TL;DR: SOX compliance costs are rising, with Protiviti reporting that many companies now spend $1 million or more annually and that internal audit teams devote 5,000 to 10,000 hours to SOX work, much of it administrative. That makes access review automation and entitlement hygiene relevant to IAM programmes, but they do not remove the underlying governance burden.
NHIMG editorial — based on content published by Zluri: The Cost Of SOX Compliance In 2026
By the numbers:
- Protiviti's 2023 report says that over half of companies reported increased time requirements for achieving SOX compliance compared to previous years.
Questions worth separating out
Q: How can organisations reduce SOX compliance costs without weakening control quality?
A: Focus on evidence quality, not just audit staffing.
Q: Why do access reviews matter so much in SOX programmes?
A: Because they prove that access to financial systems is appropriate, approved, and periodically revalidated.
Q: What breaks when SOX access evidence still lives in spreadsheets?
A: Spreadsheets break traceability.
Practitioner guidance
- Map SOX controls to identity evidence sources: identify which access reviews, approvals, remediation records, and reviewer attestations are needed for each in-scope application.
- Cut spreadsheet dependency in review workflows: replace spreadsheet-based certification with workflow-based access review so timestamps, reviewer decisions, and exceptions are recorded automatically.
- Rationalise excessive entitlements before the next audit cycle: use past review findings to identify the roles, accounts, and applications that repeatedly generate exceptions.
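The three steps above describe one pipeline: a machine-readable certification record per reviewer decision, a validity check on that record so it can stand as audit evidence, and a pass over past cycles to find entitlements that keep coming back as exceptions. The following script is an added illustration written for this post; it is not code from Zluri or from any access review product. The application names, accounts, reviewers, and cycle labels are constructed sample data, and the record layout is an assumption about what a workflow tool would capture rather than any vendor's schema.

```python
"""Workflow-based access review evidence and recurring-exception analysis.

Added example (not Zluri's or NHIMG's code). Models the certification record a
workflow tool keeps for each reviewer decision, checks that the record is
usable as SOX evidence, then mines past cycles for entitlements that recur as
exceptions. All systems, accounts, reviewers and dates are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

ALLOWED_DECISIONS = {"approve", "revoke", "exception"}


@dataclass(frozen=True)
class ReviewDecision:
    cycle: str          # review cycle label, e.g. "2025-Q1" (constructed)
    application: str    # in-scope financial system (constructed name)
    account: str        # account whose access was reviewed
    entitlement: str    # role or permission being certified
    reviewer: str       # identity of the attesting reviewer
    decision: str       # "approve" | "revoke" | "exception"
    reason: str = ""    # mandatory for revoke and exception
    recorded_at: str = ""  # ISO-8601 timestamp written by the workflow


def validate(rec: ReviewDecision) -> list:
    """Return evidence defects for one record; an empty list means audit-ready.

    These checks are what a spreadsheet cannot enforce: every decision has a
    known value, a named reviewer, a parseable timestamp, and exceptions or
    revocations carry a justification that an auditor can trace.
    """
    problems = []
    if rec.decision not in ALLOWED_DECISIONS:
        problems.append(f"unknown decision {rec.decision!r}")
    if rec.decision in ("revoke", "exception") and not rec.reason.strip():
        problems.append("revoke/exception recorded without a reason")
    if not rec.reviewer.strip():
        problems.append("missing reviewer identity")
    try:
        datetime.fromisoformat(rec.recorded_at)
    except ValueError:
        problems.append("recorded_at is not an ISO-8601 timestamp")
    return problems


def recurring_exceptions(records, min_cycles: int = 2) -> dict:
    """Map (application, account, entitlement) -> sorted cycles in which it was
    granted an exception, keeping only entries seen in >= min_cycles cycles.
    These are the entitlements to rationalise before the next audit cycle."""
    seen = defaultdict(set)
    for rec in records:
        if rec.decision == "exception":
            seen[(rec.application, rec.account, rec.entitlement)].add(rec.cycle)
    return {key: sorted(cycles) for key, cycles in seen.items()
            if len(cycles) >= min_cycles}


def exception_rate_by_application(records) -> dict:
    """Share of decisions per application that ended as exceptions (0.0 to 1.0),
    a quick way to rank which in-scope systems drive the review overhead."""
    totals, exceptions = defaultdict(int), defaultdict(int)
    for rec in records:
        totals[rec.application] += 1
        if rec.decision == "exception":
            exceptions[rec.application] += 1
    return {app: exceptions[app] / totals[app] for app in totals}


# Constructed sample: three quarterly cycles over two hypothetical ERP modules.
SAMPLE_REVIEWS = [
    ReviewDecision("2025-Q1", "ERP-GL", "jdoe", "GL_POST", "a.chen", "approve",
                   "", "2025-03-28T10:00:00+00:00"),
    ReviewDecision("2025-Q1", "ERP-GL", "svc-batch", "GL_ADMIN", "a.chen", "exception",
                   "needed for quarter close; compensating control CC-7", "2025-03-28T10:05:00+00:00"),
    ReviewDecision("2025-Q1", "ERP-AP", "mlee", "AP_PAY", "b.ortiz", "revoke",
                   "left finance team", "2025-03-29T09:00:00+00:00"),
    ReviewDecision("2025-Q2", "ERP-GL", "svc-batch", "GL_ADMIN", "a.chen", "exception",
                   "same justification as Q1", "2025-06-27T11:00:00+00:00"),
    ReviewDecision("2025-Q2", "ERP-GL", "jdoe", "GL_POST", "a.chen", "approve",
                   "", "2025-06-27T11:02:00+00:00"),
    ReviewDecision("2025-Q3", "ERP-GL", "svc-batch", "GL_ADMIN", "a.chen", "exception",
                   "still required", "2025-09-26T12:00:00+00:00"),
    # Deliberately defective record: an exception with no justification.
    ReviewDecision("2025-Q3", "ERP-AP", "rkim", "AP_PAY", "b.ortiz", "exception",
                   "", "2025-09-26T12:10:00+00:00"),
]


if __name__ == "__main__":
    for rec in SAMPLE_REVIEWS:
        for problem in validate(rec):
            print(f"evidence defect [{rec.cycle} {rec.application} {rec.account}]: {problem}")
    for key, cycles in recurring_exceptions(SAMPLE_REVIEWS).items():
        print("recurring exception:", key, "in", ", ".join(cycles))
    print("exception rate by application:", exception_rate_by_application(SAMPLE_REVIEWS))
```

Run as-is, the script flags the Q3 record that has no justification and reports the batch service account's GL_ADMIN entitlement as an exception in all three cycles, which is the kind of upstream entitlement problem the guidance says to fix rather than re-approve each quarter. In a real deployment the records would be pulled from the review tool's export or API rather than embedded in the file.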
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step recommendations for reducing SOX review overhead through access review tooling and workflow automation
- Detailed breakdown of where administrative time is spent across SOX programmes and how that changes cost modelling
- Specific examples of how access review reporting supports audit readiness for financial controls
- Practical guidance on aligning remediation workflows with access certification outcomes
👉 Read Zluri's analysis of SOX compliance costs and access review automation →
SOX compliance costs and access reviews: where do identity controls fit?
Explore further
SOX cost inflation is often an identity governance problem disguised as an audit problem. The article shows that a large share of compliance spend comes from repetitive evidence collection, reviewer coordination, and manual reconciliation. That is exactly where identity governance, access review, and privilege control either compress or amplify programme cost. The practitioner conclusion is simple: if identity evidence is not machine-readable, SOX will remain labour-heavy.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when SOX remediation keeps recurring every quarter?
A: Accountability sits with the control owners, not just the auditors. If the same access exceptions keep returning, the programme has not fixed the upstream entitlement, lifecycle, or approval issue. Frameworks such as the NIST Cybersecurity Framework 2.0 support that accountability by tying control ownership to repeatable governance outcomes.
👉 Read our full editorial: SOX compliance costs expose the limits of access review automation