TL;DR: SOX audits test access controls, segregation of duties, change management, and account activity to confirm financial reporting remains accurate and defensible, according to Zluri. For identity teams, the real issue is not the checklist itself but whether access reviews, evidence collection, and control ownership are reliable enough to survive audit scrutiny.
NHIMG editorial — based on content published by Zluri: Security & Compliance SOX Audit: Step-by-Step Process
Questions worth separating out
Q: How should security teams support SOX audits with identity governance?
A: Security teams should tie SOX controls to concrete identity evidence: who had access, who approved it, when it was reviewed, and whether conflicts were removed.
Q: Why do access reviews matter so much in SOX compliance?
A: Access reviews matter because SOX auditors need proof that entitlements match job function and that sensitive financial systems are not overexposed.
Q: What breaks when segregation of duties is weak in financial systems?
A: When segregation of duties is weak, one identity can influence the full transaction lifecycle, from creation to approval to reporting.
Practitioner guidance
- Map financial reporting paths to identity owners. Identify every identity that can create, approve, reconcile, or modify financial reporting data, then assign a named owner for each control boundary and exception path.
- Separate approval and execution rights. Review roles so no user or service account can both initiate and validate the same material financial workflow, especially where journal entries or access requests are involved.
- Automate access certification evidence. Use an access review workflow that records reviewer decisions, timestamps, and remediation outcomes in one system of record so auditors can trace control execution without manual reconstruction.
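The three points above are one procedure: flatten each identity's roles into effective actions, test those actions against segregation-of-duties rules that each carry a named control owner, and write the reviewer's decision into an evidence record. The following is an added worked example, not code from Zluri or from this editorial. Every identity, role, action, rule ID and owner in it is constructed for illustration; a real run would take the role-to-action mapping from the ERP or IGA export and the rules from the finance control matrix.

```python
"""Segregation-of-duties (SoD) check over identity entitlements.

Constructed example: the identities, roles, actions, rule IDs and control
owners below are hypothetical stand-ins for an IGA export and a SOX control
matrix. Service accounts are deliberately in scope, not exempt.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SodRule:
    """Two action sets one identity must never hold together, plus the
    named control owner accountable for any exception on this boundary."""
    rule_id: str
    initiate: frozenset   # actions that create or change a financial record
    validate: frozenset   # actions that approve, post or report on it
    owner: str


SOD_RULES = [
    SodRule("SOD-JE-01", frozenset({"journal.create"}),
            frozenset({"journal.approve", "journal.post"}), "gl-controller"),
    SodRule("SOD-ACC-01", frozenset({"access.request"}),
            frozenset({"access.approve"}), "iam-lead"),
    SodRule("SOD-RPT-01", frozenset({"journal.create", "journal.post"}),
            frozenset({"report.publish"}), "fin-reporting-owner"),
]

# Role -> actions it grants (constructed; normally sourced from the ERP/IGA).
ROLE_ACTIONS = {
    "ap-clerk":     {"journal.create"},
    "gl-approver":  {"journal.approve"},
    "gl-poster":    {"journal.post"},
    "report-admin": {"report.publish"},
    "access-admin": {"access.approve"},
    "requester":    {"access.request"},
    "erp-batch":    {"journal.create", "journal.post"},   # service-account role
}

# Identity -> roles (constructed). Note the NHI spanning the whole lifecycle.
ASSIGNMENTS = {
    "alice":         {"ap-clerk"},
    "bob":           {"ap-clerk", "gl-approver"},    # creates and approves
    "carol":         {"requester", "access-admin"},  # can approve own request
    "dave":          {"gl-poster"},
    "svc-erp-batch": {"erp-batch", "report-admin"},  # create, post, publish
}


def effective_actions(identity, assignments=ASSIGNMENTS, role_actions=ROLE_ACTIONS):
    """Flatten an identity's roles into the set of actions it can perform.
    An unknown identity or role contributes nothing."""
    actions = set()
    for role in assignments.get(identity, ()):
        actions |= role_actions.get(role, set())
    return actions


def find_sod_conflicts(assignments=ASSIGNMENTS, role_actions=ROLE_ACTIONS, rules=SOD_RULES):
    """One finding per (identity, rule) where the identity holds at least one
    'initiate' and one 'validate' action of the same rule. Each finding
    carries the control owner so it is routable, not just reportable."""
    findings = []
    for identity in sorted(assignments):
        held = effective_actions(identity, assignments, role_actions)
        for rule in rules:
            init_hit, val_hit = held & rule.initiate, held & rule.validate
            if init_hit and val_hit:
                findings.append({
                    "identity": identity, "rule_id": rule.rule_id, "owner": rule.owner,
                    "initiate": sorted(init_hit), "validate": sorted(val_hit),
                    "roles": sorted(assignments[identity]),
                })
    return findings


def certify(finding, reviewer, decision, remediation, now=None):
    """Build the evidence record an auditor needs: the finding, who reviewed
    it, when, the decision, and the remediation or compensating control.
    `now` is injectable so the timestamp can be fixed in tests."""
    if decision not in {"remove", "accept-exception"}:
        raise ValueError("decision must be 'remove' or 'accept-exception'")
    if decision == "accept-exception" and not remediation:
        raise ValueError("an accepted exception needs a documented compensating control")
    reviewed_at = (now or datetime.now(timezone.utc)).isoformat()
    return {**finding, "reviewer": reviewer, "decision": decision,
            "remediation": remediation, "reviewed_at": reviewed_at}


if __name__ == "__main__":
    for f in find_sod_conflicts():
        print(f"{f['identity']:14} {f['rule_id']:11} owner={f['owner']} "
              f"initiate={f['initiate']} validate={f['validate']}")
```

Run as written, it flags `bob` (create plus approve), `carol` (requests and approves access), and `svc-erp-batch` twice, because the batch account both posts what it creates and publishes the report built on it. The point of `certify` refusing an exception with no compensating control is that "accepted" without a documented reason is exactly the evidence gap an auditor will probe.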
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SOX audit process breakdown from risk assessment through control reporting
- Operational detail on access review, segregation of duties, and control documentation workflows
- Examples of how automated access review supports audit evidence collection and certification
- FAQ-style explanations of SOX versus SOC and who typically conducts the audit
👉 Read Zluri's step-by-step guide to SOX audit controls and access reviews →
SOX audit controls: what IAM teams need to tighten now
Explore further
SOX compliance is an identity governance problem before it is an audit problem. The article treats access controls, account activity, and segregation of duties as audit components, but the operational reality is that these are identity control decisions. If access is not governed at the identity layer, audit evidence becomes a retrospective defence rather than a control outcome. Practitioners should treat SOX as a test of identity operating discipline, not just of financial reporting process.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to our Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers, in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable for SOX control failures in IAM and access reviews?
A: Accountability usually sits with the control owner, but IAM, audit, finance, and application teams all share responsibility for the evidence chain. In practice, SOX accountability fails when no one owns the identity-to-control mapping, especially for privileged accounts and third-party access.
👉 Read our full editorial: SOX audit controls expose the IAM gaps in financial reporting