SOX compliance and user access reviews: where controls fail


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: SOX compliance depends on controlling who and what can access financial systems, because access reviews, segregation of duties, logging, and timely offboarding are the practical controls that keep reporting defensible, according to Zluri. The underlying governance problem is that access creep and weak review cycles can turn compliance into a paperwork exercise rather than an operating control.

NHIMG editorial — based on content published by Zluri: SOX Compliance, a comprehensive guide to access controls and user access reviews

Questions worth separating out

Q: What breaks when access reviews are not tied to current job roles?

A: When access reviews are disconnected from role changes, they confirm stale entitlements instead of current need.

Q: Why do user access reviews matter for SOX compliance?

A: User access reviews matter because they create evidence that financial system access is limited, appropriate, and periodically validated.

Q: What do security teams get wrong about segregation of duties?

A: Teams often treat segregation of duties as a role design exercise only, then stop there.

Practitioner guidance

  • Map financial-system entitlements to named owners: require every privileged and report-impacting entitlement to have a business owner who can approve, review, and revoke it.
  • Tie access reviews to lifecycle events: trigger recertification when a user changes role, joins finance, leaves the company, or gains access to a reporting system.
  • Separate conflicting financial duties in IAM: block role combinations that let one identity request, approve, and post the same transaction or change control state without independent oversight.

What's in the full article

Zluri's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step user access review workflows for finance systems, including how to structure review campaigns
  • Practical examples of segregation-of-duties checks across onboarding, role changes, and leaver processing
  • Automation patterns for logging, audit evidence, and recurring access certification in SOX environments
  • Detailed walkthroughs of how Zluri positions access review automation for compliance operations

👉 Read Zluri's full guide to SOX compliance and user access review →

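As an added example (not code from the Zluri guide or from the post above), the following Python check runs the three practitioner guidance points over a constructed entitlement inventory: it flags toxic request/approve/post combinations held by one identity, grants whose justifying role no longer matches the user's current role or that survive a leaver, and entitlements with no business owner. The conflict pairs, role names and sample users are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed toxic pairs: one identity must not hold both sides of a financial step.
SOD_CONFLICTS = {
    frozenset({"request_payment", "approve_payment"}),
    frozenset({"approve_payment", "post_journal"}),
    frozenset({"request_payment", "post_journal"}),
}

@dataclass
class Entitlement:
    name: str
    owner: "str | None"       # business owner able to approve, review, revoke
    granted_for_role: str     # role that justified the grant at the time

@dataclass
class Identity:
    user: str
    current_role: str
    active: bool              # False once HR marks the person a leaver
    entitlements: list = field(default_factory=list)

def sod_violations(ident):
    """Conflict pairs fully held by one identity (segregation-of-duties breach)."""
    held = {e.name for e in ident.entitlements}
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= held)

def stale_entitlements(ident):
    """Grants justified by a role the user no longer holds, or surviving a leaver."""
    return sorted(e.name for e in ident.entitlements
                  if not ident.active or e.granted_for_role != ident.current_role)

def review_findings(identities):
    """Map user -> findings that should trigger recertification or revocation."""
    out = {}
    for ident in identities:
        issues = [("sod_conflict", p) for p in sod_violations(ident)]
        issues += [("stale_grant", n) for n in stale_entitlements(ident)]
        issues += [("no_owner", e.name) for e in ident.entitlements if e.owner is None]
        if issues:
            out[ident.user] = issues
    return out

# Constructed sample inventory (illustrative only, not real data).
SAMPLE = [
    Identity("alice", "ap_clerk", True, [Entitlement("request_payment", "ap_manager", "ap_clerk"),
                                         Entitlement("approve_payment", "ap_manager", "ap_clerk")]),
    Identity("bob", "auditor", True, [Entitlement("post_journal", None, "gl_accountant")]),
    Identity("carol", "controller", False, [Entitlement("approve_payment", "cfo", "controller")]),
]
```

Calling `review_findings(SAMPLE)` reports alice's request/approve conflict, bob's grant left over from a previous role with no owner, and carol's entitlement that outlived her departure.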
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SOX is really a lifecycle control problem, not just a reporting requirement. The article repeatedly comes back to onboarding, role change, and leaver removal because those are the moments when access drifts away from intent. That is exactly where identity governance succeeds or fails: when entitlements outlive the business reason they were granted. Practitioners should read SOX as a demand for continuous lifecycle control, not periodic paperwork.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which makes SOX-style access review evidence difficult to trust across hybrid environments.

A question worth separating out:

Q: Who is accountable when access controls fail in SOX-scoped systems?

A: Accountability usually sits with the business owner of the system, the identity team that governs entitlement lifecycle, and the control owners who sign off on review evidence. SOX makes shared accountability unavoidable because compliance depends on both correct access design and proof that revocation, logging, and review actually happened.

👉 Read our full editorial: SOX compliance exposes access control gaps in financial reporting
