TL;DR: Sarbanes-Oxley internal controls work best when preventive, detective, and corrective controls are orchestrated across entity-level, process-level, and ITGC domains, according to SafePaaS. The practical shift is from annual audit scramble to continuous control visibility, with segregation of duties and access review discipline becoming operational rather than periodic.
NHIMG editorial — based on content published by SafePaaS: Sarbanes-Oxley internal controls, ITGCs, and segregation of duties
Questions worth separating out
Q: How should teams design SOX controls across IAM, PAM, and ERP systems?
A: Start with the business process, then assign one preventive, one detective, and one corrective control to each high-risk step.
Q: Why do segregation of duties failures still happen in mature finance programmes?
A: They happen because SoD is often enforced in one layer while access exceptions, temporary elevation, and application logic live in others.
Q: How do organisations know whether detective controls are actually working?
A: Detective controls are working when they find exceptions early, route them to accountable owners, and produce consistent remediation evidence.
Practitioner guidance
- Map SOX workflows to control owners: assign every high-risk financial workflow to a named preventive, detective, and corrective control owner so responsibility is clear before audit season starts.
- Test segregation of duties at the application layer: validate that ERP roles, approval thresholds, and emergency access cannot be combined to create and approve the same transaction path.
- Centralise access evidence across systems: pull access data from IAM, PAM, and ERP platforms into one review cycle so recertification reflects the real entitlement picture, not one system at a time.
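As an added example (not code from SafePaaS or the source article), the following detective check merges entitlements from IAM, PAM and ERP feeds before testing create/approve conflicts, so an approval role granted through an IAM group or a still-active firefighter elevation is counted alongside native ERP roles; the role names, capability map, conflict pairs and grant feed are all constructed for illustration.

```python
"""Detective SoD check across IAM, PAM and ERP layers (constructed example)."""
from datetime import datetime, timezone

# Constructed conflict matrix: (create capability, approve capability) pairs
# that must never be held by the same person on one transaction path.
CONFLICTS = {
    ("AP_INVOICE_CREATE", "AP_INVOICE_APPROVE"),
    ("VENDOR_CREATE", "AP_INVOICE_APPROVE"),
}

# Constructed application-layer logic: which role grants which capability.
ROLE_CAPS = {
    "erp:AP_CLERK": {"AP_INVOICE_CREATE"},
    "erp:AP_MANAGER": {"AP_INVOICE_APPROVE"},
    "erp:VENDOR_ADMIN": {"VENDOR_CREATE"},
    "pam:ERP_FIREFIGHTER": {"AP_INVOICE_CREATE", "AP_INVOICE_APPROVE", "VENDOR_CREATE"},
}

def effective_capabilities(user, grants, now):
    """Union of capabilities from every source; temporary grants count only while active."""
    caps = set()
    for g in grants:
        if g["user"] != user:
            continue
        expires = g.get("expires")
        if expires is not None and expires <= now:
            continue  # elevation has lapsed, so it is not part of the current picture
        caps |= ROLE_CAPS.get(g["role"], set())
    return caps

def find_sod_violations(grants, now):
    """Return {user: [(create, approve), ...]} for users who can both create and approve."""
    violations = {}
    for user in {g["user"] for g in grants}:
        caps = effective_capabilities(user, grants, now)
        hits = sorted(c for c in CONFLICTS if c[0] in caps and c[1] in caps)
        if hits:
            violations[user] = hits
    return violations

# Constructed grant feed already merged from the three systems.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRANTS = [
    {"source": "erp", "user": "alice", "role": "erp:AP_CLERK"},
    {"source": "iam", "user": "alice", "role": "erp:AP_MANAGER"},  # invisible to an ERP-only review
    {"source": "erp", "user": "bob", "role": "erp:AP_CLERK"},
    {"source": "pam", "user": "bob", "role": "pam:ERP_FIREFIGHTER", "expires": datetime(2024, 6, 2, tzinfo=timezone.utc)},
    {"source": "erp", "user": "carol", "role": "erp:AP_MANAGER"},
    {"source": "pam", "user": "carol", "role": "pam:ERP_FIREFIGHTER", "expires": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for user, hits in sorted(find_sod_violations(GRANTS, NOW).items()):
        print(user, hits)  # alice and bob are flagged; carol's elevation has expired
```

Each flagged pair is the evidence a detective control should route to the named control owner, and the expiry check is what keeps lapsed emergency access from producing stale findings.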
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- A control-by-control breakdown of preventive, detective, and corrective SOX patterns across ERP environments
- Examples of segregation of duties enforcement across finance workflows and access models
- Operational detail on continuous controls monitoring and alerting for high-risk transactions
- A platform view of how access reviews and remediation workflows are centralised in practice
Read SafePaaS's analysis of Sarbanes-Oxley internal controls and ITGCs.