SOX 404 and IT General Computing Controls Services

What is SOX 404 and IT General Computing Controls (ITGC)?

The Sarbanes-Oxley Act of 2002 (SOX) is a federal regulation establishes how publicly traded U.S. companies communicate, store, and protect financial information. Section 302 of the law requires companies to develop “internal controls or framework” to ensure the accuracy of their financial reporting, while Section 404 requires companies to assess and document the effectiveness of those internal controls. The relationship between IT processes and the “internal controls” described in Section 404 is not very clearly defined. Industry accepted and established standards like COBIT, COSO, and ISO 27001:2013 are utilized by enterprises to modeling IT processes and respective controls.

CyberGen team of SOX 404 and ITGC experts utilize frameworks like COBIT 5, COSO, and ISO/IEC 27001:2013, to model respective IT processes and controls for your business by using these standards as a framework for IT General Controls (ITGC) and as a guide for performing IT security assessments for organizations regulated by SOX.

CyberGen Consultants know how to meet the rigorous demands of the regulatory environment and communicate with auditors and audit committees within a risk-based framework. Our team’s objectivity and assessment quality can reveal internal control over financial reporting improvement opportunities and allow external auditors to rely on third-party work. And, we can flexibly scale to your specific needs and level of support.

What is SOX Auditing of Internal IT Controls?

The evaluation of internal controls is one of the largest components of a SOX compliance audit. Internal controls include any IT Infrastructure (servers, network hardware and other electronic infrastructure from where any financial data passes through. From the IT side of things, CyberGen recommends focusing on four basic areas:

Access Management

Access Management refers to both the physical, electronic and logical controls that prevent unauthorized users from assessing sensitive information. This includes keeping servers and data centers in secure locations, but also making sure only authorized personnel can assess respective resources and information; effective password controls are in place. Implementing the principle of least privileges is considered one of the effective methods of organization-wide access control.


IT Security is a wide-ranging topic. In this case, it means making sure appropriate controls are existing to prevent breaches and having tools to remediate incidents as they occur. Taking steps to manage risk is a good policy regardless of SOX compliance status. Investing smartly in services or appliances that will monitor and protect your financial database is the best way to avoid compliance and security issues altogether.

Change Management

The objective of Change Management in this context is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure, in order to minimize the number and impact of any related incidents upon. Having a record of what was changed, in addition to when it was changed and who changed it, simplifies a SOX IT audit and makes it easier to correct problems when they arise.

Backup Management

Backup systems should be in place to protect your financial or sensitive data. Data centers containing backed-up data plus those stored off sites or by a third party are subject to the same SOX compliance requirements as those hosted on-premises.

Your SOX Compliance Checklist

Every business and every audit are different, which is why the idea of a general SOX compliance checklist that can be referred by everyone isn’t a particularly useful one. There are, however, a few general questions every business should consider. Before an audit, evaluate yourself:

Are we working with an accepted framework, is it COBIT, COSO, or a mix of both?

Have policies and procedures outlining how to create, change and maintain accounting systems been established, including computer systems and programs handling financial data?

Do we have security measures to prevent data tampering in place? Have we tested the identified measures and found them effective?

Is access to financial and sensitive information being monitored and logged?

What were the previous data breaches and failures of security safeguards? Have we disclosed the past breaches or failures to auditors?

Have we received, recent SSAE18 SOC I and II reports from all applicable service organizations and vendors?

How CyberGen can assist you with your SOX and IT General Controls (ITGC) needs?

CyberGen provide a broad range of IT audit assistance along with consulting services around the technology risk and control aspects of Sarbanes-Oxley compliance. Our GRC consultants have broad expertise to assist in all aspects of IT audit services, performing risk assessments, the annual planning and scoping process to the execution of all types of technology related audit items. We provide expertise in documenting critical business processes, identifying risks and mitigating controls, analyzing performance gaps, and recommending and implementing action plans to improve controls. Our Certified Information Systems and Internal IT Auditors add value by helping our customers comply with the information technology risk and control-related requirements of Sarbanes-Oxley, primarily Section 404. In each of these areas CyberGen help their customers understand and evaluate technology-related risks related to:

  • Technology audit planning and risk assessments
  • Application control reviews and assessments
  • ITGC Controls Testing Automation
  • Cybersecurity assessments and audits
  • Technology process controls reviews and audits

CyberGen’s expertise in GRC space help businesses