What are SOX Controls? A Practical Guide for Compliance
Published: 05.20.2023 | Updated: 04.15.2025

What are SOX Controls?

SOX controls, also known as SOX 404 controls, are rules that can prevent and detect errors in a company’s financial reporting process. Internal controls are used to prevent or discover problems in organizational processes, ensuring the organization achieves its goals.

SOX controls are driven by the Sarbanes-Oxley Act of 2002 (SOX), a federal law that aims to increase the reliability of financial reporting and protect investors from corporate fraud. It applies to companies whose securities are registered with the SEC, including foreign companies listed on US exchanges; a few provisions, such as the record-retention and whistleblower-protection rules, also reach private companies. Section 404 requires these organizations to establish internal controls over financial reporting and to assess their effectiveness every year, and Section 302 requires executives to certify the resulting reports.


Types of SOX Controls

SOX itself does not provide a list of specific controls. Instead, it requires organizations to define their own controls to meet the law's objectives. In addition to the accounting controls over the close and reporting process, SOX controls typically include access control, change management, segregation of duties, cybersecurity controls, and backup and recovery.

SOX controls must be applied and verified in all cycles leading to the company’s financial report or financial results. Internal auditors must conduct regular compliance audits to verify that appropriate controls are in place and that they are functioning properly.

SOX Compliance Requirements

To better understand the context of internal controls within the SOX standard, here is a brief review of SOX requirements:

Senior management responsibility

In publicly traded companies, the CEO and CFO are directly responsible for every financial report filed with the Securities and Exchange Commission (SEC). Because they are personally responsible, they face severe criminal penalties for SOX violations, including prison time and fines in the millions of dollars.

Section 906 requires the CEO and CFO to certify that each periodic report containing financial statements complies with the Securities Exchange Act and fairly presents the company's financial condition and results. It also attaches criminal penalties to false certifications: knowingly certifying a non-compliant report carries fines of up to $1 million and up to 10 years in prison, and willfully doing so carries fines of up to $5 million and up to 20 years.
Besides that, SOX emphasizes accountability for actual fraud and for planning or attempting it. Section 902 provides that anyone who attempts or conspires to commit a criminal fraud offense is subject to the same penalties as if they had committed it.

Internal control report

Section 404(a) requires management to include in the annual report a statement of its responsibility for establishing and maintaining adequate internal control over financial reporting (ICFR), together with an assessment of how effective that control structure was at year end.

To ensure transparency, significant deficiencies and material weaknesses must be disclosed to the audit committee and the external auditors as they are identified, not held back until the annual report. Sections 302 and 404 are highly relevant to this aspect of the act:

  • SOX Section 302 requires the CEO and CFO to certify each quarterly and annual report, and with it their responsibility for disclosure controls and the related internal controls.
  • SOX Section 404 requires an annual management assessment of ICFR in the 10-K and, for accelerated filers, an independent auditor's attestation of that assessment; quarterly reports must also disclose any change that materially affected ICFR. These filings go to the SEC and are public, so investors and other stakeholders can rely on them.

Data security policies

SOX does not spell out technical security requirements, but an organization cannot demonstrate reliable financial reporting without a data security policy that governs the storage, access, and use of financial information. That policy must be implemented consistently, enforced on the systems that hold financial data, and clearly communicated to all employees.

Proof of compliance

SOX requires organizations to create and maintain compliance documentation, which must be provided to auditors upon request. Additionally, organizations are required to continually perform SOX control testing, as well as monitor and measure SOX compliance objectives.

SOX External Reporting

SOX reporting is done both internally and externally. External reports are filed with the U.S. Securities and Exchange Commission (SEC) and are publicly accessible; they are subject to strict regulatory standards and certification requirements. The external reports, and the SOX disclosure requirements that shape them, are:

  • Form 10-Q (quarterly). Filed three times a year; the fourth quarter is covered by the 10-K. Includes financial statements, management's discussion and analysis (MD&A), and disclosures about internal controls. The CEO and CFO must certify the report and the effectiveness of disclosure controls under Section 302. Regulatory basis: Sections 302, 404, 906.
  • Form 10-K (annual). Covers the company's financial performance, operations, risk factors, and control environment. Includes management's assessment of internal control over financial reporting (Section 404(a)) and, for accelerated and large accelerated filers, the external auditor's attestation report (Section 404(b)). Requires executive certification under Sections 302 and 906. Regulatory basis: Sections 302, 404, 906.
  • Form 8-K (current report for material events). Must be filed within four business days of the event. Notifies the SEC of significant or unexpected events that may affect shareholders, such as mergers, leadership changes, material cybersecurity incidents, or restatements. Implements the rapid-disclosure requirement of Section 409. Regulatory basis: Section 409.
  • Record retention (Section 802). Audit and review workpapers must be retained for at least five years. Applies to public companies and their auditors. Altering or destroying relevant records is prohibited and carries criminal penalties. Regulatory basis: Section 802.
  • Enhanced disclosures (Section 401). Requires greater transparency about financial exposures and risks: off-balance-sheet arrangements (e.g., leases, guarantees), use of special purpose entities (SPEs), material adjustments proposed by auditors, and internal control deficiencies affecting financial reporting. Regulatory basis: Section 401.

SOX Internal Controls Audits: 4 Key Areas of Focus

An enterprise's internal audit and controls testing is generally the largest, most complex, and most time-consuming part of a SOX compliance audit. This is because the IT controls in scope cover every system that stores, processes, or can alter financial data: servers and workstations, applications and databases, and the network paths and interfaces between them.

A SOX IT controls audit focuses on the following areas:

1. Access Control

Evaluating how the organization restricts access and implements access control measures, to ensure only the right people can physically and electronically access sensitive financial information. This includes physical access measures like locks and video surveillance for server rooms, and digital measures like authentication and credentials management using an identity and access management (IAM) solution.

2. IT Security

Evaluating how the organization identifies sensitive data, protects it against cyberattacks, monitors who is accessing it and how, and detects security incidents. In the event of an incident, the company must be able to take corrective action in a timely and effective manner. This requires dedicated security staff, effective security procedures, and security tools such as a Security Information and Event Management (SIEM) system.

3. Data Backup

Evaluating how the organization backs up data and key systems to minimize business disruption and data loss in case of a disaster. Both the original systems, and the data center containing backups or standby systems that store financial data, must be compliant with SOX requirements.

4. Change Management

Evaluating how the organization manages changes to the IT environment: user onboarding and offboarding, new computing infrastructure, new software, updates to existing software, and configuration changes. Every change should be approved, tested, and recorded before it reaches production, with the people who develop changes kept separate from those who deploy them. Sensitive changes should be monitored, and anomalies (for example, a production change with no matching ticket) reported and acted on to prevent security breaches and undetected alterations to financial data.

Role of PCAOB in SOX Controls

The Public Company Accounting Oversight Board (PCAOB) is a nonprofit organization created by the Sarbanes-Oxley Act (SOX) to oversee external auditors of public companies. Its mission is to protect investors by ensuring high-quality and trustworthy audits.

Even though companies do not report to the PCAOB directly, the auditors they hire do: registered audit firms must follow PCAOB auditing standards, including AS 2201 on auditing internal control over financial reporting (ICFR), and are periodically inspected by the PCAOB. An audit that falls short of those standards can be faulted in inspection, which in turn calls the company's attestation into question. Understanding PCAOB expectations helps you prepare documentation and test controls properly and avoid audit issues.

Best Practices for SOX Controls

The following best practices can help you more effectively implement and audit SOX controls.

Use a Top Down Risk Assessment Approach

The PCAOB's auditing standard for ICFR (AS 2201) calls for a top-down approach to assessing risk over SOX controls. Start at the financial statement level: identify the significant accounts and disclosures and the assertions that matter for each (existence, completeness, valuation, and so on), consider the entity-level controls that affect them, and then work down to the significant processes and the specific controls that address the risk of material misstatement in those accounts.

The end goal of a risk assessment is to identify possible risks, existing controls, and whether they are enough to satisfy SOX requirements. If not, the next step is to develop new procedures to implement the missing controls.


Determining Materiality in SOX

It is critical to determine materiality and to understand the level of controls required for a financial statement to comply with SOX. The following guidelines can help you determine materiality:

  • Apply quantitative benchmarks to assess materiality. Use standard thresholds as a starting point to determine if a mistake or control failure could influence financial decisions:
    • 5% of operating income (pre-tax) – e.g., for $40M income, materiality ≈ $2M
    • 3–5% of net income – e.g., for $20M net income, threshold = $600K–$1M
    • 0.5–2% of total revenues – e.g., for $500M revenue, materiality = $2.5M–$10M
    • 1–2% of total assets – e.g., for $1B in assets, threshold = $10M–$20M
    • 1% of equity – e.g., for $800M in equity, threshold = $8M
  • Use lower thresholds for control testing. Consider setting testing materiality between 25% and 50% of financial materiality to identify control failures early and reduce audit risk.
  • Identify what is material to P&L and balance sheet—see if an item in a financial statement can impact the economic decisions made by the company, by analyzing its significance as a share of the overall economic activity.
  • Identify business units or locations with material account balances—review financial statements for all units of the business. If any of them contain material account balances, they will probably require SOX testing in the next financial year.
  • Identify key transactions—when you identify a material account balance, identify the specific debits and credits that affect the balance. Find and document a process to monitor these key transactions.
  • Identify financial reporting risks—for every material account, see what can cause key transactions to be improperly reported. Clearly identify how risk events can affect the account balance, and as a result, the overall financial statement.

Limit the Number of SOX Controls By Identifying Key Controls

It can be tempting to apply a control every time a risk is identified in the risk assessment process. However, this leads to a large number of controls, which can be difficult to implement and enforce and may needlessly impact business operations.

It is advised to limit the number of controls to the minimum necessary, by identifying key controls: those whose failure would leave a risk of material misstatement unaddressed. A simple way to differentiate key from non-key controls is to ask, "What risk does this control mitigate, is that risk high or low, and does another control already cover it?" If the risk is low or already covered, the control need not be treated as a key SOX control, even if it remains good operational practice. Use this approach to prioritize your efforts.

Distinguishing Critical IT Systems from SOX-Relevant Systems

Not all critical IT systems are directly relevant to SOX compliance. A system’s relevance depends on whether it impacts financial reporting or controls tied to financial data.

When defining your SOX control scope, focus on systems directly impacting financial reporting. Understanding data flows and how information travels from operational systems to the general ledger will help identify SOX-relevant systems.

SOX-relevant systems:
  • Financial ERP systems (e.g., SAP, Oracle Financials)
  • Systems used for revenue recognition
  • Inventory management systems tied to financial reporting
  • Any system that processes financial transactions or produces reports contributing to financial statements

Critical but usually not SOX-relevant:
  • Customer relationship management (CRM) systems (e.g., Salesforce), unless they feed revenue or billing processes that affect financial statements
  • Human resources systems, unless payroll or compensation data directly impact financial reporting
  • Operations or logistics systems, unless they influence inventory costing or other financial metrics

Identify Manual vs. Automated Controls

In a large enterprise, it is infeasible to implement all controls manually. Automated controls are increasingly preferred in SOX compliance programs because they reduce the risk of human error, enhance consistency, and simplify testing processes.

Differentiate between the types of controls as follows:

  • Manual controls are performed without the aid of system automation. They often involve human judgment, review, or approval and are commonly used in areas requiring subjectivity or qualitative assessment. The SOX audit team tests these controls directly by reviewing evidence of performance (e.g., signoffs, memos, supporting documentation). Examples include bank reconciliations performed monthly by the accounting team and reviewed by a supervisor.

  • Automated controls outside the scope of IT General Controls (ITGC) testing are system-based controls that do not rely on ITGCs for their effectiveness. Instead, they operate on configured logic within applications that can be tested independently of system access or change management processes. Examples include automated exception reports generated daily by a financial reporting system that flags transactions outside thresholds.

  • Automated controls within the scope of ITGC testing are highly dependent on ITGCs for reliability—particularly access control, program change management, and IT operations. If ITGCs are not effective, the reliability of these controls is also compromised.

The first two categories are tested directly by the SOX audit team. The third category is typically tested once for its configured logic and then relied upon for as long as ITGC testing shows that the access and change-management controls around the system operated effectively during the period (a benchmarking strategy). By identifying this third category and focusing direct testing on the first two, you can save a significant amount of time in SOX control auditing.
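As an added illustration (not code from the article or from Pathlock), the following Python script implements the automated exception report the bullets above mention: it runs over a constructed day of journal entries and flags amounts at or above a threshold, missing or self-approvals, approvals by users outside the approver group, and postings outside business hours. The threshold, approver set, user names and entries are constructed assumptions.

```python
"""Added example, not code from the article or from Pathlock: a daily
journal-entry exception report of the kind the automated-control bullets
describe. Entries, roles, users and thresholds are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed control configuration. In a real system these values live in
# application configuration, which is why the control depends on change-
# management and access ITGCs: whoever can edit them can silence the control.
THRESHOLD = 50_000.00                 # flag entries at or above this amount
BUSINESS_HOURS = (7, 19)              # local hours: start inclusive, end exclusive
APPROVERS = {"cfo", "controller"}     # users entitled to approve journal entries


@dataclass(frozen=True)
class JournalEntry:
    doc_id: str
    amount: float
    posted_by: str
    approved_by: Optional[str]
    posted_at: datetime
    account: str


# Constructed one-day population (2025-03-03 is a Monday).
ENTRIES = [
    JournalEntry("JE-1001", 12_500.00, "apclerk", "controller", datetime(2025, 3, 3, 10, 15), "2000-AP"),
    JournalEntry("JE-1002", 75_000.00, "apclerk", "controller", datetime(2025, 3, 3, 11, 40), "2000-AP"),
    JournalEntry("JE-1003", 9_800.00, "controller", "controller", datetime(2025, 3, 3, 14, 5), "4000-REV"),
    JournalEntry("JE-1004", 3_200.00, "apclerk", None, datetime(2025, 3, 3, 16, 30), "6100-OPEX"),
    JournalEntry("JE-1005", 48_000.00, "apclerk", "itadmin", datetime(2025, 3, 3, 23, 10), "1000-CASH"),
]


def check_entry(e: JournalEntry) -> List[str]:
    """Return the ids of every rule the entry violates (empty list = clean)."""
    findings = []
    if e.amount >= THRESHOLD:
        findings.append("AMOUNT_OVER_THRESHOLD")
    if e.approved_by is None:
        findings.append("MISSING_APPROVAL")
    else:
        if e.approved_by == e.posted_by:
            findings.append("SELF_APPROVED")            # preparer and approver must differ
        if e.approved_by not in APPROVERS:
            findings.append("APPROVER_NOT_AUTHORIZED")  # approval by a user without the role
    start, end = BUSINESS_HOURS
    if e.posted_at.weekday() >= 5 or not (start <= e.posted_at.hour < end):
        findings.append("OUTSIDE_BUSINESS_HOURS")
    return findings


def exception_report(entries: List[JournalEntry]) -> Dict[str, List[str]]:
    """Map doc_id -> violated rule ids for every entry with at least one finding.
    Clean entries are omitted, so the report is the reviewer's work queue."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        findings = check_entry(e)
        if findings:
            report[e.doc_id] = findings
    return report


if __name__ == "__main__":
    for doc_id, rules in exception_report(ENTRIES).items():
        print(f"{doc_id}: {', '.join(rules)}")
```

Which of the automated categories above this control falls into depends on where THRESHOLD and APPROVERS live: if an administrator can edit that configuration or grant the approver role outside the control, the report can be silenced without touching the code, and the control is reliable only to the extent that the access and change-management ITGCs over that configuration operate effectively.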

Leveraging Automation and Cybersecurity in ITGC Scoping

As businesses grow, automation and cybersecurity measures become critical to keeping SOX controls effective. Cybersecurity also determines scope: controls that protect systems and data integral to financial reporting, such as access management, logging, and change control on those systems, fall within the SOX boundary. Organizations must therefore assess their existing cybersecurity measures against that boundary and close any gaps.

By integrating automation and evaluating cybersecurity controls, companies can enhance the precision of their SOX control scoping and ensure the robust protection of financial reporting processes.

Management Review Controls (MRCs): Enhancing Financial Oversight

Management Review Controls (MRCs) are a subset of key controls within SOX compliance. They typically seek to improve management’s confidence that internal control over financial reporting (ICFR) is effective and to reduce the risk of material misstatements in financial reports.

MRCs are vital to all internal control systems. They involve skilled personnel reviewing aggregated financial data or estimates to identify potential misstatements. These controls rely significantly on the completeness and accuracy of underlying information, often obtained from various internal and external systems.

Management can detect and address discrepancies or errors by thoroughly reviewing financial statements. MRCs are typically applied in the monthly close process, budget versus actual analysis, and quarterly and annual financial reviews.

Implementing effective MRCs requires clear documentation of review procedures, evaluation criteria, and review process evidence. This not only strengthens the internal control environment but also provides auditors with the necessary documentation to assess the effectiveness of these controls.

SOX Control Testing

SOX testing ensures that internal financial reporting controls are designed effectively and operating as intended. It helps organizations identify weaknesses that can lead to material misstatements, protecting the accuracy and integrity of financial disclosure.

Both internal audit teams and external auditors participate in this process. External auditors evaluate controls to validate management's assertions, while internal teams assess control performance to detect issues proactively. Effective SOX control testing begins with understanding the specific control and the risk it is meant to mitigate. Testers first assess design effectiveness (does the control, as designed, address the risk, usually confirmed through a walkthrough) and then operating effectiveness (did the control actually operate as designed throughout the period). Test procedures are built on the control's key attributes, such as who performed it, when, on what evidence and with what follow-up, and must gather sufficient evidence, typically a sample of instances, to support a conclusion.
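As an added illustration of operating-effectiveness testing (not code from the article), the following Python script attribute-tests a sample of change tickets against a change-management control: each sampled ticket must have an approver who is not the implementer, an approval that predates the deployment, and test evidence attached. The tickets, the attribute list, the sample size and the seed are constructed assumptions; the zero-exception evaluation is the common approach for key controls but is a choice, not a SOX requirement.

```python
"""Added example, not code from the article: attribute testing of a sample of
change tickets to evidence the operating effectiveness of a change-management
control. Tickets, attributes, sample size and seed are constructed."""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    implementer: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    deployed_at: datetime
    test_evidence: bool        # was test sign-off attached before deployment


# Constructed population: every production change in the period under test.
POPULATION = [
    ChangeTicket("CHG-101", "dev1", "cab", datetime(2025, 2, 3, 9, 0), datetime(2025, 2, 3, 18, 0), True),
    ChangeTicket("CHG-102", "dev2", "dev2", datetime(2025, 2, 5, 9, 0), datetime(2025, 2, 5, 17, 0), True),
    ChangeTicket("CHG-103", "dev1", None, None, datetime(2025, 2, 7, 12, 0), True),
    ChangeTicket("CHG-104", "dev3", "cab", datetime(2025, 2, 10, 20, 0), datetime(2025, 2, 10, 17, 0), True),
    ChangeTicket("CHG-105", "dev2", "cab", datetime(2025, 2, 14, 9, 0), datetime(2025, 2, 14, 16, 0), False),
    ChangeTicket("CHG-106", "dev1", "cab", datetime(2025, 2, 21, 9, 0), datetime(2025, 2, 21, 19, 0), True),
]

# Attributes every sampled item must satisfy; each maps to a line in the test plan.
ATTRIBUTES: Dict[str, Callable[[ChangeTicket], bool]] = {
    "approved": lambda t: t.approver is not None and t.approved_at is not None,
    "approver_not_implementer": lambda t: t.approver is not None and t.approver != t.implementer,
    "approved_before_deploy": lambda t: t.approved_at is not None and t.approved_at <= t.deployed_at,
    "test_evidence_attached": lambda t: t.test_evidence,
}


def select_sample(population: List[ChangeTicket], size: int, seed: int) -> List[ChangeTicket]:
    """Random sample that is reproducible from the recorded seed, so the auditor
    can reperform the selection instead of trusting the tester's choice."""
    ids = sorted(t.ticket_id for t in population)
    chosen = set(random.Random(seed).sample(ids, min(size, len(ids))))
    return [t for t in population if t.ticket_id in chosen]


def run_attribute_tests(sample: List[ChangeTicket]) -> Dict[str, List[str]]:
    """ticket_id -> names of the attributes it failed (empty list = passed)."""
    return {t.ticket_id: [name for name, ok in ATTRIBUTES.items() if not ok(t)] for t in sample}


def evaluate(results: Dict[str, List[str]]) -> Dict[str, object]:
    """Zero-exception evaluation: for a key control, a single exception in the
    sample means the control cannot be concluded to operate effectively."""
    exceptions = {tid: failed for tid, failed in results.items() if failed}
    return {"tested": len(results), "exceptions": len(exceptions),
            "effective": not exceptions, "detail": exceptions}


if __name__ == "__main__":
    sample = select_sample(POPULATION, size=3, seed=20250301)
    print(evaluate(run_attribute_tests(sample)))
```

Recording the seed in the workpapers lets the external auditor reperform the selection. A retroactive approval (CHG-104) and a self-approval (CHG-102) fail even though a ticket exists for each, which is the difference between testing that the control is documented and testing that it operated.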

Automating SOX Internal Controls Auditing with Pathlock

Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to proving compliance with your internal controls for SOX. Continuous controls monitoring can ensure that you are always tracking your compliance, so there are no major surprises when the audit season comes around.

In today's enterprise, nearly all financially relevant activity happens in applications like SAP, Oracle, Workday, and NetSuite. By connecting directly to these business applications, Pathlock automatically monitors activity to surface violations of controls and to pinpoint and quantify the financial impact of any risks. Internal and external auditors alike rely on Pathlock's reports to prove control enforcement and compliance with regulations.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk, tying each violation to the real dollar amount of the out-of-policy transactions it enabled.

Comprehensive Rulebook

With a catalog of over 500 rules, Pathlock provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.

Real-time Access Mitigation

Pathlock lets users quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, or forcing 2FA, or it can respond automatically, terminating suspicious sessions and blocking transactions in real time.

Out-of-the-Box Integrations

Pathlock's out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.

Lateral SOD Correlation

All entitlements and roles are correlated with a user's behavior across applications, consolidating their activities and exposing cross-application SoD conflicts between financially relevant applications.
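As an added illustration of the correlation step (not Pathlock's code or ruleset), the following Python script resolves accounts from two applications to one person through an identity map before applying SoD rules, so that a vendor-creation role in the ERP and a payment-release role in a separate AP portal are recognized as one person's conflict. The applications, account names, roles, capabilities and rules are constructed assumptions.

```python
"""Added example, not Pathlock's code or ruleset: correlating entitlements from
two applications to one person before evaluating segregation-of-duties (SoD)
rules. Identities, roles, capabilities and rules are constructed."""
from typing import Dict, List, Set, Tuple

Account = Tuple[str, str]          # (application, account name)

# Identity map (constructed): application account -> person. In practice it
# comes from the IAM or HR system. Without it, "jdoe" in the ERP and "j.doe"
# in the AP portal look like two unrelated users and the cross-app conflict hides.
ACCOUNT_TO_PERSON: Dict[Account, str] = {
    ("erp", "jdoe"): "jane.doe",
    ("ap_portal", "j.doe"): "jane.doe",
    ("erp", "mlee"): "mark.lee",
    ("ap_portal", "mlee"): "mark.lee",
    ("ap_portal", "kwong"): "kim.wong",
}

# Technical role -> business capabilities it grants, per application (constructed).
ROLE_CAPABILITIES: Dict[Tuple[str, str], Set[str]] = {
    ("erp", "VENDOR_MASTER_MAINT"): {"create_vendor"},
    ("erp", "GL_POSTING"): {"post_journal"},
    ("erp", "GL_REVIEW"): {"approve_journal"},
    ("ap_portal", "AP_INVOICE_ENTRY"): {"enter_invoice"},
    ("ap_portal", "AP_PAYMENT_RUN"): {"release_payment"},
}

# Role assignments extracted from each application (constructed): (app, account, role).
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("erp", "jdoe", "VENDOR_MASTER_MAINT"),
    ("ap_portal", "j.doe", "AP_PAYMENT_RUN"),
    ("erp", "mlee", "GL_POSTING"),
    ("erp", "mlee", "GL_REVIEW"),
    ("ap_portal", "mlee", "AP_INVOICE_ENTRY"),
    ("ap_portal", "kwong", "AP_PAYMENT_RUN"),
]

# SoD rules: capability pairs one person must never hold together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "SOD-01": ("create_vendor", "release_payment"),   # create a fictitious vendor and pay it
    "SOD-02": ("post_journal", "approve_journal"),    # post and approve one's own entries
    "SOD-03": ("enter_invoice", "release_payment"),   # enter an invoice and release its payment
}


def capabilities_by_person(assignments, identity_map):
    """person -> {capability: [(app, role) that grants it]}.
    Accounts missing from identity_map are kept as 'app/account' so they are
    still evaluated within their own application and remain visible as unmapped."""
    caps: Dict[str, Dict[str, List[Tuple[str, str]]]] = {}
    for app, account, role in assignments:
        person = identity_map.get((app, account), f"{app}/{account}")
        for cap in ROLE_CAPABILITIES.get((app, role), set()):
            caps.setdefault(person, {}).setdefault(cap, []).append((app, role))
    return caps


def find_conflicts(assignments, identity_map):
    """person -> [(rule_id, [(app, role) sources of both conflicting capabilities])]."""
    conflicts: Dict[str, List[Tuple[str, List[Tuple[str, str]]]]] = {}
    for person, caps in capabilities_by_person(assignments, identity_map).items():
        for rule_id, (a, b) in SOD_RULES.items():
            if a in caps and b in caps:
                conflicts.setdefault(person, []).append((rule_id, caps[a] + caps[b]))
    return conflicts


if __name__ == "__main__":
    for person, hits in find_conflicts(ASSIGNMENTS, ACCOUNT_TO_PERSON).items():
        for rule_id, sources in hits:
            print(f"{person}: {rule_id} via {sources}")
    # Same data with no identity correlation: jane.doe's cross-app conflict disappears.
    print(find_conflicts(ASSIGNMENTS, {}))
```

Run with an empty identity map and jane.doe's SOD-01 conflict disappears while mark.lee's within-app SOD-02 conflict remains; a single-application SoD check sees only the second case. Mapping technical roles to business capabilities before applying rules also keeps the rule set stable when an application renames or splits its roles.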

Continuous Control Monitoring

Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.

Schedule a demo with our compliance experts to understand how Pathlock can enable you to achieve compliance using fine-grained controls within your ERP applications.

Frequently Asked Questions

What are SOX controls, and why are they important?

SOX controls, or SOX 404 controls, are the internal controls required under the Sarbanes-Oxley Act of 2002 (SOX). Section 404 of SOX mandates that organizations implement and maintain robust internal controls over financial reporting. These controls are the mechanisms that prevent, detect, and correct errors or irregularities within business processes, supporting the organization's ability to produce accurate financial statements and to meet its operational, compliance, and reporting objectives with integrity.

How often should SOX controls be tested?

SOX controls must be tested at least once a year as part of the year-end compliance process. In practice the frequency varies with the risk level, the control type, and the results of previous testing. Quarterly or semi-annual testing is common practice for high-risk or key controls critical to financial reporting accuracy, for controls that have failed or shown deficiencies in the past, and for controls in high-change environments (e.g., system upgrades, organizational changes, or process redesigns).

What are the penalties for non-compliance?

Non-compliance with the Sarbanes-Oxley Act (SOX) can lead to severe civil and criminal penalties. The law holds CEOs and CFOs personally accountable for the accuracy of financial reports. Under Section 906, executives who knowingly submit false financial statements may face up to $1 million in fines or 10 years in prison, while those who willfully certify fraudulent reports can face up to $5 million in fines or 20 years in prison. In addition, organizations violating SOX may be fined up to $25 million and risk delisting from public stock exchanges, which can severely damage their reputation and limit access to capital markets.