
SOX Compliance

The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to major corporate accounting scandals (Enron, WorldCom, Tyco). SOX requires public companies to establish, document, test, and maintain internal controls over financial reporting — and IAM controls are a critical component of those internal controls.

SOX Sections Relevant to IAM

Section 302 — Corporate Responsibility for Financial Reports

CEOs and CFOs must certify quarterly and annually that financial reports are accurate and that they are responsible for establishing and maintaining internal controls. This creates personal liability for executives, making them direct stakeholders in IAM effectiveness.

IAM implications:

  • Financial system access must be tightly controlled and reviewed
  • Executives must have visibility into who has access to financial data
  • Access control deficiencies must be reported to the audit committee
  • Certifying officers must be notified of IAM control failures in a timely manner

Section 404 — Management Assessment of Internal Controls

The most significant section for IAM. Management must assess and report on the effectiveness of internal controls over financial reporting, and the external auditor must attest to this assessment.

IAM controls that typically fall under Section 404:

| Control Area | Example Control | Testing Approach |
| --- | --- | --- |
| User access provisioning | Only authorised users receive access to financial systems | Test user creation against authorised request documentation |
| Access termination | Access revoked within 24 hours of termination | Test terminated user accounts for active access |
| Access certification | Quarterly recertification of financial system access | Test certification completion rate and remediation |
| Segregation of duties | SoD controls prevent conflicting access combinations | Test for toxic combinations in financial systems |
| Privileged access | Privileged access to financial systems is logged and reviewed | Test privileged activity logs for review completion |
| Password controls | Password policies meet minimum standards | Test password complexity, rotation, lockout settings |
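The "access revoked within 24 hours of termination" row is the kind of Section 404 control that is tested over the full population rather than by sampling. The following is an added example, not code from the original page: it joins a constructed HRIS termination feed with a constructed account export from a financial system and classifies every terminated user as pass, late, or still active as of the test date. The record layout, field names and sample timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Control under test: access revoked within 24 hours of termination.
SLA = timedelta(hours=24)

# Constructed HRIS termination feed (ISO-8601 timestamps, UTC).
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated_at": "2024-03-01T17:00:00"},
    {"user": "asmith", "terminated_at": "2024-03-02T09:30:00"},
    {"user": "bchen",  "terminated_at": "2024-03-03T12:00:00"},
    {"user": "rpatel", "terminated_at": "2024-03-04T08:00:00"},
]

# Constructed account export from the financial system being tested.
ACCOUNTS = [
    {"user": "jdoe",   "status": "disabled", "disabled_at": "2024-03-01T18:10:00"},  # within SLA
    {"user": "asmith", "status": "disabled", "disabled_at": "2024-03-05T10:00:00"},  # disabled late
    {"user": "bchen",  "status": "active",   "disabled_at": None},                   # never disabled
    # rpatel has no account in this system, so there is nothing to revoke
    {"user": "mlee",   "status": "active",   "disabled_at": None},                   # not terminated
]

@dataclass
class Finding:
    user: str
    result: str        # "pass", "late" or "still_active"
    hours_open: float  # hours from termination to disablement (or to the test date)

def check_termination_control(terminations, accounts, as_of: datetime):
    """Classify every terminated user who has an account in the target system.
    An account that is still active is measured against the test date, so a
    long-open orphaned account is reported with its true exposure window."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is None:
            continue  # not in the population for this system
        term_at = datetime.fromisoformat(t["terminated_at"])
        if acct["status"] == "active":
            open_for = as_of - term_at
            findings.append(Finding(t["user"], "still_active",
                                    round(open_for / timedelta(hours=1), 1)))
            continue
        open_for = datetime.fromisoformat(acct["disabled_at"]) - term_at
        findings.append(Finding(t["user"], "pass" if open_for <= SLA else "late",
                                round(open_for / timedelta(hours=1), 1)))
    return findings

def exceptions(findings):
    """Everything an auditor would list as an exception to the control."""
    return [f for f in findings if f.result != "pass"]

def run_sample():
    # Test date is assumed: the day the evidence was pulled.
    return check_termination_control(HR_TERMINATIONS, ACCOUNTS, datetime(2024, 3, 10))

if __name__ == "__main__":
    fs = run_sample()
    for f in fs:
        print(f"{f.user:8} {f.result:13} {f.hours_open}h")
    print(f"{len(exceptions(fs))} exception(s) in a population of {len(fs)}")
```

Running it reports three population items (jdoe passes, asmith is late, bchen is still active); rpatel and mlee are correctly excluded because the test population is terminated users who hold an account in the system.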

Section 409 — Real-Time Issuer Disclosures

Material changes in financial condition must be disclosed on a rapid and current basis. For IAM, this means that material access control failures (e.g., an unauthorised user with access to the general ledger) must be disclosed if they could affect financial reporting.

IAM Controls for Financial Systems

ERP Application Access

Enterprise Resource Planning (ERP) systems like SAP, Oracle EBS, and Microsoft Dynamics contain the core financial data. IAM controls for ERPs include:

┌───────────────────────────────────────────────────┐
│               ERP Financial Modules               │
├────────────┬────────────┬────────────┬────────────┤
│  General   │  Accounts  │  Accounts  │   Fixed    │
│  Ledger    │  Payable   │ Receivable │   Assets   │
├────────────┴────────────┴────────────┴────────────┤
│                 IAM Control Layer                 │
├──────────────┬────────┬────────┬────────┬─────────┤
│ Provisioning │  SoD   │ Cert.  │  PAM   │ Logging │
└──────────────┴────────┴────────┴────────┴─────────┘

Critical ERP IAM controls:

| Control | SAP | Oracle EBS | Microsoft Dynamics |
| --- | --- | --- | --- |
| User provisioning | SU01 / SU10 | FND_USER | System Users |
| Role assignment | PFCG roles | Responsibility mapping | Security roles |
| SoD analysis | GRC Access Control | Advanced Access Controls | Dynamics SoD tools |
| Critical access | Sensitive authorisations | Function-level access | Privileged permissions |

Segregation of Duties in Financial Processes

SoD is the cornerstone of SOX IAM compliance. The following are common toxic combinations that must be prevented in financial systems:

| Toxic Combination | Risk | Typical Dual Roles |
| --- | --- | --- |
| Create vendor + Process invoices | Create fake vendor, approve fake invoices | AP Clerk + AP Manager |
| Create PO + Receive goods | Create purchase orders, receive goods without verification | Buyer + Warehouse |
| Create customer + Process refund | Create fake customer, process fraudulent refunds | Sales Rep + Credit Clerk |
| Approve timesheet + Process payroll | Approve inflated hours, process to payroll | Supervisor + Payroll Clerk |
| Create journal entry + Approve entry | Post fraudulent adjustments without review | Staff Accountant + GL Manager |
| Change vendor bank + Process payment | Redirect vendor payments to personal account | AP Clerk + Treasury |

Segregation of Duties Remediation

When a toxic combination is detected, organisations typically:

  1. Analyse the conflict — Determine if the SoD violation is actual or theoretical
  2. Assess mitigating controls — Identify existing compensating controls (e.g., manager approval, transaction limits, audit review)
  3. Document mitigation — Formally document the mitigating control and how it addresses the risk
  4. Implement remediation — Reassign conflicting roles, add approval workflows, or implement real-time SoD enforcement
  5. Monitor and re-certify — Regularly re-verify that SoD controls remain effective

Caution

SoD conflicts should NEVER be accepted without documented compensating controls. SOX auditors will flag undocumented SoD acceptances as control deficiencies. Every exception must have a mitigating control, a defined owner, periodic re-validation, and a target date for remediation.
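The toxic-combination table and the remediation steps above describe two halves of one control: detecting conflicting access, then checking that every accepted conflict has a complete, current exception. The following is an added example, not code from the original page or from any ERP vendor's SoD tool. It evaluates conflicts on effective entitlements rather than role names (so a conflict packaged inside a single role is still caught), then checks each hit against an exceptions register that must carry a mitigating control, an owner, a re-validation date and a remediation target. The entitlement names, role model, users and register entries are constructed; the risks come from the table above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed toxic-combination matrix keyed on entitlement pairs.
# Entitlement names are assumed; the risk text comes from the table above.
TOXIC_COMBINATIONS = {
    ("AP_VENDOR_CREATE", "AP_INVOICE_PROCESS"): "Create fake vendor, approve fake invoices",
    ("PUR_PO_CREATE", "INV_GOODS_RECEIPT"): "Create purchase orders, receive goods without verification",
    ("GL_JE_CREATE", "GL_JE_APPROVE"): "Post fraudulent adjustments without review",
    ("AP_VENDOR_BANK_CHANGE", "TRE_PAYMENT_RUN"): "Redirect vendor payments to personal account",
}

# Constructed role model: each role grants a set of entitlements.
ROLES = {
    "AP_CLERK":   {"AP_VENDOR_CREATE", "AP_INVOICE_ENTER"},
    "AP_MANAGER": {"AP_INVOICE_PROCESS"},
    "BUYER":      {"PUR_PO_CREATE"},
    "WAREHOUSE":  {"INV_GOODS_RECEIPT"},
    "GL_MANAGER": {"GL_JE_CREATE", "GL_JE_APPROVE"},  # conflict inside a single role
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob":   {"BUYER"},
    "carol": {"GL_MANAGER"},
    "dave":  {"BUYER", "WAREHOUSE"},
}

# Constructed exceptions register. An exception counts only if every
# field required by the Caution above is present and still current.
REQUIRED_FIELDS = ("mitigating_control", "owner", "revalidate_by", "remediate_by")
EXCEPTIONS = [
    {"user": "carol", "combination": ("GL_JE_CREATE", "GL_JE_APPROVE"),
     "mitigating_control": "Controller reviews every journal posted by GL_MANAGER monthly",
     "owner": "controller", "revalidate_by": date(2024, 9, 30), "remediate_by": date(2024, 12, 31)},
    {"user": "dave", "combination": ("PUR_PO_CREATE", "INV_GOODS_RECEIPT"),
     "mitigating_control": "", "owner": "", "revalidate_by": None, "remediate_by": None},
]

@dataclass
class Violation:
    user: str
    combination: tuple
    risk: str
    roles_involved: set
    status: str   # "mitigated" or "deficiency"
    reason: str

def exception_status(exc, as_of):
    """An exception is valid only if complete and not overdue for re-validation."""
    missing = [f for f in REQUIRED_FIELDS if not exc.get(f)]
    if missing:
        return "deficiency", "exception incomplete: missing " + ", ".join(missing)
    if exc["revalidate_by"] < as_of:
        return "deficiency", "mitigating control overdue for re-validation"
    return "mitigated", exc["mitigating_control"]

def analyse_sod(user_roles, roles, toxic, exceptions, as_of):
    """Detect toxic combinations on effective entitlements, then check each
    hit against the exceptions register."""
    register = {(e["user"], tuple(sorted(e["combination"]))): e for e in exceptions}
    violations = []
    for user, assigned in sorted(user_roles.items()):
        grants = {}  # entitlement -> roles that grant it
        for role in assigned:
            for ent in roles[role]:
                grants.setdefault(ent, set()).add(role)
        for (a, b), risk in toxic.items():
            if a in grants and b in grants:
                exc = register.get((user, tuple(sorted((a, b)))))
                if exc is None:
                    status, reason = "deficiency", "no documented exception"
                else:
                    status, reason = exception_status(exc, as_of)
                violations.append(Violation(user, (a, b), risk, grants[a] | grants[b], status, reason))
    return violations

def run_sample(as_of="2024-06-30"):
    return analyse_sod(USER_ROLES, ROLES, TOXIC_COMBINATIONS, EXCEPTIONS, date.fromisoformat(as_of))

if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.user:6} {v.status:10} {' + '.join(v.combination)} "
              f"via {sorted(v.roles_involved)}: {v.reason}")
```

With the constructed data, alice is a deficiency (no exception on file), carol is mitigated by a complete exception, and dave is a deficiency because the register entry is empty; re-running with a later date turns carol into a deficiency once her re-validation date has passed, which is the periodic re-validation the Caution calls for.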

SOX Access Certification

Access certification (recertification) is the process of periodically verifying that users have appropriate access to financial systems.

Certification Best Practices

| Practice | Recommendation | Auditor Expectation |
| --- | --- | --- |
| Frequency | Quarterly for financial systems, annually for non-financial | At least annually for all systems |
| Reviewer | System owners / data owners with business knowledge | Reviewer must understand the access being reviewed |
| Scope | All users with access to financial systems | Full population, no sampling |
| Evidence | Complete certification reports with signature/digital approval | Dated evidence of certification completion |
| Remediation | Remove flagged access within 30 days | Documented remediation with dates |
| Non-response | Escalate after 3 reminders, auto-remove after 5 business days | Clear policy for non-response handling |

Access Certification Workflow

  1. Define scope — Identify financial systems, applications, and critical data stores to be included in the certification campaign
  2. Generate certification list — Extract current user entitlements from each target system and organise by reviewing owner
  3. Distribute to reviewers — Send certification tasks to data owners with clear instructions on what to review and the criteria for approval/revocation
  4. Reviewer completes analysis — Reviewer examines each user’s access against their job function and designates access as “approved,” “revoked,” or “needs modification”
  5. Escalate non-responses — Automated reminder sequence and management escalation for reviewers who have not completed their certification within the allowed timeframe
  6. Implement changes — Access changes (revocations, modifications) are executed in the target systems with change documentation
  7. Report and archive — Generate completion report with metrics (completion rate, changes made, non-responsive reviewers) and archive for auditor access
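Steps 3 to 7 of the workflow, together with the non-response policy from the best-practice table (escalate after three reminders, auto-remove after five business days), can be run as a small day-by-day campaign engine that also produces the dated evidence log auditors ask for. The following is an added example, not code from the original page or from any IGA product: the reviewer responses, the items, the due date and the action names are constructed, and reminders are only sent on business days (an assumption).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy values from the best-practice table above.
REMINDERS_BEFORE_ESCALATION = 3
AUTO_REMOVE_AFTER_BUSINESS_DAYS = 5

def is_business_day(d: date) -> bool:
    return d.weekday() < 5

def add_business_days(start: date, n: int) -> date:
    d = start
    while n:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d

@dataclass
class CertItem:
    user: str
    entitlement: str
    reviewer: str
    due: date
    decision: Optional[str] = None  # "approved", "revoked" or "modify"
    reminders: int = 0
    escalated: bool = False
    auto_removed: bool = False
    closed: bool = False

def run_campaign(items, responses, start: date, end: date):
    """Advance every open item one calendar day at a time and return the
    evidence log as (date, action, user, entitlement) tuples.
    responses maps (user, entitlement) -> (date, decision); constructed input."""
    log = []
    day = start
    while day <= end:
        for it in items:
            if it.closed:
                continue
            resp = responses.get((it.user, it.entitlement))
            if resp and resp[0] == day:  # the reviewer responded today
                it.decision, it.closed = resp[1], True
                log.append((day, f"decision:{it.decision}", it.user, it.entitlement))
                if it.decision == "revoked":
                    log.append((day, "access_removed", it.user, it.entitlement))
                continue
            if day <= it.due or not is_business_day(day):
                continue  # not yet overdue, or a weekend
            if day >= add_business_days(it.due, AUTO_REMOVE_AFTER_BUSINESS_DAYS):
                it.auto_removed = it.closed = True
                log.append((day, "auto_removed", it.user, it.entitlement))
            elif it.reminders < REMINDERS_BEFORE_ESCALATION:
                it.reminders += 1
                log.append((day, f"reminder_{it.reminders}", it.user, it.entitlement))
            elif not it.escalated:
                it.escalated = True
                log.append((day, "escalated_to_manager", it.user, it.entitlement))
        day += timedelta(days=1)
    return log

def completion_report(items):
    """Metrics for the archived completion report (step 7)."""
    return {
        "completion_rate": sum(1 for i in items if i.decision) / len(items),
        "changes_made": sum(1 for i in items if i.decision == "revoked" or i.auto_removed),
        "non_responsive_reviewers": sorted({i.reviewer for i in items if i.auto_removed}),
    }

def run_sample():
    # Constructed campaign: three entitlements due on Friday 2024-03-01.
    items = [
        CertItem("alice", "GL_POST", "gl_owner", date(2024, 3, 1)),
        CertItem("bob",   "AP_PAY",  "ap_owner", date(2024, 3, 1)),
        CertItem("carol", "GL_VIEW", "gl_owner", date(2024, 3, 1)),
    ]
    responses = {
        ("alice", "GL_POST"): (date(2024, 2, 28), "approved"),
        ("bob", "AP_PAY"):    (date(2024, 3, 5), "revoked"),
        # carol's reviewer never responds
    }
    log = run_campaign(items, responses, date(2024, 2, 26), date(2024, 3, 12))
    return items, log

if __name__ == "__main__":
    items, log = run_sample()
    for day, action, user, ent in log:
        print(day, action, user, ent)
    print(completion_report(items))
```

For the unanswered item the log shows three reminders on consecutive business days, an escalation on the fourth, and automatic removal on the fifth business day after the due date; the report gives the completion rate, the number of changes and the reviewers who never responded, which is exactly the evidence set step 7 archives.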

Common SOX IAM Audit Findings

| Finding | Root Cause | Remediation |
| --- | --- | --- |
| Users with inappropriate access to financial systems | Weak provisioning controls, no access recertification | Implement RBAC with quarterly certification |
| Terminated users still active in financial systems | Manual deprovisioning, no automated integration | Implement automated deprovisioning with HRIS integration |
| Excessive privileged access to financial systems | No privileged access management | Implement PAM with JIT access for financial systems |
| SoD conflicts in financial applications | No SoD analysis tool, manual review only | Deploy automated SoD analysis and enforcement |
| Generic/shared accounts in financial systems | No unique user IDs for service accounts | Eliminate shared accounts, implement service account management |
| Incomplete access certification evidence | No systematic certification campaigns | Implement IGA with automated certification campaigns |

Key Takeaways

  • SOX Section 404 is the primary driver for IAM controls over financial reporting — companies must document, test, and maintain internal controls over financial reporting
  • The most critical IAM controls for SOX are: user provisioning/termination, access certification, segregation of duties, privileged access management, and audit logging
  • Segregation of Duties (SoD) is the cornerstone control — common toxic combinations in ERP systems (create vendor + process invoices, create PO + receive goods) must be prevented or mitigated with documented compensating controls
  • Access certification (quarterly for financial systems) with proper reviewer selection, escalation, and evidence retention is a fundamental SOX requirement
  • Common SOX audit findings include inappropriate access, orphaned accounts, excessive privileges, unresolved SoD conflicts, shared accounts, and incomplete certification evidence — all addressable with a mature IAM program
  • SOX creates personal liability for CEOs and CFOs (Section 302), making them direct stakeholders in IAM control effectiveness