TL;DR: Pre-IPO companies need 12 months of quarterly SOX access review evidence, because Big 4 auditors test completeness, remediation proof, and management attestation across financial systems, including service accounts and infrastructure access, according to Zluri. Manual spreadsheets fail the evidence bar; the control problem is governance before visibility, not review frequency alone.
At a glance
What this is: This is a SOX access review analysis showing why pre-IPO teams need 12 months of audit-ready evidence, not just a quarterly review process.
Why it matters: It matters because IAM, IGA, and PAM teams must prove complete scope, remediation, and attestation across human and non-human access before auditors and investors do.
👉 Read Zluri’s guidance on SOX access reviews before IPO
Context
SOX access reviews are not just a compliance calendar item. They are an evidence problem: auditors want proof that every in-scope user, entitlement, service account, and system path was reviewed, decisions were recorded, and revocations actually happened.
For pre-IPO organisations, the governance gap usually starts with visibility. If teams cannot identify the complete financial access surface across applications, databases, cloud infrastructure, and automated accounts, quarterly reviews become incomplete by design rather than by execution.
Key questions
Q: What breaks when SOX access reviews are run from spreadsheets?
A: Spreadsheets usually fail because they cannot prove completeness, preserve immutable evidence, or demonstrate that remediation actually happened. Auditors want system-generated logs, reviewer identity, timestamps, and post-change proof. A manual export can support a review process, but it rarely satisfies operating-effectiveness testing on its own.
Q: Why do service accounts increase SOX access review risk?
A: Service accounts often bypass normal user review paths while still touching financial data through integrations, batch jobs, and automations. If they are excluded, the review scope is incomplete even when employee access looks clean. That creates hidden access paths that auditors can treat as a control deficiency.
Q: How do security teams know whether SOX scope is complete?
A: Scope is complete when the team can trace every financial data flow and show that all identities with access to those paths were reviewed. That includes application users, database access, cloud infrastructure, and automated accounts. If the scoping method starts from a system list instead of a data-flow map, it will usually miss something.
Q: Who is accountable when quarterly access reviews are missed after IPO?
A: Management remains accountable because SOX ties control effectiveness to executive certification, not just IT execution. Missed reviews can become a disclosed control deficiency, trigger more auditor scrutiny, and create disclosure obligations. The accountable response is to document the failure, remediate the process, and prove sustained operation in later quarters.
Technical breakdown
Why Excel-based SOX reviews fail audit scrutiny
Spreadsheet-based reviews break down because they cannot prove completeness, reviewer identity, or unaltered evidence. Big 4 auditors look for system-generated logs, timestamped decisions, and before-and-after state changes that show the review was both performed and enforced. A manually compiled export can be accurate on the day it is created and still fail if the source data changed before approval or if remediation was never completed. The technical issue is not formatting. It is evidentiary integrity.
Practical implication: Use an access review workflow that captures immutable evidence from source systems rather than relying on exported spreadsheets.
Why financial scope extends beyond the ERP
SOX scope is driven by data flow, not by the application label on the dashboard. Financial reporting access often includes general ledger systems, databases, cloud infrastructure, Active Directory groups, and service accounts that move or transform financial data. If a DBA can query the ledger directly or a batch account posts journal entries, those identities are in scope even if they never log into the ERP. Auditors test whether the scoping method finds every path to financial data, not just the obvious application users.
Practical implication: Build a documented scoping method that traces financial data paths and includes non-obvious human and non-human access paths.
How remediation evidence closes the operating effectiveness gap
A SOX review is not successful when violations are found. It is successful when approved revocations are executed within the review cycle and backed by before-and-after evidence. That means the review record, the revocation action, and the post-change entitlement state must line up. If remediation sits in a ticket queue for weeks, the control may exist in policy but not in practice. Auditors interpret that as a failure of operating effectiveness, not a minor delay.
Practical implication: Tie every approval to an executed change record and verify post-remediation state before the quarter closes.
NHI Mgmt Group analysis
Governance before visibility is the real pre-IPO failure mode. SOX access reviews do not start with the review itself, they start with knowing the full population of identities and systems that can affect financial reporting. When that inventory is incomplete, quarterly review programmes produce false comfort and incomplete evidence. The practitioner conclusion is simple: completeness has to be established before controls can be certified.
Service accounts are not a side issue in SOX, they are part of the control boundary. Automated accounts, integration credentials, and batch jobs can move or alter financial data without a human logging into the core application. That means the governance model has to cover human and non-human access together wherever financial reporting is affected. The practitioner conclusion is that review scope must follow data flow, not organisational convenience.
Immutable evidence is now the control, not the spreadsheet process. Auditors are testing whether access review decisions can be trusted after the fact, which makes the evidence chain as important as the review decision itself. The control assumption that a manually assembled report is enough for audit has already collapsed under modern assurance expectations. The practitioner conclusion is that review artefacts must be system-generated and tamper-evident.
12 months of quarterly evidence is a lifecycle requirement, not a project task. Pre-IPO teams that treat SOX as a one-time launch often miss the point that the control has to operate repeatedly before it can be relied on. Quarterly cadence only matters if the whole cycle, scope, decision, remediation, attestation, repeats without gaps. The practitioner conclusion is to plan for evidence accumulation, not just process go-live.
SOX review quality now depends on identity governance maturity across multiple actor types. The same review programme that handles employees must also account for DBAs, infrastructure access, and service accounts with financial-system reach. That is where access governance becomes an enterprise discipline rather than a compliance checklist. The practitioner conclusion is that audit readiness is a lifecycle and scope problem, not an isolated finance control.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
- The governance lesson carries forward into access reviews and lifecycle controls, which are covered in NHI Lifecycle Management Guide.
What this signals
Fragmented identity evidence quickly becomes a governance problem. When access lives across multiple systems, review evidence becomes harder to centralise, harder to prove, and easier to dispute. That is why pre-IPO teams need a single source of truth for reviewer actions, scope, and remediation outcomes before the audit cycle starts.
With 6 distinct secrets manager instances on average in one recent NHI study, fragmentation is already the norm in identity-adjacent operations, and SOX programmes face the same structural pressure when access data is split across business systems and infrastructure layers.
The practical signal is that access governance is moving from periodic review to evidence engineering. Teams that cannot produce complete, tamper-evident records for human and non-human access will keep failing audit tests even if their policy language looks mature.
For practitioners
- Map the full SOX access boundary Trace every path that can store, change, or transmit financial data, including ERP users, database administrators, cloud infrastructure access, Active Directory groups, and service accounts.
- Replace spreadsheet evidence with system-generated audit trails Capture reviewer identity, timestamp, decision rationale, and post-remediation state directly from the review platform so auditors can test evidence integrity without manual reconstruction.
- Create a quarterly remediation closure check Verify that every approved revocation or access change is executed before the quarter closes and that the post-change entitlement state matches the review decision.
- Include service accounts in the same review cadence List all non-human identities that touch financial systems, assign owners, and ensure they are reviewed with the same evidence standard as employee access.
- Start the evidence clock early Treat the 12-month review window as a prerequisite for IPO readiness and begin collection well before the planned filing timeline.
Key takeaways
- SOX access reviews fail when teams cannot prove complete scope, not just when they miss a deadline.
- Service accounts, database access, and infrastructure permissions belong in the same evidence model as employee access.
- The control objective is immutable audit evidence across 12 months of quarterly cycles, because that is what auditors actually test.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SOX scope depends on controlling access to financial systems and identities. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Service accounts and secrets in financial workflows need governance and review. |
| NIST CSF 2.0 | GV.RM-01 | Pre-IPO teams need risk decisions tied to control evidence and audit timing. |
Inventory non-human identities in financial paths and enforce review and ownership controls.
Key terms
- SOX access review: A SOX access review is a recurring control check that confirms only appropriate identities can access systems affecting financial reporting. In practice, it must produce evidence that reviewers saw the full scope, made documented decisions, and that required changes were executed before the cycle closed.
- Operating effectiveness: Operating effectiveness is the ability of a control to work as designed over time, not just exist on paper. For access reviews, auditors test whether the process consistently finds the right access, records defensible decisions, and results in actual remediation with evidence that cannot be rewritten later.
- Service account: A service account is a non-human identity used by applications, integrations, scripts, or batch jobs to perform automated tasks. In SOX environments, it matters because it can move or alter financial data outside normal employee workflows, which makes ownership, scope, and review discipline essential.
- Immutable audit trail: An immutable audit trail is a record of review actions that cannot be changed without detection. For access governance, it captures who reviewed what, when they acted, and what changed afterward, giving auditors confidence that the evidence reflects the actual control operation rather than a reconstructed story.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The practical walkthrough for building quarterly SOX access review evidence from discovery through remediation.
- The auditor testing questions teams should expect when proving completeness across financial systems and service accounts.
- The implementation timeline for moving from manual review processes to auditable access governance workflows.
- The article's examples of how pre-IPO teams structure evidence collection before filing timelines tighten.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org