SOX IT Controls
SOX-ready before they arrive.
Year 1 of SOX is the hardest audit your IT team will face. We scope your ITGCs, design the controls, build the evidence library, and brief you for your external auditors — so you walk into the audit window with everything your auditors need, already organized and tested.
SOX 404 · PCAOB-aligned · External auditor liaison included
8–16 weeks
Fixed-fee project
Pre-IPO & public companies
Auditor-ready evidence package
ITGC domains
Four domains. Every auditor tests them.
IT General Controls are the foundational controls that govern access to systems, changes to production, system operations, and software development. External auditors test all four — failure in any domain can create a significant deficiency or material weakness finding.
Access to Programs & Data
User access provisioning and de-provisioning, privileged access management, access reviews, segregation of duties, authentication controls.
Change Management
SDLC controls, code review, testing and approval, emergency change procedures, segregation between development and production environments.
Computer Operations
Job scheduling, batch processing, system monitoring, backup and recovery, incident management, data center physical controls.
System Development
SDLC methodology, requirements, design, testing, deployment, and acceptance controls for new system implementations.
Our process
Six stages. Audit-ready at the end.
Every SOX IT controls engagement follows this sequence — from the first scoping call to the final auditor handoff. You know exactly where you stand each week.
Scoping & system inventory
We identify all in-scope systems, applications, and infrastructure components that could materially affect financial reporting. We define the audit scope with your external auditors to avoid scope creep later.
Gap assessment & risk rating
We assess your current ITGCs against each domain. Every gap is risk-rated: significant deficiency risk, material weakness risk, or observation. You get a prioritized remediation roadmap with effort estimates.
Control design & documentation
We design controls that fit your actual technology stack and team structure. Controls are documented in walkthrough-ready format your external auditor can test immediately.
Evidence gathering & testing
We work with IT, engineering, and HR to gather and organize evidence for each control. Screenshots labeled, access reviews formatted, change tickets annotated, job logs documented.
Internal walkthrough
We conduct an internal walkthrough simulating your external auditor's testing procedures, catching weak evidence, undocumented exceptions, and control gaps before they become findings.
Auditor liaison & support
We support your external audit team throughout the engagement: initial evidence requests, follow-up questions, control narratives, and deficiency assessments if issues surface.
Deliverables
What your auditor receives.
ITGC scope matrix
System-by-system mapping of in-scope applications, owners, and applicable ITGC domains. The starting point for your auditor's testing plan.
Control narratives
Walkthrough-ready documentation for each control: purpose, frequency, owner, procedure, and evidence. Formatted to PCAOB/AICPA standards.
Evidence library
Organized evidence package for each in-scope control, pre-labeled for auditor sampling with population sizes and sample selections noted.
Remediation tracker
Live tracking of open gaps, assigned owners, target dates, and remediation status. Shared with your team weekly.
Deficiency assessment
Where gaps exist, we formally assess severity (control deficiency vs. significant deficiency vs. material weakness risk) to frame auditor communication.
Management rep support
Assistance with management representation letters and auditor requests related to IT, including written responses to auditor memos and findings.
FAQ
Common questions.
What does "Year 1 of SOX" actually mean for IT?
Year 1 is the hardest. Your external auditor is scoping everything for the first time, your controls may have never been documented, and your evidence library doesn't exist yet. You're also likely dealing with the auditor education curve — most external audit teams have limited IT expertise and rely heavily on their own ITGC specialists. Our job is to get your controls documented and tested before your auditors arrive, so Year 1 runs as smoothly as Year 3.
What is a material weakness, and how worried should we be?
A material weakness is a deficiency (or combination of deficiencies) in internal control that creates a reasonable possibility that a material misstatement of financial statements will not be prevented or detected on a timely basis. In Year 1, material weaknesses are not uncommon — but they are disclosable in your 10-K and create significant investor and audit committee concern. We prioritize prevention: identifying and remediating at-risk controls before the audit window closes.
Do you work with our external auditors?
Yes, directly. We liaise with your external audit team (whether Big 4 or otherwise) throughout the engagement. We attend planning calls, respond to initial requests, and help your team answer auditor questions in real time. We can't remove the auditor from the process, but we make the process significantly less painful.
We use cloud infrastructure (AWS/Azure/GCP). How does that affect ITGC scope?
Cloud doesn't reduce ITGC scope — it reshapes it. Access management controls shift to IAM policies. Change management controls shift to CI/CD pipelines. Operations controls shift to monitoring and alerting tools. We scope ITGCs across your actual technology stack, cloud or on-premise, and document controls in the format your auditors expect for each.
What is the difference between ITGCs and application controls?
ITGCs (General Controls) are the foundational controls that govern all systems — access management, change management, operations. Application controls are automated controls within a specific application — input validation, processing rules, output reconciliation. Both matter for SOX. We focus on ITGCs; application controls are typically assessed alongside business process controls by your external auditor.
SOX-ready before Year 1 closes.
Book a free scoping call. We'll review your systems, define ITGC scope, and send a fixed-fee proposal within 48 hours.
Fixed-fee proposal in 48 h · Auditor liaison included