
SOX

Sarbanes-Oxley Act

United States
Effective: July 30, 2002

Overview

The Sarbanes-Oxley Act establishes requirements for financial reporting and internal controls for publicly traded companies. Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting. IT general controls, including access controls and segregation of duties, are critical components of SOX compliance.

IAM Requirements

Access Control

  • Implement logical access controls to financial systems
  • Restrict access based on job responsibilities
  • Regular access reviews and recertification
  • Timely removal of access upon termination or role change
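The access-control bullets above are usually evidenced by reconciling the financial application's account export against the HR system of record. The following is an added example (not code from the original page): it flags terminated employees whose accounts are still enabled past an assumed deprovisioning SLA, logins that occurred after the termination date, accounts with no HR owner, and accounts whose employee id the HR feed does not know. The HR feed, the account export, the employee ids and the two-day SLA are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed HR feed (system of record): employee id -> status and termination date.
HR_FEED = {
    "e100": {"name": "Alice", "status": "active", "term_date": None},
    "e101": {"name": "Bob", "status": "terminated", "term_date": date(2024, 6, 3)},
    "e102": {"name": "Carol", "status": "terminated", "term_date": date(2024, 6, 28)},
}

# Constructed account export from an in-scope financial application.
APP_ACCOUNTS = [
    {"account": "alice", "employee_id": "e100", "enabled": True, "last_login": date(2024, 6, 29)},
    {"account": "bob", "employee_id": "e101", "enabled": True, "last_login": date(2024, 6, 10)},
    {"account": "carol", "employee_id": "e102", "enabled": True, "last_login": date(2024, 6, 27)},
    {"account": "svc_batch", "employee_id": None, "enabled": True, "last_login": date(2024, 6, 30)},
    {"account": "ghost", "employee_id": "e999", "enabled": True, "last_login": date(2024, 1, 2)},
    {"account": "old_temp", "employee_id": "e101", "enabled": False, "last_login": None},
]


def reconcile_accounts(hr, accounts, as_of, sla_days=2):
    """Return (account, issue) pairs for an access review performed as of `as_of`.

    sla_days is the assumed deprovisioning SLA after termination. Every finding
    has to be remediated or explicitly accepted (with a reason) before sign-off.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account grants no access; not a finding here
        emp_id = acct["employee_id"]
        if emp_id is None:
            findings.append((acct["account"], "unlinked_account: no HR owner recorded"))
            continue
        person = hr.get(emp_id)
        if person is None:
            findings.append((acct["account"], f"orphan_account: employee {emp_id} not in HR feed"))
            continue
        if person["status"] != "terminated":
            continue
        term = person["term_date"]
        # Use of the account after termination is the control failure auditors weigh most.
        if acct["last_login"] is not None and acct["last_login"] > term:
            findings.append((acct["account"],
                             f"post_termination_login: last login {acct['last_login']} after termination {term}"))
        # Still enabled beyond the SLA window: deprovisioning did not happen in time.
        if as_of > term + timedelta(days=sla_days):
            findings.append((acct["account"],
                             f"deprovisioning_overdue: still enabled {(as_of - term).days} days after termination"))
    return findings


def run_sample_review(as_of=date(2024, 6, 30)):
    """Run the reconciliation over the constructed data for a given review date."""
    return reconcile_accounts(HR_FEED, APP_ACCOUNTS, as_of)


if __name__ == "__main__":
    for account, issue in run_sample_review():
        print(f"{account:10} {issue}")
```

Carol (terminated two days before the review date) produces no finding because the account is still inside the SLA window; move the review date one day later and she appears. The point of the `last_login` check is that an account left enabled but unused is a deficiency, while one that was used after termination is a potential material weakness and needs investigation, not just cleanup.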

Segregation of Duties

  • Separate incompatible duties (e.g., authorization vs. custody)
  • Implement compensating controls where segregation is not possible
  • Monitor for SoD violations
  • Document and approve any SoD exceptions
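The four SoD bullets map onto two pieces of logic: a detective scan of current assignments against a conflict matrix, honouring documented exceptions that carry a compensating control and an expiry, and a preventive check at provisioning time that refuses a role which would introduce a conflict. The block below is an added example, not code from the original page; the role model, the conflict pairs, the users and the exceptions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Constructed role model: which business duties each application role grants.
ROLE_DUTIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "SYSADMIN": {"admin_config"},
}

# Constructed conflict matrix: unordered pairs of incompatible duties
# (initiate vs. approve, approve vs. custody of funds, admin vs. approve).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"admin_config", "approve_payment"}),
}


@dataclass(frozen=True)
class SodException:
    user: str
    duties: frozenset          # the conflicting pair this exception covers
    compensating_control: str  # the documented, approved mitigation
    expires: date              # exceptions are time-boxed; expired ones are violations again


def duties_for(roles):
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_sod_violations(assignments, as_of, exceptions=()):
    """Detective control: (user, duty_a, duty_b, reason) for each unmitigated conflict."""
    approved = {(e.user, e.duties) for e in exceptions if e.expires >= as_of}
    expired = {(e.user, e.duties): e.expires for e in exceptions if e.expires < as_of}
    violations = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(duties_for(roles)), 2):
            pair = frozenset({a, b})
            if pair not in SOD_CONFLICTS or (user, pair) in approved:
                continue
            reason = "no approved exception"
            if (user, pair) in expired:
                reason = f"exception expired {expired[(user, pair)].isoformat()}"
            violations.append((user, a, b, reason))
    return violations


def grant_would_conflict(current_roles, new_role):
    """Preventive control at provisioning time: conflicts that granting new_role would add."""
    have = duties_for(current_roles)
    combined = have | ROLE_DUTIES.get(new_role, set())
    return sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= combined and not p <= have)


# Constructed assignments and exceptions used by the sample run.
SAMPLE_ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_APPROVER"},       # enters invoices and approves payments
    "bob": {"GL_ACCOUNTANT", "GL_REVIEWER"},    # covered by a current exception
    "carol": {"AP_APPROVER", "TREASURY"},       # exception has lapsed
    "dave": {"SYSADMIN"},                       # admin alone is not a conflict
}
SAMPLE_EXCEPTIONS = [
    SodException("bob", frozenset({"post_journal", "approve_journal"}),
                 "controller reviews the monthly journal log", date(2024, 12, 31)),
    SodException("carol", frozenset({"approve_payment", "release_payment"}),
                 "bank call-back on every release", date(2024, 3, 31)),
]


def run_sample_sod_check(as_of=date(2024, 6, 30)):
    return find_sod_violations(SAMPLE_ASSIGNMENTS, as_of, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for v in run_sample_sod_check():
        print(v)
    print(grant_would_conflict({"AP_CLERK"}, "AP_APPROVER"))
```

Keying exceptions on the exact duty pair rather than on the user keeps an exception granted for one conflict from silently covering a different one acquired later, and the expiry forces the re-approval that the last bullet above asks for.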

Change Management

  • Control access to make changes to financial systems
  • Separate development, test, and production environments
  • Require appropriate approvals for changes
  • Maintain audit trail of all changes

Audit and Monitoring

  • Log access to financial data and systems
  • Monitor privileged user activities
  • Retain logs for required periods
  • Regular review of access logs
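The change-management and audit bullets above come together in one detective control: every privileged action recorded on a production financial system must tie back to an approved change and fall inside that change's window. The block below is an added example, not code from the original page. The log line format, the host and user names, the ticket ids and the change windows are all constructed; a real deployment would read the application's own audit log and the change system's export, but the correlation logic is the same.

```python
import re
from datetime import datetime

# Constructed audit log lines in a simple key=value format (not a real product's format).
LOG_LINES = """\
2024-06-10T02:14:05Z host=erp-prod-db user=dba_jane action=ALTER_TABLE object=GL_JOURNAL change=CHG-1042
2024-06-10T03:02:44Z host=erp-prod-app user=svc_deploy action=DEPLOY object=ap-service-2.3.1 change=CHG-1042
2024-06-11T14:30:12Z host=erp-prod-db user=dba_mike action=UPDATE_DATA object=AP_INVOICE change=-
2024-06-11T15:01:00Z host=erp-test-db user=dev_sam action=UPDATE_DATA object=AP_INVOICE change=-
2024-06-12T09:00:00Z host=erp-prod-app user=admin_root action=GRANT_ROLE object=AP_APPROVER change=CHG-1050
2024-06-12 corrupted entry
""".splitlines()

# Constructed export of approved changes: ticket -> approver and implementation window.
APPROVED_CHANGES = {
    "CHG-1042": {"approver": "it_manager",
                 "start": datetime(2024, 6, 10, 1, 0), "end": datetime(2024, 6, 10, 4, 0)},
    "CHG-1050": {"approver": "it_manager",
                 "start": datetime(2024, 6, 13, 0, 0), "end": datetime(2024, 6, 13, 6, 0)},
}

# Actions that change code, schema, data or entitlements on a financial system.
PRIVILEGED_ACTIONS = {"ALTER_TABLE", "DEPLOY", "UPDATE_DATA", "GRANT_ROLE"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>\S+) change=(?P<change>\S+)$"
)


def review_privileged_activity(lines, approved, prod_prefix="erp-prod"):
    """Return (user, action, reason) for privileged production activity that is
    not covered by an approved change, plus any log line the parser cannot read
    (an unreadable audit trail is itself an audit finding)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            findings.append(("?", "?", f"unparsed line: {line}"))
            continue
        ev = m.groupdict()
        if not ev["host"].startswith(prod_prefix):
            continue  # dev/test systems are out of scope for this check
        if ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        chg = approved.get(ev["change"])
        if chg is None:
            findings.append((ev["user"], ev["action"], "no approved change ticket"))
        elif not (chg["start"] <= ts <= chg["end"]):
            findings.append((ev["user"], ev["action"],
                             f"outside approved window of {ev['change']}"))
    return findings


def run_sample_activity_review():
    return review_privileged_activity(LOG_LINES, APPROVED_CHANGES)


if __name__ == "__main__":
    for f in run_sample_activity_review():
        print(f)
```

The same data update that is flagged on `erp-prod-db` is ignored on `erp-test-db`, which is the practical consequence of the "separate development, test, and production environments" bullet: the control only has to be strict where the financial statements are produced. The role grant is flagged even though it cites a valid ticket, because it happened a day before the approved window.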

Compliance Checklist

1. Identify in-scope financial systems and applications
2. Document IT general controls (ITGCs)
3. Implement access provisioning and deprovisioning procedures
4. Establish periodic access review process
5. Implement segregation of duties controls
6. Deploy privileged access management
7. Maintain comprehensive audit trails
8. Establish change management procedures
9. Document policies and procedures
10. Conduct regular control testing
11. Remediate identified deficiencies
12. Maintain evidence for external auditors

Penalties for Non-Compliance

Criminal penalties for executives (Section 906): up to a $5 million fine and 20 years imprisonment for willfully certifying a financial report known to be false. Companies also face SEC civil penalties and potential delisting from stock exchanges.

Quick Facts

Region
United States
Effective Date
July 30, 2002
Enforcing Body
U.S. Securities and Exchange Commission (SEC)
