SOX
The Sarbanes-Oxley Act mandates internal controls over financial reporting for US public companies, and its IT control requirements reach every system that stores, processes, or feeds financial data.
Section 404 of the Sarbanes-Oxley Act requires public companies to assess and report on the effectiveness of internal controls over financial reporting (ICFR). For technology systems, this translates to IT General Controls (ITGCs) — the access controls, change management processes, and operational controls that govern systems supporting financial reporting. ITGCs are audited annually by external auditors as part of the financial statement audit.
The four ITGC domains that matter most to engineering teams are: access management (who can access production systems and financial data, and how that access is granted, reviewed, and revoked), change management (how code changes move from development to production, and who approves them), computer operations (how systems are monitored, how jobs and batches are run, and how incidents are handled), and data management (how financial data is stored, backed up, and protected from unauthorized modification). A deficiency in any of these domains is evaluated for severity; one that rises to a material weakness must be disclosed in the company's SEC filings.
SOX compliance is primarily an audit trail problem. Auditors test ITGCs by requesting evidence: access provisioning and deprovisioning records, change ticket histories, code review approvals, deployment logs, periodic access reviews, and incident management records. Organizations that cannot produce this evidence, because their change management is informal, their access provisioning is undocumented, or their deployment logs are not retained, are reported as having control deficiencies regardless of whether the underlying controls are technically sound: a control that cannot be evidenced is treated as if it did not operate.
We build SOX ITGC controls into the engineering workflow — enforcing change management through code review and CI/CD pipelines that produce audit trails automatically, implementing access management through identity providers with complete provisioning logs, and retaining deployment and access records in audit-ready formats. Our teams understand what external auditors test and build evidence generation into the development process.
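The change-management evidence an auditor asks for can be generated from the pipeline itself rather than reconstructed after the fact. The following is an added example, not code from the original page or from any specific CI system: it reconciles a constructed deployment log against constructed pull request records and checks the three things an ITGC change-management test typically looks for, namely that every production deployment traces to a pull request, that the pull request references a change ticket, and that it was approved before merge by someone other than its author. The record shapes, the ticket-ID pattern, the `ci-bot` service account, and all names and commits are assumptions made for illustration.

```python
"""Change-management evidence check: every production deployment must trace to a
reviewed, ticketed pull request approved by someone other than its author.

Added example, not the page's own code. All records below are constructed for
illustration; the field names are assumptions, not any real CI system's export.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

# Assumed ticket format, e.g. FIN-1234; adjust to the organization's tracker.
TICKET_RE = re.compile(r"\b[A-Z]{2,10}-\d+\b")


@dataclass
class Approval:
    reviewer: str
    approved_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    title: str
    merge_commit: str
    merged_at: datetime
    approvals: list = field(default_factory=list)


@dataclass
class Deployment:
    commit: str
    environment: str
    deployed_at: datetime
    deployed_by: str


def check_deployment(dep, prs_by_commit):
    """Return the control exceptions for one deployment (empty list = clean)."""
    pr = prs_by_commit.get(dep.commit)
    if pr is None:
        return [f"{dep.commit}: no pull request found for deployed commit"]
    issues = []
    if not TICKET_RE.search(pr.title):
        issues.append(f"PR #{pr.number}: no change ticket referenced in title")
    # Independent approval: reviewer must differ from the author, and the approval
    # must precede the merge. An approval recorded after merge is not evidence
    # that the change was reviewed before it went in.
    valid = [a for a in pr.approvals
             if a.reviewer != pr.author and a.approved_at <= pr.merged_at]
    if not valid:
        issues.append(f"PR #{pr.number}: no independent approval before merge")
    # Segregation of duties on the deploy step: a human deploying their own
    # change is flagged; the pipeline service account is the expected deployer.
    if dep.deployed_by == pr.author:
        issues.append(f"PR #{pr.number}: author {pr.author} also deployed the change")
    return issues


def build_evidence(deployments, prs):
    """Produce the audit evidence table and the exception list for production deploys."""
    prs_by_commit = {pr.merge_commit: pr for pr in prs}
    evidence, exceptions = [], []
    for dep in sorted(deployments, key=lambda d: d.deployed_at):
        if dep.environment != "production":
            continue  # ITGC scope is production systems supporting financial reporting
        issues = check_deployment(dep, prs_by_commit)
        pr = prs_by_commit.get(dep.commit)
        ticket = TICKET_RE.search(pr.title) if pr else None
        evidence.append({
            "commit": dep.commit,
            "deployed_at": dep.deployed_at.isoformat(),
            "deployed_by": dep.deployed_by,
            "pr": pr.number if pr else None,
            "author": pr.author if pr else None,
            "approvers": [a.reviewer for a in pr.approvals] if pr else [],
            "ticket": ticket.group(0) if ticket else None,
            "status": "PASS" if not issues else "EXCEPTION",
        })
        exceptions.extend(issues)
    return evidence, exceptions


# Constructed sample data (not real records).
T = datetime.fromisoformat
SAMPLE_PRS = [
    PullRequest(101, "alice", "FIN-1234 Fix revenue rounding", "a1b2c3", T("2024-03-01T10:00"),
                [Approval("bob", T("2024-03-01T09:30"))]),
    PullRequest(102, "carol", "Hotfix ledger export", "d4e5f6", T("2024-03-02T15:00"),
                [Approval("carol", T("2024-03-02T14:50"))]),   # self-approved, no ticket
    PullRequest(103, "dave", "FIN-1300 Add audit log retention", "0f9e8d", T("2024-03-03T11:00"),
                [Approval("erin", T("2024-03-03T11:20"))]),    # approved after merge
]
SAMPLE_DEPLOYS = [
    Deployment("a1b2c3", "production", T("2024-03-01T11:00"), "ci-bot"),
    Deployment("d4e5f6", "production", T("2024-03-02T15:10"), "carol"),
    Deployment("0f9e8d", "staging", T("2024-03-03T11:30"), "ci-bot"),
    Deployment("0f9e8d", "production", T("2024-03-03T12:00"), "ci-bot"),
    Deployment("beef00", "production", T("2024-03-04T09:00"), "ci-bot"),  # no PR at all
]

if __name__ == "__main__":
    rows, problems = build_evidence(SAMPLE_DEPLOYS, SAMPLE_PRS)
    for row in rows:
        print(row)
    for problem in problems:
        print("EXCEPTION:", problem)
```

Run against the sample data, the first deployment passes and the other three production deployments are exceptions: a self-approved, unticketed hotfix deployed by its own author, a change whose only approval was recorded after merge, and a commit with no pull request at all. The evidence table is what gets retained for the auditor; the exception list is what the engineering team remediates. In a real pipeline the two inputs would be pulled from the source-control and deployment systems on a schedule, and the table written to immutable storage with the retention period the audit requires.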
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.