SOX compliance and access reviews: where teams still struggle


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: SOX programmes often fail where manual access reviews, segregation of duties checks, and audit readiness depend on scarce internal expertise, leaving organisations exposed to errors and remediation delays, according to Zluri. The governance lesson is broader than SOX: identity controls break when review cycles cannot keep pace with operational change.

NHIMG editorial — based on content published by Zluri: Career SOX Compliance Consultants: Critical Skills Required

Questions worth separating out

Q: How should teams improve SOX access reviews when reviews are still manual?

A: They should connect certification to authoritative identity and entitlement data, remove spreadsheet-only review flows, and require reviewer decisions to be backed by current system evidence.

Q: Why do segregation of duties controls fail in SOX programmes?

A: SoD fails when conflicting access is detected too late, when entitlement models do not cover all relevant systems, or when exceptions are handled informally.

Q: What signals show that SOX control remediation is working?

A: Look for reduced time from finding to closure, clear ownership for each issue, and closure evidence that an auditor can trace back to the original deficiency.

Practitioner guidance

  • Tie certification to authoritative identity data: replace spreadsheet-only review packets with current entitlement sources, reviewer attestations, and immutable evidence links so each access decision can be traced to the live system state.
  • Model SoD as a prevent-and-detect control: test segregation conflicts both before access approval and during periodic review, then document how exceptions are approved, time-boxed, and revalidated.
  • Build remediation ownership into every finding: assign one owner, one target date, and one closure artifact for each control deficiency so audit evidence proves the issue was closed rather than merely discussed.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of SOX consultant responsibilities across internal controls, walkthroughs, and remediation oversight.
  • The specific skills list Zluri uses to distinguish regulatory knowledge, financial acumen, and audit experience.
  • Examples of when organisations should bring in external SOX expertise, including IPO preparation and complex structures.
  • How Zluri positions access review automation and SoD controls inside a broader compliance workflow.

👉 Read Zluri's guide to SOX compliance consultant skills and access reviews →

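The "prevent-and-detect" SoD control described in the practitioner guidance above, as an added example that is not part of the original post and not Zluri's code. The rule IDs (SOD-01, SOD-02), entitlement names, users, approvers and dates are all constructed for illustration. The same toxic-combination rules are evaluated twice: once at request time against the entitlement set the user would hold after the grant (prevent), and once over a current entitlement snapshot (detect), with approved exceptions carrying an expiry so that a lapsed exception surfaces as a finding rather than silently continuing to cover the conflict.

```python
"""Segregation-of-duties (SoD) check run as both a preventive and a detective
control. Added example; rule IDs, entitlement names, users and dates are
constructed, not taken from the post or from any real system."""
from dataclasses import dataclass
from datetime import date

# Constructed toxic-combination rules: a user holding every entitlement in a
# set could both initiate and approve the same financial transaction.
SOD_RULES = {
    "SOD-01": frozenset({"AP_VENDOR_MASTER", "AP_PAYMENT_RELEASE"}),
    "SOD-02": frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),
}


@dataclass(frozen=True)
class ApprovedException:
    """A documented, time-boxed SoD exception (hypothetical record shape)."""
    user: str
    rule_id: str
    approver: str
    expires: date


def violated_rules(entitlements):
    """IDs of rules whose full toxic combination is present in the set."""
    return sorted(rid for rid, combo in SOD_RULES.items() if combo <= entitlements)


def active_exception(exceptions, user, rule_id, today):
    """Return the unexpired exception covering (user, rule), or None."""
    for e in exceptions:
        if e.user == user and e.rule_id == rule_id and e.expires >= today:
            return e
    return None


def check_request(user, requested, current, exceptions, today):
    """Preventive check at approval time: evaluate the entitlement set the user
    would hold AFTER the grant, so a request that completes a toxic pair is
    caught even though the requested item is harmless on its own."""
    before = violated_rules(current)
    new_violations = [r for r in violated_rules(current | {requested}) if r not in before]
    blocking = [r for r in new_violations
                if active_exception(exceptions, user, r, today) is None]
    if blocking:
        return {"decision": "deny", "rules": blocking}
    if new_violations:
        return {"decision": "allow_with_exception", "rules": new_violations}
    return {"decision": "allow", "rules": []}


def detect_conflicts(snapshot, exceptions, today):
    """Detective check over a current entitlement snapshot. Each finding names
    the user, the rule, and whether an approved, unexpired exception covers it."""
    findings = []
    for user, ents in sorted(snapshot.items()):
        for rid in violated_rules(ents):
            exc = active_exception(exceptions, user, rid, today)
            had_exception = any(e.user == user and e.rule_id == rid for e in exceptions)
            if exc is not None:
                status = "covered_by_exception"
            elif had_exception:
                status = "exception_expired"  # was approved once, needs revalidation
            else:
                status = "open"
            findings.append({"user": user, "rule": rid, "status": status})
    return findings


# Constructed sample data for the review cycle.
TODAY = date(2024, 6, 30)
SNAPSHOT = {
    "alice": {"AP_VENDOR_MASTER", "AP_PAYMENT_RELEASE"},  # undocumented conflict
    "bob":   {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"},   # conflict with live exception
    "carol": {"GL_JOURNAL_POST"},                         # no conflict
    "dave":  {"AP_VENDOR_MASTER", "AP_PAYMENT_RELEASE"},  # exception lapsed
}
EXCEPTIONS = [
    ApprovedException("bob", "SOD-02", "cfo", date(2024, 9, 30)),
    ApprovedException("dave", "SOD-01", "controller", date(2024, 3, 31)),
]

if __name__ == "__main__":
    # Prevent: carol asks for the approve right that would complete SOD-02.
    print(check_request("carol", "GL_JOURNAL_APPROVE", SNAPSHOT["carol"], EXCEPTIONS, TODAY))
    # Detect: periodic review over the snapshot.
    for finding in detect_conflicts(SNAPSHOT, EXCEPTIONS, TODAY):
        print(finding)
```

The point of keeping one rule table for both paths is that the preventive gate and the periodic review cannot drift apart; the exception registry is the only place where a conflict is allowed to persist, and its expiry date is what forces the revalidation the guidance calls for.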
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SOX consulting is really identity governance under financial-reporting pressure. The article shows that compliance quality depends on whether access reviews, SoD checks, and remediation can be operated consistently, not just described in policy. That is an identity governance problem with finance consequences, because control evidence is only credible when the underlying access state is continuously intelligible. Practitioners should treat SOX work as a governance operating model, not a checklist exercise.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many SOX-adjacent access reviews are starting from incomplete identity data rather than a reliable inventory.

A question worth separating out:

Q: Who should own SOX control evidence and review accountability?

A: Control owners should own the evidence, the business approver should own the access decision, and the governance team should own the operating cadence. That separation keeps accountability clear and prevents compliance work from becoming a shared but unowned process.

👉 Read our full editorial: SOX compliance consultants expose access review gaps in controls
