TL;DR: According to Zluri, SOX 404(a) applies to all SOX registrants, while 404(b) adds external auditor attestation for large accelerated and accelerated filers, which changes both the cost and the control evidence requirements. For IAM teams, the practical issue is not the label on the control but whether identity, access, and privileged change evidence is audit-ready at the pace external review demands.
NHIMG editorial — based on content published by Zluri: Best Practices 404(a) vs 404(b) In SOX Compliance - 6 Key Differences
Questions worth separating out
Q: How should identity teams support SOX 404(a) controls?
A: Identity teams should document how access approvals, recertifications, privileged changes, and offboarding support financial reporting controls.
Q: Why does SOX 404(b) create more work for IAM and PAM teams?
A: SOX 404(b) adds external auditor testing, so IAM and PAM teams must produce evidence that can be sampled and independently verified.
Q: What do organisations get wrong about SOX control evidence?
A: The most common mistake is treating control operation and control evidence as the same thing.
Practitioner guidance
- Classify SOX 404 scope by filer status: confirm whether the organisation falls under 404(a) alone or also 404(b), then align IAM, IGA, and PAM evidence requirements to that scope.
- Standardise access review evidence: use one repeatable format for access certifications, reviewer sign-off, exception handling, and remediation tracking.
- Tighten privileged access traceability: ensure elevated access requests, approvals, and revocations are time-stamped and linked to accountable owners.
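The guidance above boils down to evidence that an external auditor can sample and verify: one record format for certifications, a reviewer who is not the subject, an accountable owner on every record, and a time-stamped request/approval/revocation chain for privileged access. The following Python script is an added example (not code from Zluri or NHIMG) showing how an IAM team might pre-check its own evidence before an auditor does. The record fields (`reviewed_at`, `remediation_ticket`, `approver`, and so on), the reporting period, and the sample records are all constructed assumptions.

```python
"""Audit-readiness checks for identity control evidence (constructed example)."""
from datetime import datetime, timezone

# Reporting period under review (constructed assumption, not from the source).
PERIOD_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; return None if missing or malformed."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_certification(rec):
    """Return finding strings for one access-certification record (hypothetical schema)."""
    findings = []
    rid = rec.get("id", "<no id>")
    ts = _parse_ts(rec.get("reviewed_at"))
    if ts is None:
        findings.append(f"{rid}: missing or unparseable reviewed_at timestamp")
    elif not (PERIOD_START <= ts <= PERIOD_END):
        findings.append(f"{rid}: review timestamp outside reporting period")
    if not rec.get("reviewer"):
        findings.append(f"{rid}: no reviewer sign-off recorded")
    elif rec.get("reviewer") == rec.get("subject"):
        findings.append(f"{rid}: reviewer certified their own access")
    if not rec.get("owner"):
        findings.append(f"{rid}: no accountable owner linked")
    decision = rec.get("decision")
    if decision not in ("retain", "revoke"):
        findings.append(f"{rid}: decision must be 'retain' or 'revoke'")
    if decision == "revoke" and not rec.get("remediation_ticket"):
        findings.append(f"{rid}: revoke decision without remediation tracking")
    return findings


def check_privileged_change(evt):
    """Return finding strings for one elevated-access request/approval/revocation event."""
    findings = []
    eid = evt.get("id", "<no id>")
    requested = _parse_ts(evt.get("requested_at"))
    approved = _parse_ts(evt.get("approved_at"))
    revoked = _parse_ts(evt.get("revoked_at"))
    if requested is None or approved is None:
        findings.append(f"{eid}: request and approval must both be time-stamped")
    elif approved < requested:
        findings.append(f"{eid}: approval precedes request")
    if evt.get("approver") and evt.get("approver") == evt.get("requester"):
        findings.append(f"{eid}: requester approved their own elevation")
    if not evt.get("owner"):
        findings.append(f"{eid}: no accountable owner linked")
    if revoked is None:
        findings.append(f"{eid}: elevated access never revoked (or revocation not evidenced)")
    elif approved is not None and revoked < approved:
        findings.append(f"{eid}: revocation precedes approval")
    return findings


def audit_readiness(certifications, privileged_changes):
    """Summarise how many records would survive independent sampling without findings."""
    findings, clean = [], 0
    for rec in certifications:
        f = check_certification(rec)
        findings.extend(f)
        clean += not f
    for evt in privileged_changes:
        f = check_privileged_change(evt)
        findings.extend(f)
        clean += not f
    total = len(certifications) + len(privileged_changes)
    return {"total": total, "clean": clean, "findings": findings}


# Constructed sample evidence; the names and values are invented for illustration.
SAMPLE_CERTS = [
    {"id": "cert-1", "subject": "alice", "reviewer": "bob", "owner": "gl-app-owner",
     "reviewed_at": "2024-03-15T10:00:00Z", "decision": "retain"},
    {"id": "cert-2", "subject": "carol", "reviewer": "carol", "owner": "gl-app-owner",
     "reviewed_at": "2024-03-15T10:05:00Z", "decision": "revoke"},
    {"id": "cert-3", "subject": "dave", "reviewer": "bob", "owner": "",
     "reviewed_at": "2023-12-30T09:00:00Z", "decision": "retain"},
]
SAMPLE_PRIV = [
    {"id": "pam-1", "requester": "erin", "approver": "frank", "owner": "erp-owner",
     "requested_at": "2024-06-01T08:00:00Z", "approved_at": "2024-06-01T08:10:00Z",
     "revoked_at": "2024-06-01T12:00:00Z"},
    {"id": "pam-2", "requester": "gina", "approver": "gina", "owner": "erp-owner",
     "requested_at": "2024-06-02T08:00:00Z", "approved_at": "2024-06-02T07:50:00Z"},
]

if __name__ == "__main__":
    for line in audit_readiness(SAMPLE_CERTS, SAMPLE_PRIV)["findings"]:
        print(line)
```

Run against the sample data, the checker flags the self-certification and the untracked revocation in cert-2, the out-of-period review and missing owner in cert-3, and the self-approved, never-revoked, out-of-order elevation in pam-2, leaving only cert-1 and pam-1 as records an auditor could sample without a finding. The point of running something like this continuously, rather than at audit time, is that it turns the 404(b) sampling problem into a metric the control owner can watch during the reporting period.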
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- A plain-language breakdown of how 404(a) and 404(b) apply to different filer categories
- The compliance cost implications of external auditor involvement versus management-only assessment
- The article's own control checklist for teams preparing SOX evidence
- The source's summary of reporting obligations and audit expectations
👉 Read Zluri's breakdown of SOX 404(a) vs 404(b) compliance →
SOX 404 control differences: what identity teams need to know
Explore further
SOX 404 compliance becomes an identity governance problem as soon as access controls feed financial reporting. The article presents 404(a) and 404(b) as reporting distinctions, but the practitioner reality is that identity evidence is often what auditors inspect first. When access grants, recertification records, and privileged changes are incomplete, the compliance gap is not abstract. The implication is that identity controls must be designed as audit evidence, not just operational safeguards.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity evidence is often incomplete when auditors ask for it.
A question worth separating out:
Q: Who is accountable when SOX access controls fail an audit?
A: Accountability usually sits with the control owner, but audit failure often reflects shared weakness across finance, IAM, PAM, and system owners. The practical answer is to define who can explain the control, who can fix it, and who can attest that it worked during the reporting period.
👉 Read our full editorial: SOX 404(a) vs 404(b): control obligations for identity teams