TL;DR: SOX IT general controls shape the reliability of financial reporting by governing account creation, access, patching, logging, change management, and backup practices, according to Zluri. For identity teams, the message is clear: financial control failures are often access-control failures first, not reporting problems later.
NHIMG editorial — based on content published by Zluri: Access Management SOX ITGC: Controls That Help Build Reliable Financial System
Questions worth separating out
Q: How should teams control access to financial systems under SOX ITGC?
A: Teams should treat access to financial systems as a high-assurance governance problem: every grant has a named approver who is not the beneficiary, privileged access is reviewed on a schedule against business need, and every privileged action lands in an audit log the auditor can rely on.
Q: Why do access controls matter so much for SOX compliance?
A: Because access is where financial control failures usually start: an unauthorised or over-privileged account can alter financial data long before any reporting control notices.
Q: What do organisations get wrong about SOX IT general controls?
A: They often treat ITGC as a documentation exercise instead of an operating discipline.
Practitioner guidance
- Map financial-system access paths end to end: document who can request, approve, and provision access for ERP and other financial applications, then separate those duties so no single identity can approve its own access, or both approve a grant and provision it.
- Tighten change approval before production release: require testing evidence, business sign-off, and a rollback plan for every configuration change that affects financial reporting systems or the integrations connected to them.
- Review privileged accounts on a fixed cadence: validate administrator and break-glass access against business need, remove entitlements that are stale or never used, and verify that privileged actions recorded by the application actually reach the central audit log.
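The three guidance items above translate into checks an IAM team can run over its own exports before an auditor does. The script below is an added example, not code from Zluri or NHIMG: it evaluates constructed sample records for segregation-of-duties conflicts in the grant workflow, stale or never-used privileged entitlements, production changes released without complete approval evidence, and privileged application events that never reached the central audit log. The record field names, the role names in `PRIVILEGED_ROLES`, the 90-day idle threshold and all sample data are assumptions for illustration.

```python
"""SOX ITGC access-review checks (added example; constructed sample data).
Field names, role names and the idle threshold are assumptions, not a standard."""
from datetime import date

MAX_IDLE_DAYS = 90                                    # assumed review threshold
PRIVILEGED_ROLES = {"erp_admin", "break_glass", "journal_approver"}  # assumed

# Constructed access-request log: who asked, who approved, who provisioned.
REQUESTS = [
    {"id": "REQ-1", "subject": "alice", "requested_by": "alice",
     "approved_by": "bob", "provisioned_by": "iam-svc"},
    {"id": "REQ-2", "subject": "carol", "requested_by": "henry",
     "approved_by": "carol", "provisioned_by": "iam-svc"},     # approved own access
    {"id": "REQ-3", "subject": "dave", "requested_by": "erin",
     "approved_by": "frank", "provisioned_by": "frank"},        # approver provisioned
    {"id": "REQ-4", "subject": "ivan", "requested_by": "jane",
     "approved_by": "jane", "provisioned_by": "iam-svc"},       # requester approved
]

# Constructed entitlement export with last-use dates (None = never exercised).
ENTITLEMENTS = [
    {"identity": "alice", "system": "erp", "role": "ap_clerk",
     "last_used": date(2024, 5, 30)},
    {"identity": "bob", "system": "erp", "role": "erp_admin",
     "last_used": date(2024, 1, 15)},                           # idle admin
    {"identity": "svc-backup", "system": "erp", "role": "break_glass",
     "last_used": None},                                        # never used
    {"identity": "grace", "system": "erp", "role": "journal_approver",
     "last_used": date(2024, 5, 28)},
]

# Constructed change records for releases touching financial systems.
CHANGES = [
    {"id": "CHG-10", "test_evidence": True, "business_signoff": "bob", "rollback_plan": True},
    {"id": "CHG-11", "test_evidence": False, "business_signoff": "bob", "rollback_plan": True},
    {"id": "CHG-12", "test_evidence": True, "business_signoff": None, "rollback_plan": False},
]

# Constructed application activity feed and the event ids seen in the central log.
APP_EVENTS = [
    {"event_id": "e1", "actor": "bob", "action": "role_grant", "privileged": True},
    {"event_id": "e2", "actor": "alice", "action": "invoice_view", "privileged": False},
    {"event_id": "e3", "actor": "grace", "action": "journal_post", "privileged": True},
]
CENTRAL_AUDIT_LOG_IDS = {"e1", "e2"}                 # e3 never reached the SIEM


def sod_violations(requests):
    """Requests where one identity held two roles in the grant workflow."""
    findings = []
    for r in requests:
        if r["approved_by"] == r["subject"]:
            findings.append((r["id"], "subject approved own access"))
        if r["approved_by"] == r["requested_by"]:
            findings.append((r["id"], "requester approved own request"))
        if r["approved_by"] == r["provisioned_by"]:
            findings.append((r["id"], "approver also provisioned"))
    return findings


def stale_privileged(entitlements, today):
    """Privileged entitlements idle for more than MAX_IDLE_DAYS, or never used."""
    findings = []
    for e in entitlements:
        if e["role"] not in PRIVILEGED_ROLES:
            continue
        idle = None if e["last_used"] is None else (today - e["last_used"]).days
        if idle is None or idle > MAX_IDLE_DAYS:
            findings.append((e["identity"], e["system"], e["role"], idle))
    return findings


def change_gaps(changes):
    """Changes released without test evidence, business sign-off or a rollback plan."""
    required = ("test_evidence", "business_signoff", "rollback_plan")
    return [(c["id"], [k for k in required if not c[k]])
            for c in changes if any(not c[k] for k in required)]


def audit_gaps(app_events, central_ids):
    """Privileged actions in the application feed missing from the central log."""
    return [ev["event_id"] for ev in app_events
            if ev["privileged"] and ev["event_id"] not in central_ids]


def run_review(today=date(2024, 6, 1)):
    """Assemble the findings an access review would hand to the control owner."""
    return {
        "sod": sod_violations(REQUESTS),
        "stale_privileged": stale_privileged(ENTITLEMENTS, today),
        "change_gaps": change_gaps(CHANGES),
        "audit_gaps": audit_gaps(APP_EVENTS, CENTRAL_AUDIT_LOG_IDS),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings}")
```

Each check keys on the same identity fields the guidance names (requester, approver, provisioner, last use, event id), so the output doubles as review evidence: an empty list per check is the claim the control operated, and a non-empty one is the exception the owner must remediate and document.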
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how ITGC maps to account creation, access control, patching, logging, and backups in a SOX environment.
- Practical examples of how access reviews and admin controls are evaluated during SOX audits.
- More detail on the difference between IT general controls and application controls in financial systems.
- Implementation and evaluation timelines for SOX ITGC preparation and review.
👉 Read Zluri's analysis of SOX ITGC access controls for financial systems →
SOX ITGC access controls: what IAM teams need to tighten
Explore further
SOX ITGC is fundamentally an identity governance control set, not just an audit checklist. The article correctly places account creation, user access, and auditability at the centre of financial reliability because those are the points where identity becomes operational risk. For practitioners, the lesson is that financial reporting controls fail first when access governance is weak, not when the spreadsheet is wrong.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when SOX ITGC controls fail?
A: Accountability sits with the programme owners who design, approve, and operate the controls, even if external auditors validate them later. The organisation must be able to show who owns access decisions, who approves changes, and who verifies that audit evidence and recovery processes actually work.
👉 Read our full editorial: SOX ITGC access controls define reliable financial reporting