TL;DR: SOX controls are internal controls for accurate financial reporting, and the article stresses segregation of duties, approvals, reconciliations, access management, and auditability as core patterns for compliance, according to Zluri. The identity lesson is that financial control failures often start with excessive access, weak review discipline, and unmonitored privileged activity, not just accounting process errors.
NHIMG editorial — based on content published by Zluri: What are SOX controls?
Questions worth separating out
Q: How should security teams enforce segregation of duties in financial systems?
A: Break financial workflows into distinct entitlement sets so no single identity can create, approve, post, and reconcile the same transaction.
Q: Why do access reviews matter for SOX compliance?
A: Access reviews matter because SOX depends on proving that only authorised identities can touch regulated financial data and approvals.
Q: What do teams get wrong about automated SOX controls?
A: Teams often assume automation alone creates compliance, but automated controls only work when the underlying roles, rules, and evidence are accurate.
Practitioner guidance
- Separate financial transaction roles: review whether any identity can initiate, approve, post, and reconcile the same regulated transaction.
- Tie approvals to auditable evidence: require logged approval paths for journal entries, access exceptions, and control overrides.
- Run entitlement reviews on regulated systems: prioritise applications that feed financial reporting and verify who can read, change, or approve regulated data.
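As an added example (not code from Zluri's article or from NHIMG), the segregation-of-duties check behind the first item above, in Python: resolve each identity's effective entitlements through its roles, then flag toxic duty combinations held on the same transaction type. Identity, role and transaction names are constructed sample data, and the conflict matrix is an assumed policy, not one the article prescribes.

```python
from itertools import combinations

# Constructed sample: role -> set of (transaction_type, duty) entitlements,
# as an entitlement export from an ERP would look. Names are assumptions.
ROLE_ACTIONS = {
    "ap_clerk":     {("journal_entry", "create")},
    "ap_manager":   {("journal_entry", "approve")},
    "gl_poster":    {("journal_entry", "post")},
    "reconciler":   {("journal_entry", "reconcile")},
    "vendor_clerk": {("vendor_master", "create")},
    "erp_admin":    {("journal_entry", "create"), ("journal_entry", "approve"),
                     ("journal_entry", "post"), ("journal_entry", "reconcile")},
}

# Constructed identity -> roles mapping; includes a non-human identity.
IDENTITY_ROLES = {
    "alice":         ["ap_clerk"],
    "bob":           ["ap_manager", "gl_poster"],
    "carol":         ["reconciler", "vendor_clerk"],
    "svc-erp-batch": ["erp_admin"],
}

# Assumed SoD policy: duty pairs one identity must never hold on the
# same transaction type. Pairs are unordered, hence frozenset.
CONFLICTS = {
    frozenset({"create", "approve"}),
    frozenset({"approve", "post"}),
    frozenset({"post", "reconcile"}),
    frozenset({"create", "reconcile"}),
}

def effective_entitlements(identity):
    """Union of entitlements granted through every role the identity holds."""
    ents = set()
    for role in IDENTITY_ROLES.get(identity, []):
        ents |= ROLE_ACTIONS.get(role, set())
    return ents

def sod_violations(identity):
    """Sorted (transaction_type, duty_a, duty_b) tuples that breach CONFLICTS.
    Duties are grouped per transaction type, so 'create' on vendor_master and
    'reconcile' on journal_entry do not conflict with each other."""
    by_txn = {}
    for txn, duty in effective_entitlements(identity):
        by_txn.setdefault(txn, set()).add(duty)
    found = []
    for txn, duties in by_txn.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((txn, a, b))
    return sorted(found)

def review_all():
    """Identities with at least one violation; input for an access review."""
    return {i: sod_violations(i) for i in IDENTITY_ROLES if sod_violations(i)}
```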
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of the main SOX control categories and how each one is applied in practice.
- Examples of preventive, detective, hard, soft, manual, and automated controls in financial governance.
- A deeper walkthrough of access management, audit testing, and control ownership in regulated environments.
👉 Read Zluri's guide to SOX controls and financial reporting governance →
SOX controls and access reviews: what IAM teams are missing?
Explore further
SOX control failure is often an identity failure first. The article treats financial reporting as a governance discipline, but the control surface is dominated by access, approvals, and reviewability. When an identity can create, approve, and reconcile the same financial event, the control environment has already collapsed. Practitioners should treat SOX as a signal to tighten financial identity boundaries, not merely a compliance checklist.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when SOX access controls fail?
A: Accountability usually sits with the control owner, the system owner, and the governance function together, because SOX failures are rarely caused by one isolated mistake. If approval design, entitlement scope, and review cadence are all weak, accountability must extend across each layer of the control environment.
👉 Read our full editorial: SOX controls expose the identity governance gap in financial reporting