Sarbanes–Oxley Act (SOX) Compliance Explained for Public Companies & Service Providers

What Is SOX and Why It Matters

The Sarbanes–Oxley Act (SOX) is a U.S. federal law designed to protect investors by ensuring the accuracy, integrity, and reliability of financial reporting for publicly traded companies.

SOX was enacted in response to major corporate scandals and focuses heavily on internal controls, accountability, and auditability. While often viewed as a finance or accounting regulation, SOX compliance depends heavily on IT systems, cybersecurity controls, and access governance.

If financial data flows through your systems, IT is part of your SOX control environment.

Who SOX Applies To

SOX applies to:

Public Companies

  • U.S. publicly traded companies

  • Foreign companies listed on U.S. exchanges

  • Subsidiaries whose financials roll up into public filings

Organizations Supporting Public Companies

SOX also affects:

  • SaaS and technology vendors

  • ERP and financial system providers

  • MSPs and IT providers

  • Payroll, billing, and accounting platforms

  • Cloud service providers

  • Third parties with access to financial systems or data

If your organization hosts, processes, or supports systems involved in financial reporting, you are part of the SOX risk chain.

What Information and Systems Are In Scope for SOX

SOX focuses on financial reporting and the systems that support it, including:

  • General ledger systems

  • ERP platforms

  • Accounting and payroll systems

  • Revenue recognition tools

  • Financial reporting databases

  • Data warehouses and integrations

  • Change management and deployment systems

  • User access to financial systems

From an IT perspective, SOX is about preventing unauthorized changes, errors, or manipulation of financial data.

Key SOX Sections That Impact IT

While SOX includes many provisions, two sections drive most IT and cybersecurity requirements:

Section 302 – Executive Accountability

Requires executives to certify that:

  • Internal controls are effective

  • Financial reports are accurate

  • Deficiencies are disclosed

This places pressure on IT controls that support reporting accuracy.

Section 404 – Internal Controls Over Financial Reporting (ICFR)

Requires organizations to:

  • Design and maintain effective internal controls

  • Test control effectiveness

  • Document and remediate deficiencies

Most SOX-related IT control work falls under Section 404.

What SOX Requires From an IT & Cybersecurity Perspective

SOX does not prescribe specific technologies, but it requires strong, auditable controls around systems that impact financial reporting.

Key IT control areas include:

Access Controls & Identity Management

  • Role-based access to financial systems

  • Least-privilege permissions

  • Segregation of duties

  • Formal user provisioning and deprovisioning

  • Regular access reviews

Unauthorized access is a major SOX risk.

Change Management Controls

  • Formal change approval processes

  • Testing before production changes

  • Separation between developers and production access

  • Logging of system and configuration changes

Uncontrolled changes can directly impact financial integrity.

Logging, Monitoring & Audit Trails

  • System activity logging

  • User access logging

  • Change logs

  • Retention of audit evidence

Auditors must be able to trace financial data back to controlled systems.

Data Integrity & Backup Controls

  • Protection against unauthorized data modification

  • Secure backups

  • Recovery testing

  • Controls to ensure completeness and accuracy

Vendor & Third-Party Risk Management

SOX requires organizations to:

  • Understand vendor access to financial systems

  • Ensure third parties follow control requirements

  • Monitor outsourced processes

Outsourced systems are still your responsibility.

Why SOX Compliance Is Challenging for SMBs and Growing Companies

SOX compliance often breaks down due to:

  • Overly broad system access

  • Poorly documented controls

  • Gaps between policy and reality

  • Manual processes that don’t scale

  • Inadequate coordination between IT and finance

As companies grow, what worked informally no longer holds up under audit scrutiny.

How SOX Fits Into Broader Cyber Risk Management

SOX aligns closely with:

  • COSO Internal Control Framework

  • NIST Cybersecurity Framework (CSF)

  • ISO 27001

  • SOC 1 (financial reporting controls)

  • SOC 2 (security and availability)

Organizations that manage cyber risk well typically have strong SOX outcomes, because the same fundamentals apply.

The Reality of SOX Compliance

Here’s the key takeaway:

SOX compliance is not about perfection—it’s about control, visibility, and accountability.

Most SOX deficiencies stem from:

  • Weak access governance

  • Poor change control

  • Missing documentation

  • Lack of coordination between IT and finance

Strong fundamentals prevent most issues.

How We Help With SOX (and Financial Controls)

Our cyber risk and compliance assessments help organizations:

  • Identify SOX-relevant IT systems

  • Evaluate access and change controls

  • Close documentation and control gaps

  • Improve audit readiness

  • Align IT and finance around shared risk

We focus on controls that actually hold up under audit, not theoretical compliance.

How SMBs and Public Companies Can Prepare for SOX Compliance

Here is a practical, high-impact roadmap.

Step 1: Identify Financially Relevant Systems

Document:

  • Systems supporting financial reporting

  • Data flows between systems

  • Users and roles

  • Vendors with access

Step 2: Define and Document IT Controls

Ensure controls exist for:

  • Access management

  • Change management

  • Incident handling

  • Backup and recovery

  • Logging and monitoring

Controls must be documented and repeatable.

Step 3: Test Control Effectiveness

Validate:

  • Controls operate as designed

  • Evidence can be produced

  • Exceptions are tracked and remediated

Testing is central to SOX.

Step 4: Address Segregation of Duties

Ensure:

  • No single user can create, approve, and post transactions

  • Administrative access is limited and monitored

  • Compensating controls exist where separation isn’t possible

Step 5: Manage Vendors and Outsourced Systems

Confirm:

  • Vendor responsibilities are clear

  • Controls are tested

  • Reports (SOC 1/SOC 2) are reviewed
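As an added example (not material from this page or its authors), the segregation-of-duties rule in Step 4 and the exception tracking in Step 3 can be run as a repeatable check over a user-entitlement export. The entitlement names, conflict pairs, user list and compensating-control register below are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over a constructed entitlement extract.

Added example: entitlement names, conflict pairs, users and the
compensating-control register are assumptions, not taken from the page.
"""

# Pairs of entitlements that one user must not hold together for journal
# entries (assumed for illustration). Holding all three is caught as well,
# since every pair within it matches.
CONFLICTS = {
    frozenset({"create_journal", "approve_journal"}),
    frozenset({"approve_journal", "post_journal"}),
    frozenset({"create_journal", "post_journal"}),
}
ADMIN_ENTITLEMENTS = {"gl_admin"}  # privileged access to be limited and monitored

# Constructed entitlement export: user -> set of entitlements.
USERS = {
    "alice": {"create_journal"},
    "bob": {"approve_journal", "post_journal"},
    "carol": {"create_journal", "approve_journal", "post_journal"},
    "dave": {"gl_admin", "create_journal"},
    "erin": {"create_journal", "approve_journal"},
}
# Constructed register of documented compensating controls (user -> reference).
COMPENSATING = {"erin": "monthly independent review of approved journals (ticket ID placeholder)"}


def find_sod_findings(users, compensating_controls):
    """Return one finding per user holding a toxic combination.

    A finding is 'mitigated' only when a compensating control is documented
    for that user; otherwise it is a 'violation' to remediate. Both are kept
    so exceptions are tracked rather than silently accepted.
    """
    findings = []
    for user, ents in sorted(users.items()):
        toxic = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= ents)
        if not toxic:
            continue
        status = "mitigated" if user in compensating_controls else "violation"
        findings.append({"user": user, "conflicts": toxic, "status": status,
                         "compensating_control": compensating_controls.get(user)})
    return findings


def find_admins(users):
    """List users holding administrative entitlements, for the access review."""
    return sorted(u for u, ents in users.items() if ents & ADMIN_ENTITLEMENTS)


if __name__ == "__main__":
    for finding in find_sod_findings(USERS, COMPENSATING):
        print(finding)
    print("admins to review:", find_admins(USERS))
```

Run against a real export, the findings list (with dates and reviewer sign-off added) is the kind of evidence an auditor asks for under Step 3.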

Take Control of Your SOX Risk

SOX compliance is not just an annual audit—it’s an ongoing control environment.

Know where your systems create risk, fix what matters most, and walk into audits with confidence.

Talk to an Executive Advisor Today