SOX IT General Controls Checklist – This checklist helps IT and Security teams verify that the IT general controls (ITGCs) supporting financial reporting systems meet the internal control over financial reporting (ICFR) requirements of Sarbanes-Oxley Act Section 404. These controls underpin the integrity of financial reporting systems and data. Each item names the control area and framework guidance it supports; verify and document each item quarterly, and retain the evidence so that management's assessment and the external auditor's attestation can rely on it. Escalate non-compliance findings to the Audit Committee and remediate them within defined timelines.
SOX IT General Controls Checklist
- User Access Management: Verify that user access to financial systems is provisioned only on documented, approved requests and is removed within 24 hours of terminations and role changes (including internal transfers, which commonly leave accumulated access behind). Maintain documented evidence of segregation of duties reviews conducted at least semi-annually (the quarterly conflict analysis under Segregation of Duties below satisfies this) per the COSO Internal Control – Integrated Framework, which the SEC recognizes as a suitable framework for SOX 404 assessments.
- Change Management Process: Confirm that all changes to financial systems (application code, database schema, configuration, and infrastructure) follow a formal change control board (CCB) process with documented approval, testing in a non-production environment, and sign-off before deployment to production, and that the person who develops a change cannot also approve and deploy it, per IT General Control Standards (ITGC). Emergency changes must be logged and retroactively approved through the same process.
- System Access Logging: Verify that all access to financial applications and databases is logged with user ID, timestamp, source, and action; that logs are retained for a minimum of 12 months in a location the monitored users (including administrators) cannot modify or delete; and that logs are reviewed for unauthorized access monthly per SOX 404 – IT Control Framework. Direct database access that bypasses the application must be logged to the same standard.
- Segregation of Duties (SOD): Perform quarterly SOD conflict analysis across financial systems to ensure no single user can initiate, approve, and record the same transaction (or hold custody of the related assets), including access granted indirectly through nested roles or group membership, per COSO Framework and SOX compliance requirements. Where a conflict cannot be removed (for example in a small finance team), document the compensating control and management's acceptance of it.
- System Configuration Management: Maintain an inventory of all production financial systems with documented, approved baseline configurations. Compare actual configurations to baselines monthly (preferably with an automated tool) and document all deviations with business justifications or remediation per IT Change and Configuration Management Control.
- Data Backup and Recovery: Conduct restoration tests for all financial systems at least semi-annually; record the measured recovery time and data loss against the documented recovery time objectives (RTO) and recovery point objectives (RPO), with evidence of successful restoration, per SOX 404 Business Continuity Controls. A backup that has never been restored should be treated as unverified.
- User Password Policies: Enforce the minimum password requirements (14+ characters, complexity, expiration every 90 days) and verify compliance through automated monitoring reports; maintain evidence of policy enforcement across all financial system user populations, including service and shared accounts, per ITGC – Access Control. Note that NIST SP 800-63B advises against mandatory periodic rotation and composition rules in favor of screening against known-breached passwords and multi-factor authentication; where the organization retains the 90-day expiry, document that choice, and require MFA for all remote and privileged access regardless.
- Privileged Access Management (PAM): Document all privileged accounts (administrator, root, database administrator, and service accounts with elevated rights); verify that privileged access is approved, time-limited where possible, monitored, and reviewed monthly with session recordings or detailed audit logs per SOX 404 – High-Risk User Access Controls. Shared administrative credentials must be vaulted and checked out per individual so that actions remain attributable.
- System Patching and Vulnerability Management: Maintain a documented patch management schedule under which critical patches are applied to financial systems within 30 days of release; verify 100% coverage through automated inventory tools, document approved exceptions with compensating controls, and provide evidence to auditors per IT System Hardening Controls.
- Security Testing and Vulnerability Scans: Perform quarterly authenticated vulnerability scans on all financial systems and databases; remediate critical and high-risk findings within 15 days (where a finding is fixed by a patch, this shorter deadline takes precedence over the 30-day patching window); document remediation evidence or approved risk exceptions per SOX 404 – Security Monitoring.
- Incident Response and Logging: Maintain a documented and tested incident response procedure; log and track all security incidents involving financial systems with root cause analysis and corrective actions, and assess whether each incident could have affected the integrity of financial data; provide monthly incident reports to management per SOX 404 – Monitoring Controls.
- IT Disaster Recovery Plan: Document and test the IT Disaster Recovery Plan at least annually with full system restoration from off-site backups; evidence of testing (test reports, identified gaps, sign-offs) must be available for audit per SOX 404 – Business Continuity and Resilience.
- System Monitoring and Alerting: Configure automated alerts for financial systems covering failed login bursts, privileged access and role grants, bulk data exports, and configuration changes; verify that alerts are monitored 24/7 and escalated per policy, and that each alert's disposition is recorded, per ITGC – Monitoring and Logging. Test alert rules periodically by generating a known event and confirming it is raised.
- Vendor and Third-Party Risk Management: Maintain a register of all third-party vendors with access to, or hosting, financial systems; verify that security assurance reports (a SOC 1 Type II report for services that affect financial reporting, SOC 2 Type II or equivalent certifications for others) are current and renewed annually, and map any complementary user entity controls they list to your own controls; document access restrictions and contractual security requirements per SOX 404 – Third-Party Controls.
- IT Policy Documentation: Maintain current, management-approved IT security policies covering access control, change management, system security, and incident response, reviewed at least annually; distribute them to all IT and Finance staff and document acknowledgment of receipt per SOX 404 – Policy and Governance.
- Quarterly Control Testing: Design and execute quarterly control testing procedures for all key financial system controls, with sample sizes and test steps documented in advance; record testing results, exceptions, and management sign-offs; escalate exceptions to the Audit Committee per SOX 404 – Testing and Evidence.
- Segregation of Production and Development Environments: Verify that development and test environments are logically (and, where feasible, physically) separated from production systems; prohibit unmasked production data in non-production environments; document environment access restrictions and confirm that developers do not hold standing write access to production per IT General Controls – Environment Separation.
- Financial System Data Integrity: Perform monthly data reconciliation between feeder systems (sub-ledgers, interfaces) and the general ledger; investigate and document all reconciling items with supporting evidence; maintain an audit trail of all reconciliation actions, including who reviewed and approved each reconciliation, per SOX 404 – Data Integrity Controls.
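The Segregation of Duties item above asks for a quarterly conflict analysis that catches access granted through nested roles, and the User Access Management item asks for documented evidence of that review. The following is an added example of that analysis, not code from any SOX program or product: it expands role inheritance to a user's effective business functions, checks each user against a set of mutually exclusive function groups, and separates open conflicts from those management has accepted with a compensating control. The role names, function names, rule IDs, user population and exception register are constructed for the example.

```python
"""Segregation-of-duties (SOD) conflict analysis over a user/role/function mapping.

Added example: the data below is constructed for illustration, and the role
names, function names and rule IDs are assumptions, not any product's vocabulary.
"""

# Role -> business functions the role grants directly (constructed).
ROLE_FUNCTIONS = {
    "ap_clerk": {"ap.create_vendor", "ap.enter_invoice"},
    "ap_approver": {"ap.approve_invoice"},
    "treasury": {"ap.release_payment"},
    "gl_poster": {"gl.post_journal"},
    "gl_reviewer": {"gl.approve_journal"},
    "finance_admin": set(),  # grants nothing directly; everything via inheritance
}

# Role -> roles it inherits. Nested roles are where conflicts hide from a review
# that only looks at a user's directly assigned roles.
ROLE_INHERITS = {
    "finance_admin": {"ap_approver", "treasury", "gl_reviewer"},
}

# User -> directly assigned roles (constructed user population).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},
    "carol": {"ap_clerk", "finance_admin"},
    "dave": {"gl_poster", "gl_reviewer"},
}

# Mutually exclusive function sets (initiate / approve / record / custody).
# A user holding two or more functions from one rule is a conflict.
SOD_RULES = {
    "SOD-AP-01": {"ap.create_vendor", "ap.approve_invoice", "ap.release_payment"},
    "SOD-AP-02": {"ap.enter_invoice", "ap.approve_invoice"},
    "SOD-GL-01": {"gl.post_journal", "gl.approve_journal"},
}

# Conflicts management has accepted with a documented compensating control.
ACCEPTED_EXCEPTIONS = {
    ("dave", "SOD-GL-01"): "Compensating control: monthly CFO review of all journals posted by dave",
}


def expand_roles(roles, inherits=ROLE_INHERITS):
    """Transitive closure of role inheritance; safe against inheritance cycles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(inherits.get(role, ()))
    return seen


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                        inherits=ROLE_INHERITS):
    """Map each function the user can exercise to the set of roles that grant it."""
    granted = {}
    for role in expand_roles(user_roles.get(user, set()), inherits):
        for func in role_functions.get(role, ()):
            granted.setdefault(func, set()).add(role)
    return granted


def analyze_sod(user_roles=USER_ROLES, rules=SOD_RULES, exceptions=ACCEPTED_EXCEPTIONS,
                role_functions=ROLE_FUNCTIONS, inherits=ROLE_INHERITS):
    """Return (open_findings, accepted_exceptions); each entry is a finding record."""
    findings, accepted = [], []
    for user in sorted(user_roles):
        granted = effective_functions(user, user_roles, role_functions, inherits)
        for rule_id, exclusive in sorted(rules.items()):
            held = exclusive & set(granted)
            if len(held) < 2:
                continue
            record = {
                "user": user,
                "rule": rule_id,
                # Which role granted each conflicting function, so the reviewer can
                # see when a conflict arrived through a nested role.
                "functions": {f: sorted(granted[f]) for f in sorted(held)},
            }
            if (user, rule_id) in exceptions:
                record["mitigating_control"] = exceptions[(user, rule_id)]
                accepted.append(record)
            else:
                findings.append(record)
    return findings, accepted


if __name__ == "__main__":
    open_findings, accepted_findings = analyze_sod()
    for rec in open_findings:
        print(f"CONFLICT {rec['rule']} user={rec['user']}: {rec['functions']}")
    for rec in accepted_findings:
        print(f"ACCEPTED {rec['rule']} user={rec['user']}: {rec['mitigating_control']}")
```

Run against the constructed data, the analysis flags bob (two directly assigned conflicting roles) and carol, whose conflict is visible only after finance_admin is expanded to the approver and treasury roles it inherits; dave's conflict is reported separately as an accepted exception with its compensating control, which is the evidence an auditor will ask for. In a real quarterly review the mapping would be exported from the ERP or identity system, and the output retained as the documented evidence the checklist calls for.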
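The System Access Logging and System Monitoring and Alerting items call for access logs to be reviewed for unauthorized activity and for alerts on failed logins, privileged access, data exports and configuration changes. The block below is an added example of that review logic, written for this page rather than taken from any SIEM or vendor: it parses a constructed, pipe-delimited audit log (an assumed format), sorts events by time because collectors often deliver them out of order, and applies four rules, raising a failed-login burst alert once per user within a sliding window, flagging privileged actions by accounts not on the PAM inventory, tagging every configuration change for matching against an approved change record, and flagging exports outside business hours. The usernames, thresholds, business hours and the approved privileged account list are all assumptions.

```python
"""Review of constructed financial-application audit events against alert rules.

Added example. The log format (timestamp|user|action|target|outcome), the
thresholds and the approved privileged account list are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample audit log; deliberately not in time order.
SAMPLE_LOG = """\
2024-03-04T08:55:12Z|alice|LOGIN|erp-prod|FAILURE
2024-03-04T08:55:20Z|alice|LOGIN|erp-prod|FAILURE
2024-03-04T08:55:31Z|alice|LOGIN|erp-prod|FAILURE
2024-03-04T08:55:40Z|alice|LOGIN|erp-prod|FAILURE
2024-03-04T08:55:52Z|alice|LOGIN|erp-prod|FAILURE
2024-03-04T08:56:03Z|alice|LOGIN|erp-prod|SUCCESS
2024-03-04T09:10:00Z|bob|EXPORT|gl_journal_entries|SUCCESS
2024-03-04T23:42:10Z|bob|EXPORT|ap_vendor_master|SUCCESS
2024-03-04T10:02:45Z|svc_batch|GRANT_ROLE|carol:ap_approver|SUCCESS
2024-03-04T10:03:01Z|sysadmin1|CONFIG_CHANGE|erp-prod:posting_period_lock|SUCCESS
"""

APPROVED_PRIVILEGED = {"sysadmin1"}          # from the PAM inventory (constructed)
PRIVILEGED_ACTIONS = {"GRANT_ROLE", "REVOKE_ROLE", "CONFIG_CHANGE"}
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 UTC, assumed
FAILED_LOGIN_THRESHOLD = 5                   # failures ...
FAILED_LOGIN_WINDOW_S = 300                  # ... within this many seconds


def parse_events(text):
    """Parse the pipe-delimited log into dicts and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, outcome = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "action": action, "target": target, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def review_events(events, approved_privileged=APPROVED_PRIVILEGED):
    """Apply the alert rules; return a list of (rule, user, detail) tuples in time order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    burst_alerted = set()           # alert once per user per burst, not per failure
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            window = failures[e["user"]]
            window.append(e["ts"])
            while (e["ts"] - window[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and e["user"] not in burst_alerted:
                burst_alerted.add(e["user"])
                alerts.append(("FAILED_LOGIN_BURST", e["user"],
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW_S}s"))
        if e["action"] in PRIVILEGED_ACTIONS and e["user"] not in approved_privileged:
            alerts.append(("UNAPPROVED_PRIVILEGED_ACTION", e["user"],
                           f"{e['action']} on {e['target']}"))
        if e["action"] == "CONFIG_CHANGE":
            alerts.append(("CONFIG_CHANGE", e["user"],
                           f"{e['target']} (match to an approved change record)"))
        if e["action"] == "EXPORT" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_EXPORT", e["user"],
                           f"{e['target']} at {e['ts'].isoformat()}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in review_events(parse_events(SAMPLE_LOG)):
        print(f"{rule:28} {user:10} {detail}")
```

The burst rule fires once when alice's fifth failure lands within the window and stays quiet for her subsequent success; svc_batch's role grant is flagged because the account is not on the approved privileged list, while sysadmin1's configuration change is not flagged as unapproved but is still surfaced for matching against the change record the Change Management item requires; bob's in-hours export passes and his 23:42 export is raised. Each alert's disposition (false positive, approved change, escalated incident) is what the monthly review should record as evidence.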