The Sarbanes-Oxley Act of 2002 — "SOX" or "Sarbox" — is a US federal statute aimed at restoring trust in public-company financial reporting after a wave of accounting scandals. The visible product is a CEO and CFO who certify each quarterly and annual financial filing, on penalty of personal criminal liability. The invisible product is the elaborate web of internal controls that has to exist for those signatures to be credible — and a substantial portion of that web is operated by IT and security teams.
This page concentrates on the side of SOX practitioners actually live in: IT General Controls (ITGCs) and the audit process that tests them. The financial-reporting fundamentals get a brief tour so the IT-controls part has context. The goal is to leave you fluent enough to talk to an external auditor without confusion when one of them shows up asking who has admin access to the general ledger.
Who's covered
SOX applies to:
- US public companies — any issuer whose securities are registered under the Securities Exchange Act of 1934, or that's required to file reports with the SEC. Roughly 4,500 companies as of 2024.
- Foreign private issuers listed on US exchanges (with some accommodations).
- Subsidiaries of those issuers, to the extent their financial activity rolls up to the parent's consolidated statements.
- Public accounting firms auditing those companies — SOX created the PCAOB to register, inspect, and discipline them.
SOX does not apply to private companies, non-profits, or government entities. But many private companies that intend to IPO begin "SOX-readiness" projects 12-24 months ahead of the offering. Many privately-held companies also adopt SOX-style controls because their lenders, insurers, or major customers expect them. Treat SOX as the de facto baseline for the financial-systems side of any well-run organization, regulated or not.
The four sections that matter
SOX has 11 titles and over 60 sections. Four come up constantly.
| Section | What it requires |
|---|---|
| 302 | The CEO and CFO must personally certify every periodic report (10-K, 10-Q): they have reviewed it, it contains no material misstatements or omissions, they are responsible for establishing and maintaining internal controls, and they have disclosed to the auditors and audit committee all significant deficiencies and material weaknesses plus any fraud involving management or employees with a role in internal controls. Enforced civilly by the SEC. |
| 404 | 404(a): annual management assessment of the effectiveness of Internal Control over Financial Reporting (ICFR), included in the 10-K. 404(b): for accelerated and large accelerated filers (most large public companies), the external auditor must also attest to the effectiveness of ICFR; non-accelerated filers and emerging growth companies are exempt from 404(b) but not from 404(a). 404 is where almost all the SOX work lives. |
| 906 | The criminal counterpart of 302. A CEO/CFO certification under 906 that is knowingly false carries up to 10 years' imprisonment; a willfully false one carries up to 20 years. Independent of any other prosecution. |
| 802 | Records. Accountants must retain audit and review workpapers for five years under the statute itself; SEC Rule 2-06 of Regulation S-X extends that to seven. Knowingly destroying, altering, or falsifying records to obstruct a federal investigation is a felony carrying up to 20 years. The Arthur Andersen / Enron shredding case prompted this provision. |
For security and IT teams, section 404 is nearly the entire job. Everything below this point flows from 404's requirement that management assess, and the auditor attest to, the effectiveness of controls over financial reporting.
ICFR and the controls hierarchy
Internal Controls over Financial Reporting is a hierarchy. SOX 404 cares whether the top number on the financial statements is materially correct. To get assurance there, the auditor follows a chain of controls down the stack:
- Entity-level controls — the cultural and governance controls (tone at the top, code of conduct, fraud risk assessments, board oversight).
- Process-level controls — the controls inside business processes that touch financial reporting (revenue recognition, accounts payable approvals, inventory counts, journal entry review).
- IT Application Controls (ITACs) — automated controls inside the financial applications (the ERP requires three-way match before payment, the GL won't accept unbalanced journal entries, only the controller's role can post a manual journal > $50,000).
- IT General Controls (ITGCs) — the controls over the IT environment that keep those application controls trustworthy. This is the security and IT operations work.
The logic chains upward: if the ITGCs are weak, the auditor can't rely on the application controls. If the application controls fail, the process controls can't be relied on to produce accurate numbers. A weak ITGC environment forces the auditor to expand substantive testing on every downstream control, which is enormously expensive and slow. This is why CFOs notice when ITGC findings appear in the audit report.
IT General Controls · the security side of SOX
Four ITGC families are tested by virtually every SOX audit. The detailed controls vary by environment, but the families are universal. This is the part security teams own.
Logical access
Who has access to financial systems, and is that appropriate? Tested controls typically include:
- Provisioning: documented role-based access; approval by manager and system owner; tied to a ticketing system so every grant has a traceable request.
- De-provisioning: access removed within a defined number of days of termination or transfer; periodic reconciliation of active accounts against the HR termination feed.
- Periodic recertification: usually annual, often more frequent for privileged roles; system owners attest that each user's access is still required, and any removals are evidenced.
- Privileged access: separate named accounts, distinct from day-to-day accounts; activity logged; use reviewed.
- Segregation of duties (SoD): nobody can both create a vendor and pay an invoice, or both create and approve a journal; conflicts are defined in a role matrix and re-checked whenever roles change.
- Authentication: MFA, password policy, account lockout. Shared or generic accounts with access to in-scope systems are nearly always a finding unless a documented compensating control exists.
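The two access checks an auditor samples most often, SoD conflicts and stale leavers, are mechanical enough to script. The block below is an added example, not code from the page or from any vendor product; the role matrix, the conflict pairs, the user list and the HR termination feed are all constructed, and the three-day de-provisioning SLA is an assumed policy value.

```python
"""Two logical-access ITGC checks over constructed sample data.

Hypothetical role matrix, user list and HR termination feed; illustrative
records, not from any real ERP and not part of the original page.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical ERP roles and the entitlements each role grants (constructed).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_PAYMENTS": {"payment.release"},
    "GL_ACCOUNTANT": {"journal.create"},
    "CONTROLLER": {"journal.post", "journal.approve"},
    "DBA_PROD": {"db.write"},
}

# The SoD matrix: pairs of entitlements one person must never hold together.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "payment.release"}),
    frozenset({"journal.create", "journal.approve"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset[str]  # empty set means no access remains


def entitlements(user: User) -> set[str]:
    """Flatten a user's roles into the effective entitlements they grant."""
    ents: set[str] = set()
    for role in user.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(users: list[User]) -> dict[str, list[tuple[str, str]]]:
    """Map user_id -> sorted conflict pairs for users holding both sides of a conflict.

    Conflicts are evaluated on effective entitlements rather than role names,
    so a conflict created by combining two individually harmless roles is caught.
    """
    out: dict[str, list[tuple[str, str]]] = {}
    for user in users:
        ents = entitlements(user)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= ents]
        if hits:
            out[user.user_id] = sorted(hits)
    return out


def stale_terminated_access(
    users: list[User], terminations: dict[str, date], as_of: date, sla_days: int = 3
) -> list[tuple[str, int]]:
    """Terminated users still holding any role more than sla_days after termination.

    Returns (user_id, days_since_termination), sorted. A user with an empty
    role set counts as de-provisioned.
    """
    still_active = {u.user_id for u in users if u.roles}
    stale = []
    for user_id, term_date in terminations.items():
        age = (as_of - term_date).days
        if user_id in still_active and age > sla_days:
            stale.append((user_id, age))
    return sorted(stale)


# Constructed sample input: one SoD violation from combined AP roles, one from
# GL roles, one terminated DBA never de-provisioned, one leaver cleaned up.
USERS = [
    User("alice", frozenset({"AP_CLERK", "AP_PAYMENTS"})),
    User("bob", frozenset({"GL_ACCOUNTANT"})),
    User("carol", frozenset({"GL_ACCOUNTANT", "CONTROLLER"})),
    User("dave", frozenset({"DBA_PROD"})),
    User("erin", frozenset()),
]
TERMINATIONS = {"dave": date(2024, 3, 1), "erin": date(2024, 3, 10)}
AS_OF = date(2024, 3, 15)  # assumed review date


def run_checks() -> dict[str, object]:
    """Produce the two artifacts an auditor samples: SoD conflicts and stale leavers."""
    return {
        "sod": sod_violations(USERS),
        "stale_terminated": stale_terminated_access(USERS, TERMINATIONS, AS_OF),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Run on a schedule and keep the output with a timestamp and a reviewer sign-off; the report itself becomes the recertification evidence. Note that carol is flagged even though neither of her roles is a problem on its own, which is exactly the case a role-name-only review misses.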
Change management
Are changes to financial systems controlled, tested, and approved? Tested controls typically include:
- Documented change request: business justification, technical description, risk assessment.
- Approval: change advisory board or designated approvers, independent of the developer who wrote the change.
- Testing: evidence of user acceptance testing in a non-production environment separate from production.
- Migration to production: performed by someone other than the developer, using an account the developer doesn't hold; logged.
- Emergency changes: an abbreviated path is acceptable, but it must always be followed by retrospective documentation, approval, and review within a defined window.
- Direct database changes: tightly restricted; alerted on; each one manually reconciled against a change ticket.
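Most change-management findings come from reconciling three records that usually live in three tools: the ticket, the deployment log, and the database audit trail. The block below is an added example of that reconciliation, not code from the page or from any ticketing or CI product; the ticket, deployment and audit records are constructed, and the five-day window for emergency post-review is an assumed policy value.

```python
"""Change-management ITGC reconciliation over constructed sample data.

Hypothetical change tickets, production deployment log and DB audit trail;
illustrative records, not from any real tooling and not part of the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    developer: str
    approver: Optional[str]          # None: never approved
    tested: bool                     # UAT evidence attached from non-prod
    emergency: bool = False
    post_review_at: Optional[datetime] = None  # retrospective review (emergency only)


@dataclass(frozen=True)
class Deployment:
    deploy_id: str
    ticket_id: Optional[str]         # None: deploy cited no ticket
    deployer: str
    deployed_at: datetime


@dataclass(frozen=True)
class DbWrite:
    event_id: str
    account: str
    ticket_id: Optional[str]         # ticket cited for the direct write, if any


def reconcile(tickets: list[Ticket], deployments: list[Deployment],
              as_of: datetime, review_days: int = 5) -> list[tuple[str, str]]:
    """Return (deploy_id, finding) pairs for each deployment that breaks a control.

    Checks: a ticket exists; approval came from someone other than the developer;
    the deployer is not the developer; normal changes carry test evidence; and
    emergency changes got a retrospective review within review_days.
    """
    by_id = {t.ticket_id: t for t in tickets}
    findings: list[tuple[str, str]] = []
    for d in deployments:
        t = by_id.get(d.ticket_id) if d.ticket_id else None
        if t is None:
            findings.append((d.deploy_id, "no_change_ticket"))
            continue
        if t.approver is None:
            findings.append((d.deploy_id, "unapproved"))
        elif t.approver == t.developer:
            findings.append((d.deploy_id, "self_approved"))
        if d.deployer == t.developer:
            findings.append((d.deploy_id, "developer_deployed"))
        if not t.emergency and not t.tested:
            findings.append((d.deploy_id, "no_test_evidence"))
        if t.emergency:
            deadline = d.deployed_at + timedelta(days=review_days)
            if t.post_review_at is None and as_of > deadline:
                findings.append((d.deploy_id, "emergency_review_overdue"))
            elif t.post_review_at is not None and t.post_review_at > deadline:
                findings.append((d.deploy_id, "emergency_review_late"))
    return findings


def unticketed_db_writes(db_audit: list[DbWrite], tickets: list[Ticket]) -> list[str]:
    """Direct production DB writes that cite no known change ticket."""
    known = {t.ticket_id for t in tickets}
    return [w.event_id for w in db_audit if w.ticket_id not in known]


# Constructed sample records: one clean change, one self-approved, one deployed
# by its own developer without UAT, one emergency never reviewed, one emergency
# reviewed in time, and one deployment with no ticket at all.
TICKETS = [
    Ticket("CHG-100", developer="bob", approver="cab-lead", tested=True),
    Ticket("CHG-101", developer="bob", approver="bob", tested=True),
    Ticket("CHG-102", developer="ana", approver="cab-lead", tested=False),
    Ticket("CHG-103", developer="ana", approver="cab-lead", tested=False, emergency=True),
    Ticket("CHG-104", developer="ana", approver="cab-lead", tested=True, emergency=True,
           post_review_at=datetime(2024, 6, 3, 10, 0)),
]
DEPLOYMENTS = [
    Deployment("D1", "CHG-100", "release-eng", datetime(2024, 6, 1, 22, 0)),
    Deployment("D2", "CHG-101", "release-eng", datetime(2024, 6, 1, 22, 10)),
    Deployment("D3", "CHG-102", "ana", datetime(2024, 6, 2, 9, 0)),
    Deployment("D4", "CHG-103", "release-eng", datetime(2024, 6, 2, 3, 0)),
    Deployment("D5", "CHG-104", "release-eng", datetime(2024, 6, 2, 4, 0)),
    Deployment("D6", None, "release-eng", datetime(2024, 6, 3, 1, 0)),
]
DB_AUDIT = [DbWrite("E1", "dba_prod", "CHG-100"), DbWrite("E2", "dba_prod", None)]
AS_OF = datetime(2024, 6, 15)  # assumed reconciliation date


def run_reconciliation() -> dict[str, list]:
    """The two lists an auditor asks for: deployment exceptions and unticketed DB writes."""
    return {
        "deployments": reconcile(TICKETS, DEPLOYMENTS, AS_OF),
        "db_writes": unticketed_db_writes(DB_AUDIT, TICKETS),
    }
```

The point of the emergency branch is that the abbreviated path is allowed; what gets flagged is the missing or late retrospective review, which is the part auditors actually sample. Every exception this produces should land in a ticket of its own with a documented disposition, since an exception with no follow-up is the finding.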
IT operations
Do production systems run reliably and recover from disruptions? Tested controls typically include:
- Job scheduling: automated jobs (overnight batch postings, month-end close routines) execute as scheduled; failures alert and are followed up with a documented resolution.
- Monitoring: performance, error rates, and availability of in-scope systems are monitored.
- Incident management: documented process, ticket trail, root-cause analysis for outages affecting financial systems.
- Backup and recovery: backups scheduled, validated, and periodically restored; documented DR plan, tested at least annually.
- Capacity: storage and compute monitored so that exhaustion can't cause silent data loss or failed postings.
Information security
Is the environment around financial systems protected from external threats? Tested controls typically include:
- Network security: firewall rules, segmentation between the corporate network and financial systems, perimeter monitoring.
- Patch management: documented process, defined SLAs for critical patches on financial-system hosts.
- Vulnerability management: regular scanning, documented remediation with tracked exceptions.
- Encryption: data at rest and in transit on financial systems.
- Logging and monitoring: financial-system logs ingested into a SIEM; alerting; periodic log review with evidence that the review happened.
- Anti-malware: deployed, current, alerting.
The audit and PCAOB AS 2201
Public-company external audits are governed by the Public Company Accounting Oversight Board (PCAOB), created by SOX itself. The PCAOB writes the audit standards, registers and inspects audit firms, and enforces compliance.
The standard that controls SOX 404 work is AS 2201, "An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements." Two practical implications:
- Top-down, risk-based. The auditor starts from the financial statement and identifies the controls that matter for the line items most exposed to risk. Not every system in the org is in scope — only those that materially affect financial reporting.
- Three severity levels for findings. A deficiency is the baseline: the control, as designed or as operated, doesn't allow management or employees to prevent or detect misstatements on a timely basis. A significant deficiency is less severe than a material weakness but important enough that those overseeing financial reporting need to hear about it. A material weakness is the one that matters: a deficiency, or combination of deficiencies, such that there is a reasonable possibility a material misstatement would not be prevented or detected on a timely basis. Material weaknesses must be disclosed in management's 404 report in the 10-K, and the disclosure typically hurts the share price.
Most organizations align their control framework with COSO Internal Control — Integrated Framework (the 2013 update is the current version) and use COBIT for IT-specific guidance. SOX itself names neither, but the SEC's 404 rules require management to assess ICFR against a suitable, recognized framework, and COSO is the one auditors expect. If your control language doesn't match COSO/COBIT vocabulary, you'll spend the audit explaining your own taxonomy instead of testing controls.
Enforcement and penalties
SOX enforcement runs along three tracks:
- SEC civil enforcement — the most common. Companies that file inaccurate reports, fail to maintain adequate ICFR, or restate financials face SEC investigations, civil fines, and consent orders. Disgorgement of bonuses tied to falsified results is routine.
- DOJ criminal enforcement — the rarer but headline-making track. SOX 906 false certifications are a federal crime; obstruction of justice via document destruction (802) is also a federal crime. Most criminal SOX cases pair with broader fraud charges.
- PCAOB enforcement against auditors — the consequence for audit firms that don't catch what they should have. Sanctions, financial penalties, and (rarely) revocation of registration.
Penalties scale with the violation:
| Provision | Maximum |
|---|---|
| SOX 906 false certification (knowing) | $1M and/or 10 years imprisonment |
| SOX 906 false certification (willful) | $5M and/or 20 years imprisonment |
| SOX 802 record destruction | 20 years imprisonment |
| SEC civil penalties | Per-violation; commonly into the tens of millions for material cases; bonuses subject to clawback |
Recent cases
A few representative post-2015 enforcement matters that surfaced ITGC- or control-related issues:
- Wells Fargo (2018-2020). After the fake-accounts scandal, the bank settled with the DOJ and SEC in 2020 for $3B over sales practices that, per the DOJ, ran from 2002 to 2016 without being stopped by the bank's own controls; the SEC separately charged the former CEO and the former head of community banking with misleading investors. The ITGC lesson is about monitoring and review: mass account creation continued for years without the bank's controls acting on it.
- SolarWinds (2023-2024). In October 2023 the SEC charged SolarWinds and its CISO with securities fraud and internal-controls violations tied to the company's cybersecurity disclosures and practices. The SEC's theory treated cybersecurity control failures as failures of the "internal accounting controls" the Exchange Act requires, which would bring a security program within the same enforcement track as ICFR. In July 2024 the district court dismissed most of the case, including that internal-controls theory, leaving only claims about statements in the company's public Security Statement. Even so, the case changed how disclosure committees and auditors treat security controls on in-scope systems.
- Under Armour (2021). SEC charged the company with misleading investors regarding revenue growth via "pull-forward" sales. The investigation surfaced gaps in disclosure controls and revenue-recognition oversight.
- Hertz (restatement 2015, SEC settlement 2018). The company restated several years of financials and disclosed multiple material weaknesses in ICFR; the SEC's order found the inaccurate filings stemmed from inadequate internal accounting controls and from pressure on accounting staff to meet targets. The takeaway for IT teams is that a restatement forces re-examination of every control, including the systems, behind each restated line item.
- General Electric (2020). The SEC fined GE $200M for disclosure failures around its power and insurance segments. The investigation surfaced internal-controls and disclosure-controls issues across multiple business units.
What SOX means for a security team
Translated into operational reality:
- Know which systems are "in scope." Internal audit and external auditor maintain a list. You should know it cold. Don't assume scope based on system name — the scope follows the financial-data flow.
- Maintain the evidence the audit will ask for, in the form they'll ask for it. Approval tickets for access changes, screenshots of change-management workflows, terminated-user reports, MFA configuration evidence, log retention proof. Reactive evidence-gathering is the most expensive way to do SOX.
- Segregation of duties is non-negotiable. Developers don't migrate to production. Privileged-account holders don't approve their own changes. Cash-handlers don't reconcile cash. SoD violations are findings even when nothing went wrong.
- Track material changes year-round. A new ERP implementation, a major cloud migration, an acquisition — these are all "control environment changes" that the audit will examine. Surprises during testing season are bad. Pre-briefs to internal audit are good.
- Logging and monitoring isn't enough — review is the point. The audit wants evidence that logs are reviewed, not just collected. Build the review cadence into someone's job description with documented sign-offs.
- Treat security incidents on in-scope systems as control deficiencies until proven otherwise. An incident that touched a financial system might be a control deficiency, significant deficiency, or material weakness depending on impact. Engage internal audit and finance early, not at year-end.
- Document your control framework alignment. COSO 2013 + COBIT is the default. Whatever you use, write it down and make sure your control descriptions match the framework's vocabulary.
SOX is a financial-reporting statute that turns out to require half the work to be done by IT and security teams. The mechanism is the controls hierarchy: if your ITGCs (access, change management, operations, security) can't be relied on, then the application controls inside the ERP can't be relied on, then the auditor can't sign off on management's ICFR assessment, then the 10-K filing is at risk. That chain is why CFOs care about who has admin rights to production.
The path of least friction is to align your security program with COSO/COBIT vocabulary, automate evidence collection where you can, and treat internal audit as your most useful internal customer. The SolarWinds case made the stakes explicit: the SEC tried to treat deficient cybersecurity controls as internal-controls violations, and although the court rejected that theory in 2024, disclosure committees and auditors now ask about security controls on financial systems as a matter of course. Build for that reality.
Sources
- U.S. Congress. (2002). Sarbanes-Oxley Act of 2002. Pub. L. No. 107-204, 116 Stat. 745. https://www.congress.gov/bill/107th-congress/house-bill/3763
- Public Company Accounting Oversight Board. (2007, as amended). Auditing Standard No. 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201
- Committee of Sponsoring Organizations of the Treadway Commission. (2013). Internal Control — Integrated Framework. https://www.coso.org/Pages/ic.aspx
- ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. https://www.isaca.org/resources/cobit
- U.S. Securities and Exchange Commission. (2023). SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Press Release 2023-227). https://www.sec.gov/news/press-release/2023-227
- U.S. Department of Justice and U.S. Securities and Exchange Commission. (2020). Wells Fargo Agrees to Pay $3 Billion to Resolve Criminal and Civil Investigations into Sales Practices. https://www.justice.gov/opa/pr/wells-fargo-agrees-pay-3-billion-resolve-criminal-and-civil-investigations-sales-practices