

SOX

SOX is where access to financial systems becomes a public-filing risk and weak identity becomes a material weakness.

Full name: Sarbanes-Oxley Act (US Public Company Accounting Reform and Investor Protection Act of 2002)
Region: United States (extraterritorial for foreign issuers listed in the US)
Applies to: US-listed public companies and their auditors. Identity controls fall inside the Section 404 internal-control-over-financial-reporting regime — particularly the IT general controls (ITGCs) that auditors test every year.

SOX Section 404 requires management to assess, and the external auditor to opine on, the effectiveness of internal controls over financial reporting (ICFR). In practice the audit work centres on IT general controls — change management, operations, and access control. Identity sits squarely inside the access-control pillar and is consistently the area where SOX deficiencies and material weaknesses originate.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

Logical access (PCAOB AS 2201 and SEC ICFR guidance)

Auditors test how access to financial-reporting applications and the supporting infrastructure is provisioned, modified, and removed. Segregation of duties between initiator, approver, and reviewer is examined at the role and entitlement level.

Privileged access

Database administrator, sysadmin, and emergency access to financial systems must be restricted, logged, and reviewed. Generic 'sa' or 'admin' accounts, shared service-account passwords, and unmonitored privileged sessions are common audit findings.

User access reviews

Periodic recertification of who has access to financial-reporting applications, performed by an appropriate reviewer with evidence retained. Auditors look for the evidence package, not the policy.

Joiner / mover / leaver evidence

Auditors sample new hires, role changes, and terminations to verify that access was provisioned, modified, or revoked promptly. A 30-day deprovisioning lag for a finance user is a finding.
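The logical-access clause above says segregation of duties is examined at the entitlement level, not the role level. The check below is an added example (not code from the original page or from Atlas Apex) that expands a user's roles into entitlements and tests them against a constructed initiator/approver conflict matrix. The entitlement names, roles and users are all constructed; in practice the conflict pairs come from the finance process owners and the role-to-entitlement map from the application's own export.

```python
"""Segregation-of-duties check at the entitlement level (added example).

All entitlement names, roles, users and conflict pairs below are constructed
for illustration; they are not taken from any real finance application.
"""

# Constructed: pairs of entitlements that must not sit with one person,
# because holding both lets a user initiate and approve the same transaction.
SOD_CONFLICTS = [
    ("AP_INVOICE_CREATE", "AP_INVOICE_APPROVE"),
    ("VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"),
    ("JOURNAL_ENTRY_POST", "JOURNAL_ENTRY_REVIEW"),
]

# Constructed: role-to-entitlement map as a finance application would export it.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"AP_INVOICE_CREATE", "VENDOR_MASTER_EDIT"},
    "AP_MANAGER": {"AP_INVOICE_APPROVE", "AP_PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"JOURNAL_ENTRY_POST"},
    "CONTROLLER": {"JOURNAL_ENTRY_REVIEW"},
}

# Constructed: role assignments. Looked at role by role, nothing is wrong;
# the conflicts only appear once roles are expanded to entitlements.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},        # clerk who can also approve and pay
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"GL_ACCOUNTANT", "CONTROLLER"},  # posts and reviews own journals
}


def expand_entitlements(user_roles, role_entitlements):
    """Return {user: set of entitlements} by unioning every assigned role."""
    expanded = {}
    for user, roles in user_roles.items():
        entitlements = set()
        for role in roles:
            entitlements |= role_entitlements.get(role, set())
        expanded[user] = entitlements
    return expanded


def find_sod_conflicts(user_entitlements, conflicts):
    """Return (user, entitlement_a, entitlement_b) for every violated pair.

    Users are visited in sorted order and pairs in matrix order, so the
    output is stable and can be diffed between review cycles.
    """
    findings = []
    for user, entitlements in sorted(user_entitlements.items()):
        for a, b in conflicts:
            if a in entitlements and b in entitlements:
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(
        expand_entitlements(USER_ROLES, ROLE_ENTITLEMENTS), SOD_CONFLICTS
    ):
        print(f"SoD conflict: {user} holds both {a} and {b}")
```

The point an auditor will make is visible in the sample data: bob and dave each hold only two legitimately defined roles, and the conflict is invisible until the roles are flattened to entitlements. Run the expansion against a live export rather than a spreadsheet copy, so the result reflects what the application actually enforces.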

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Access reviews completed by the wrong reviewer — typically the requester instead of the data owner. Auditors will retest.

Privileged service accounts shared across teams, with no rotation and no individual accountability when used.

Termination evidence proving the AD account was disabled, while the finance application still has a separate local account that lives on.

Excel-based access matrices that drift from the actual entitlements in the system between audits.
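Two of the misses above (the finance application's local account outliving the disabled AD account, and the access matrix drifting from live entitlements) and the leaver-evidence test in the section before are all reconciliation problems. The script below is an added example, not code from the original page or from Atlas Apex: it joins a constructed HR leaver feed against constructed AD and finance-application exports, reports the deprovisioning lag per leaver, flags any local account still enabled, and diffs an approved access matrix against live entitlements. The `max_lag_days` tolerance, the dates and every account name are constructed assumptions.

```python
"""JML leaver reconciliation and access-matrix drift (added example).

HR records, directory exports, account names, dates and the lag tolerance
are all constructed sample data; they are not from any real environment.
"""
from datetime import date

# Constructed HR feed: username -> termination effective date.
HR_LEAVERS = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 3, 15),
    "erin": date(2024, 4, 2),
}

# Constructed AD export: enabled flag and the date the account was disabled.
AD_ACCOUNTS = {
    "alice": {"enabled": False, "disabled_on": date(2024, 3, 1)},
    "bob": {"enabled": False, "disabled_on": date(2024, 4, 20)},  # 36-day lag
    "erin": {"enabled": True, "disabled_on": None},               # never disabled
    "carol": {"enabled": True, "disabled_on": None},
}

# Constructed finance-application local accounts, separate from AD.
FINANCE_LOCAL_ACCOUNTS = {
    "alice": {"enabled": True},  # AD disabled on time, local account lives on
    "carol": {"enabled": True},
}

# Constructed: the spreadsheet access matrix vs. the application's live export.
APPROVED_MATRIX = {
    "carol": {"GL_VIEW"},
    "frank": {"AP_INVOICE_CREATE"},
}
LIVE_ENTITLEMENTS = {
    "carol": {"GL_VIEW", "AP_PAYMENT_RELEASE"},  # granted outside the matrix
    "frank": set(),                               # matrix is stale
}


def leaver_findings(hr_leavers, ad_accounts, finance_accounts, as_of, max_lag_days=2):
    """Return (user, code, detail) tuples for every leaver whose access lingered.

    max_lag_days is a constructed tolerance; the page notes that a 30-day
    lag for a finance user is a finding, so the bar should be far below that.
    """
    findings = []
    for user, left_on in sorted(hr_leavers.items()):
        ad = ad_accounts.get(user)
        if ad is None:
            findings.append((user, "NO_AD_RECORD", None))
        elif ad["enabled"]:
            findings.append((user, "AD_STILL_ENABLED", (as_of - left_on).days))
        else:
            lag = (ad["disabled_on"] - left_on).days
            if lag > max_lag_days:
                findings.append((user, "AD_DISABLE_LAG", lag))
        # The AD check alone is the evidence gap described above: look at the
        # application's own account store as well.
        local = finance_accounts.get(user)
        if local is not None and local["enabled"]:
            findings.append((user, "LOCAL_ACCOUNT_ACTIVE", None))
    return findings


def matrix_drift(approved, live):
    """Return (user, extra, missing) where the spreadsheet and the app disagree."""
    drift = []
    for user in sorted(set(approved) | set(live)):
        want = approved.get(user, set())
        have = live.get(user, set())
        extra, missing = sorted(have - want), sorted(want - have)
        if extra or missing:
            drift.append((user, extra, missing))
    return drift


if __name__ == "__main__":
    for finding in leaver_findings(HR_LEAVERS, AD_ACCOUNTS, FINANCE_LOCAL_ACCOUNTS, date(2024, 5, 1)):
        print("leaver:", finding)
    for finding in matrix_drift(APPROVED_MATRIX, LIVE_ENTITLEMENTS):
        print("drift:", finding)
```

Both functions return structured tuples rather than printed prose so the output can be written to an evidence file with the run date and the export timestamps, which is the package auditors ask for. The drift check is the same comparison an access review should be built on: if the matrix and the live export disagree, the review certified the wrong thing.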

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Identity governance integrated with the financial-reporting applications so reviews use live entitlement data, not point-in-time exports.

Privileged-access management with session recording, just-in-time elevation, and per-session approvals — the same evidence pack satisfies SOX and any concurrent SOC 2 / ISO audit.

Joiner / mover / leaver workflows that produce immutable audit trails consumable by the SOX testing programme without manual reconstruction.

Need a SOX-ready identity baseline?

We start with an assessment that maps your identity controls to SOX requirements, then design and operate the controls that close the gaps.

Book a Conversation