TL;DR: SOX compliance is framed here as a control discipline that depends on reliable access governance, audit trails, segregation of duties, and accountable reporting, with Protiviti cited on rising compliance costs and automation pressure. The governance lesson is that financial control failures often begin as identity control failures, so IAM, PAM, and review processes remain central to SOX readiness.
At a glance
What this is: This is a SOX compliance explainer that argues financial reporting controls increasingly depend on identity governance, access review, segregation of duties, and audit evidence.
Why it matters: It matters because IAM, NHI, and PAM teams can directly affect SOX control effectiveness through access, logging, and reviewer accountability.
By the numbers:
- 74% of organizations were seeking opportunities to enable automation further.
- Only 25% of SOX activities were tech-enabled in 2021.
- 72% of organizations have experienced or suspect they have experienced a breach of non-human identities.
👉 Read Pathlock's full guide to SOX compliance and internal controls
Context
SOX compliance is about proving that financial reporting is accurate, reviewable, and resistant to tampering. In practice, that means the control environment around finance depends on who can access systems, who can approve changes, and whether those actions leave evidence that auditors can trust.
For identity teams, the relevance is straightforward. Access governance, segregation of duties, session tracking, and review workflows are not side issues in a SOX programme. They are part of the mechanism that makes financial controls operational, especially as reporting systems move into cloud platforms and automation expands.
The article’s starting point is typical for enterprise SOX programmes. The real gap is not the law itself, but the uneven way companies translate it into durable access controls, audit trails, and accountable review processes.
Key questions
Q: How should teams implement SOX controls across finance applications?
A: Start by mapping each control to the specific system and identity that enforces it. Then verify access restrictions, approval steps, log retention, and segregation of duties in the actual applications that create or modify financial data. If a control cannot be demonstrated with evidence, it is not ready for audit.
Q: Why do access reviews matter in SOX compliance?
A: Access reviews matter because they prove that financial system permissions still match business need and control design. In SOX programmes, stale access is not only an operational risk, it is evidence that the control environment may have drifted. Reviews should therefore focus on privileged access, conflicting roles, and undocumented exceptions.
Q: What breaks when segregation of duties is not enforced?
A: When segregation of duties is weak, one identity can create, approve, and conceal the same financial action. That removes a key internal control and makes fraud or error harder to detect. The result is often audit findings, remediation work, and in severe cases restatements or sanctions.
Q: Who is accountable when SOX controls fail?
A: Accountability sits with management, but SOX also makes the identity and control owners responsible for proving that controls worked. CEOs and CFOs certify the statements, auditors attest to the control environment, and technology teams must supply evidence that access and logging controls are operating effectively.
Technical breakdown
Access control evidence for SOX reporting
SOX control effectiveness depends on more than written policy. Auditors look for evidence that access is unique, permissions are role-based, and privileged actions are traceable back to an accountable user or process. In identity terms, that means access governance and logging must be able to show who changed what, when, and under which approval chain. If access reviews exist only as spreadsheets or informal approvals, the control may exist in theory but not in auditable form.
Practical implication: tie financial system access to verifiable identity records, review trails, and session logs that can be produced on demand.
Segregation of duties and application access governance
Segregation of duties prevents one identity from initiating, approving, and recording the same financial action. In practice, this is enforced through application access governance, role modelling, and conflict detection across ERP, finance, and reporting systems. The issue is not only whether a conflict exists, but whether the organisation can detect it before a transaction occurs and explain the remediation path after it is found. That is where governance matures from policy language into operational control.
Practical implication: map SoD rules to actual application roles and recertify the conflicts before users touch critical financial workflows.
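The conflict-detection step described above, as an added example that is not part of the original article or Pathlock's tooling: role names, the SoD rule set, the identities and the exception ticket are all constructed for illustration. It checks every pairwise role combination held by each identity (human or service account) against the rule set and distinguishes formally approved exceptions from open violations.

```python
"""Segregation-of-duties conflict detection over application role assignments (added example)."""
from itertools import combinations

# Constructed SoD rule set: each conflicting role pair and the control it would let one identity span.
SOD_RULES = {
    ("AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"): "create and approve the same payable",
    ("GL_JOURNAL_POST", "GL_PERIOD_CLOSE"): "post journals and close the period",
    ("VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"): "edit vendor bank details and release payment",
}

def _rule_key(role_a, role_b):
    """Order-independent key so (A, B) and (B, A) match the same rule."""
    return tuple(sorted((role_a, role_b)))

RULES = {_rule_key(a, b): reason for (a, b), reason in SOD_RULES.items()}

def find_conflicts(assignments, exceptions=None):
    """Return (identity, role_a, role_b, reason, status) for every conflicting role pair.

    assignments: {identity: set of roles}
    exceptions:  {(identity, role_a, role_b): ticket_id} with roles in sorted order,
                 representing formally approved, documented SoD exceptions.
    status is 'approved-exception:<ticket>' when a ticket covers the pair, else 'violation'.
    """
    exceptions = exceptions or {}
    findings = []
    for identity, roles in sorted(assignments.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            key = _rule_key(role_a, role_b)
            if key in RULES:
                ticket = exceptions.get((identity,) + key)
                status = f"approved-exception:{ticket}" if ticket else "violation"
                findings.append((identity, key[0], key[1], RULES[key], status))
    return findings

# Constructed sample: note the service account spanning two control points, which
# SoD testing must cover just as it covers human users.
SAMPLE_ASSIGNMENTS = {
    "alice": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE", "REPORT_VIEW"},
    "bob": {"GL_JOURNAL_POST", "REPORT_VIEW"},
    "carol": {"VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"},
    "svc-erp-sync": {"GL_JOURNAL_POST", "GL_PERIOD_CLOSE"},
}
SAMPLE_EXCEPTIONS = {("carol", "AP_PAYMENT_RELEASE", "VENDOR_MASTER_EDIT"): "CHG-1042"}

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_EXCEPTIONS):
        print(finding)
```

Open violations are the ones to block or exception-manage before period close; the approved exception still needs its ticket recertified on the next review cycle.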
Audit trails, logs, and continuous control monitoring
SOX asks companies to retain reliable evidence, and that evidence is only useful if it is complete enough to reconstruct the event path. Audit trails should capture timestamps, identity context, and system changes, while monitoring should surface unusual activity quickly enough to support escalation. Continuous controls monitoring becomes especially relevant where finance workflows are distributed across cloud systems and SaaS applications, because the control signal is otherwise fragmented. Without reliable logs, a company may be compliant in design but not in proof.
Practical implication: standardise log retention, escalate exceptions through tickets, and validate that monitoring can reconstruct material finance events.
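The event-path reconstruction described above, as an added example that is not from the original article: the JSON log lines, system names, actors and ticket ids are constructed, and the required create/approve/post sequence is an assumed control design. It merges records from two systems by transaction id and reports where the evidence chain cannot be completed.

```python
"""Reconstruct a finance transaction's event path from log records and flag evidence gaps (added example)."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line, as a SIEM export from the ERP and ledger systems.
SAMPLE_LOGS = """
{"ts":"2025-09-01T09:00:05Z","system":"erp","actor":"alice","action":"journal.create","txn":"JE-1001","ticket":null}
{"ts":"2025-09-01T09:15:40Z","system":"erp","actor":"bob","action":"journal.approve","txn":"JE-1001","ticket":"CHG-2201"}
{"ts":"2025-09-01T09:16:02Z","system":"ledger","actor":"svc-erp-sync","action":"journal.post","txn":"JE-1001","ticket":null}
{"ts":"2025-09-01T10:02:11Z","system":"erp","actor":"carol","action":"journal.create","txn":"JE-1002","ticket":null}
{"ts":"2025-09-01T10:03:00Z","system":"erp","actor":"carol","action":"journal.approve","txn":"JE-1002","ticket":null}
{"ts":"2025-09-01T10:03:30Z","system":"ledger","actor":"svc-erp-sync","action":"journal.post","txn":"JE-1002","ticket":null}
{"ts":"2025-09-01T11:40:00Z","system":"ledger","actor":"svc-erp-sync","action":"journal.post","txn":"JE-1003","ticket":null}
"""

# Assumed control design: every posted journal must show these three steps.
REQUIRED_STEPS = ("journal.create", "journal.approve", "journal.post")

def reconstruct(lines):
    """Group records by transaction id and order each path by timestamp (ISO 8601 sorts lexically)."""
    paths = defaultdict(list)
    for line in lines.strip().splitlines():
        record = json.loads(line)
        paths[record["txn"]].append(record)
    for records in paths.values():
        records.sort(key=lambda r: r["ts"])
    return dict(paths)

def evidence_gaps(path):
    """Return the evidence gaps for one transaction's path; an empty list means it is reconstructable."""
    gaps = []
    by_action = {r["action"]: r for r in path}
    for step in REQUIRED_STEPS:
        if step not in by_action:
            gaps.append(f"missing {step}")
    create, approve = by_action.get("journal.create"), by_action.get("journal.approve")
    if create and approve:
        if create["actor"] == approve["actor"]:
            gaps.append("same identity created and approved (SoD)")
        if not approve.get("ticket"):
            gaps.append("approval lacks ticket reference")
        if approve["ts"] < create["ts"]:
            gaps.append("approval precedes creation")
    return gaps

def audit(lines):
    """Map each transaction id to its evidence gaps."""
    return {txn: evidence_gaps(path) for txn, path in reconstruct(lines).items()}
```

JE-1003 shows the fragmented-signal case: the ledger saw a post but no upstream create or approve was retained, so the control exists in design but not in proof.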
Threat narrative
Attacker objective: The objective is to alter or conceal financial information long enough to create misleading reporting, evade detection, or force the organisation into a costly restatement.
- Entry occurs when a user or service identity gains access to a finance or reporting system without sufficient restriction or review.
- Escalation follows when the same identity can change, approve, or conceal a transaction because segregation of duties and session visibility are weak.
- Impact appears as inaccurate reporting, delayed detection of tampering, and audit failure that can trigger penalties, restatements, or market sanctions.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Zacks Investment Research breach — Zacks breach exposed 12M customer records including credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SOX is an identity governance problem as much as a financial reporting problem. The article treats control design, auditability, and executive accountability as accounting disciplines, but each of those outcomes depends on access governance, logging, and approval paths. When identity controls fail, finance controls stop being provable. Practitioners should treat SOX evidence as an IAM and PAM output, not just an audit deliverable.
Segregation of duties is the named control concept that most often decides whether SOX works in practice. SOX assumes that no single identity can create, approve, and conceal the same material transaction. That assumption breaks when application roles, emergency access, or informal exceptions allow a user to span multiple control points. The implication is that SoD is not a policy statement but a live identity design constraint.
Auditability is a control surface, not a reporting afterthought. The article’s emphasis on logs, tickets, reviews, and evidence shows that compliance depends on whether the organisation can reconstruct control decisions after the fact. That requirement extends across human users and non-human identities alike, especially where finance systems are automated. The practitioner conclusion is to govern for evidence quality, not just access entitlement volume.
Automation improves SOX only when it preserves control meaning. Protiviti’s figures on rising costs and growing interest in automation point to a common pattern: manual review cannot scale, but indiscriminate automation can also hide weak approvals and stale exceptions. The challenge is to automate collection and detection without automating accountability away. Practitioners should measure whether automation shortens evidence gathering while keeping decision ownership intact.
SOX and NHI governance now overlap more than many finance teams realise. The article mentions cloud systems, AI-assisted analysis, and security controls around financial data, all of which increase the number of machine identities touching reporting workflows. A service account that can write, post, or reconcile financial records is part of the SOX control environment. Practitioners should extend SOX testing to the identities that move the data, not only the people who sign the reports.
From our research:
- 72% of organizations have experienced or suspect they have experienced a breach of non-human identities, according to 2024 ESG Report: Managing Non-Human Identities.
- A quarter of enterprises have encountered multiple NHI attacks, which shows that repeat exposure is common once machine identities are not governed as a first-class control surface.
- For a broader control lens, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the access, rotation, and offboarding decisions that keep identity evidence auditable.
What this signals
SOX programmes will keep absorbing more identity work as finance systems and reporting pipelines become more automated. The practical shift is from periodic review to continuous evidence production, especially where machine identities touch close, post, and reconcile workflows. Teams that cannot trace those identities back to owners, approvals, and logs will struggle to defend control effectiveness.
With 72% of organisations reporting or suspecting an NHI breach in our research, machine identities are no longer a background issue for finance control teams. That exposure matters because SOX evidence depends on the very identities that move data between systems, not just on the humans signing the forms.
Control meaning will matter more than control count. The next maturity step is not adding more sign-offs, but making sure each approval, exception, and access grant is traceable, reviewable, and linked to a financial assertion. Practitioners should expect auditors to ask harder questions about evidence quality as automation expands.
For practitioners
- Map access controls to financial control objectives: Link every critical finance application to the specific SOX assertion it supports, then verify that the access model can prove who approved, changed, and reviewed the transaction path.
- Enforce segregation of duties in live application roles: Detect role combinations that let one identity initiate and approve the same financial activity, then block or formally exception-manage those combinations before period close.
- Treat access reviews as audit evidence production: Design review campaigns so they produce searchable evidence, reviewer identity, timestamps, and disposition history that auditors can inspect without manual reconstruction.
- Extend SOX scope to non-human identities: Inventory service accounts, API keys, and automation identities that touch reporting data, then apply the same approval, logging, and offboarding controls used for human access.
Key takeaways
- SOX compliance depends on identity controls that can prove who did what, when, and under which approval path.
- The scale is material, with Protiviti citing rising costs, low historic automation, and strong demand for more automation in SOX programmes.
- The strongest SOX programmes extend access reviews, segregation of duties, and logging to both human and non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | SOX access controls depend on managed permissions and reviewable identity evidence. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring and logging support SOX evidence for financial systems. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine identities that touch financial data need lifecycle governance and rotation controls. |
Inventory non-human identities in finance flows and enforce lifecycle controls on privileged accounts.
Key terms
- Segregation Of Duties: Segregation of duties is the practice of dividing financial and operational responsibilities so one identity cannot complete a sensitive process from start to finish. In SOX programmes, it reduces fraud opportunity and creates a clearer audit trail for who initiated, approved, recorded, or reconciled an activity.
- Internal Controls Over Financial Reporting: Internal controls over financial reporting are the policies, access rules, reviews, and system checks that keep financial data accurate and tamper resistant. In practice, they depend on identity governance, logging, and accountable approvals so that reporting can be demonstrated as reliable, not merely asserted.
- Audit Trail: An audit trail is the recorded history of a transaction or system change, including timestamps, identity context, and the action taken. For SOX, an audit trail is only useful if it is complete enough to reconstruct material changes and support both internal review and external attestation.
- Non-Human Identity: A non-human identity is a machine-held credential or account used by software, services, automation, or AI components to authenticate and act. In a SOX context, NHIs matter when they can move, transform, or post financial data, because they become part of the control environment and evidence chain.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Pathlock: SOX compliance and internal controls guidance. Read the original.
Published by the NHIMG editorial team on 2025-09-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org