TL;DR: SOX walkthroughs test whether internal controls are designed and operating effectively, but the article shows that documentation gaps, limited historical evidence, and weak data acquisition can undermine SOX compliance, according to Zluri. The practical takeaway is that financial control testing now depends on identity, access, and evidence governance as much as on audit procedure.
NHIMG editorial — based on content published by Zluri: Security & Compliance SOX Walkthrough: Challenges & Best Practices
By the numbers:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should teams make SOX walkthrough evidence audit-ready?
A: They should define a single evidence standard for each control, then collect the control description, owner, approval trail, exception handling, and remediation record in one place.
Q: Why do access reviews matter in SOX control testing?
A: Access reviews matter because financially relevant controls often depend on who could change data, approve transactions, or maintain systems.
Q: What breaks when documentation standards are inconsistent across teams?
A: Control traceability breaks: auditors can no longer follow a control from its description to its owner, approval trail, exception handling, and remediation record, so evidence may exist but cannot be tied to the control it is meant to support.
Practitioner guidance
- Standardise control evidence packs: bundle risk control matrices, flowcharts, approval records, and remediation notes into a single audit-ready evidence set for each SOX control.
- Tie access reviews to financial controls: map every financially relevant system and privileged account to a named control owner, review cadence, and documented approval path.
- Track control drift continuously: monitor overdue reviews, missing approvals, and unresolved exceptions throughout the year so the walkthrough does not become a reconstruction exercise.
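As an added example (not code from the Zluri article or the NHIMG post), the drift check in the last item written in Python over a constructed evidence set: each record carries the owner, review date, cadence, approvals and open exceptions the guidance names, and the control identifiers, field names and sample values are assumptions.

```python
# Added example, not code from the Zluri article or the NHIMG post: a per-control
# SOX evidence record and a drift check for overdue reviews, missing approvals,
# unresolved exceptions and unassigned owners. Field names and samples are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class ControlEvidence:
    control_id: str
    system: str                # financially relevant system the control covers
    owner: str                 # named control owner ("" means unassigned)
    last_review: date          # date of the most recent access review
    cadence_days: int          # agreed review cadence for this control
    approvals: list = field(default_factory=list)        # approvers on record
    open_exceptions: list = field(default_factory=list)  # unresolved exception ids

def control_drift(ctrl: ControlEvidence, today: date) -> list:
    """Return drift findings for one control; an empty list means no drift."""
    findings = []
    if not ctrl.owner:
        findings.append("no named control owner")
    due = ctrl.last_review + timedelta(days=ctrl.cadence_days)
    if today > due:  # a review is late only once the cadence window has passed
        findings.append(f"review overdue since {due}")
    if not ctrl.approvals:
        findings.append("no approval on record")
    if ctrl.open_exceptions:
        findings.append("unresolved exceptions: " + ", ".join(ctrl.open_exceptions))
    return findings

def drift_report(controls, today: date) -> dict:
    """Map control_id -> findings for every control that has drifted."""
    report = {}
    for ctrl in controls:
        findings = control_drift(ctrl, today)
        if findings:
            report[ctrl.control_id] = findings
    return report

# Constructed sample evidence set and reporting date (not real controls).
AS_OF = date(2024, 3, 1)
SAMPLE_CONTROLS = [
    ControlEvidence("ITGC-01", "ERP", "finance-lead", date(2024, 1, 15), 90, ["cfo"]),
    ControlEvidence("ITGC-02", "ERP", "", date(2023, 10, 1), 90, [], ["EXC-7"]),
    ControlEvidence("ITGC-03", "payroll", "hr-lead", date(2024, 2, 1), 30, ["controller"]),
]

if __name__ == "__main__":
    for cid, issues in drift_report(SAMPLE_CONTROLS, AS_OF).items():
        print(cid, "->", "; ".join(issues))
```

Run against a real evidence export, the same report is what a year-round drift monitor would raise before the walkthrough rather than during it.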
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SOX walkthrough preparation across IT, finance, audit, and compliance stakeholders.
- Document templates and review questions for risk control matrices, flowcharts, and supporting evidence.
- Practical guidance for using access review outputs as audit-ready proof.
- How Zluri frames access automation in the context of compliance operations.
👉 Read Zluri's SOX walkthrough guide for compliance and control testing detail →
SOX walkthroughs and identity governance gaps in financial controls?
Explore further
SOX walkthroughs fail first as an evidence problem, not a policy problem. The article shows that control design, supporting documents, and review discipline matter because auditors need proof that controls operated as intended. In identity programmes, the same failure appears when access evidence is scattered across systems, spreadsheets, and manual approvals. The practitioner conclusion is that control assurance depends on traceable identity evidence, not on policy wording alone.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who should own SOX evidence when IT and finance both touch the process?
A: Ownership should sit with the control owner, but evidence collection should be coordinated across IT, finance, and compliance. Each team contributes different proof points, yet auditors need one coherent record. If ownership is vague, accountability fragments and the walkthrough becomes harder to defend.
👉 Read our full editorial: SOX walkthroughs expose identity governance gaps in financial controls