' SOC 1 reports and CUECs, and prepare an audit-ready evidence library that stands up to your external auditor's integrated audit under PCAOB AS 2201 - reducing deficiencies, audit friction and the total cost of compliance. Contact CyberSigma to make your next 10-K ITGC assessment smooth, defensible and sustainable.

Frequently asked questions

What is the difference between ITGC and application controls?
ITGC are pervasive IT controls (access, change, operations) that support the reliability of specific automated application controls used in financial reporting.
Official documents

Need help with SOX ITGC?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.