The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. federal law that mandates specific practices in financial record keeping and reporting for corporations. While SOX doesn't prescribe specific IT controls, Section 404 requires management to assess the effectiveness of internal controls over financial reporting (ICFR), which heavily involves IT systems.
Applies to: Publicly traded companies in the U.S. and their subsidiaries, accounting firms that audit public companies.
Key sections relevant to IT:
- Section 302: Corporate Responsibility for Financial Reports - CEOs and CFOs must certify the accuracy of financial statements
- Section 404: Management Assessment of Internal Controls - Requires documentation and testing of internal controls over financial reporting
SOX compliance relies on IT General Controls that provide a foundation for application controls used in financial reporting systems. ITGCs are typically organized into five categories:
- User authentication and authorization: Multi-factor authentication for systems processing financial data
- Privileged access management: Separation of duties for database administrators, system administrators
- Access reviews: Periodic review of user access rights (quarterly or semi-annual)
- Termination procedures: Immediate revocation of access when employees leave
- Change request and approval: Documented approval process for production changes
- Testing requirements: Evidence of testing in non-production environments
- Deployment controls: Separation between development, testing, and production environments
- Emergency change procedures: Documented process for urgent fixes with post-implementation review
- Backup and recovery: Regular backups of financial systems with tested restore procedures
- Job scheduling and monitoring: Automated batch processing with error detection
- Incident management: Tracking and resolution of production issues
- Capacity planning: Ensuring systems can handle transaction volumes
- SDLC governance: Formal development lifecycle with stage gates
- Code review: Peer review or automated analysis of code changes
- Version control: Source code management with audit trail
- Release management: Controlled promotion of code to production
- Data integrity: Controls to ensure accuracy and completeness of financial data
- Data retention: Maintaining records per retention policies (typically 7 years for financial records)
- Data encryption: Protection of sensitive financial data in transit and at rest
- Data classification: Identifying and labeling financial data
| CALM Control | SOX ITGC Category | Mapping Guidance |
|---|---|---|
access-control |
Access Controls | Maps to user authentication requirements. Look for MFA, RBAC, least privilege principles. |
audit-logging |
All categories | Critical for SOX - all financial system activities must be logged. Check for tamper-proof logs, retention policies. |
data-encryption |
Data Management | Required for protecting financial data. Verify encryption at rest (AES-256) and in transit (TLS 1.2+). |
data-retention |
Data Management | Must align with 7-year retention requirement for financial records per SEC Rule 17a-4. |
backup-recovery |
Operations | Required for business continuity. Verify backup frequency, retention, and tested restore procedures. |
session-management |
Access Controls | Prevents unauthorized access to financial systems. Check for session timeout, secure cookies. |
| CALM Protocol | SOX Requirement | Assessment |
|---|---|---|
HTTPS / TLS / mTLS |
Data encryption in transit | COMPLIANT - Secure communication protocol |
HTTP |
Data encryption in transit | NON-COMPLIANT - Financial data must be encrypted |
JDBC |
Database access controls | PARTIAL - Verify connection uses TLS/SSL and authentication |
WebSocket |
Secure communication | PARTIAL - Check if WebSocket Secure (wss://) is used |
deployed-inrelationships: Financial services must be deployed in controlled, segregated networks- Network segmentation: Separate financial systems from general corporate networks (defense-in-depth)
- Change control: All deployments to production must follow change management procedures
-
Missing audit logging on financial transactions
- Issue: Database or service nodes processing financial data lack
audit-loggingcontrol - Impact: Cannot prove accuracy of financial reporting, fails Section 404
- Remediation: Add comprehensive audit logging with immutable log storage (WORM compliance)
- Issue: Database or service nodes processing financial data lack
-
Unencrypted database connections
- Issue:
JDBCorTCPprotocols used without TLS/SSL for database containing financial data - Impact: Financial data exposed in transit, fails data protection requirements
- Remediation: Enable TLS/SSL on database connections, use encrypted protocols
- Issue:
-
No separation of duties in deployment
- Issue: Same individuals can develop, test, and deploy to production
- Impact: Risk of unauthorized or untested changes to financial systems
- Remediation: Implement RBAC with separate roles for dev/test/prod access
-
Inadequate access controls on financial databases
- Issue: Database nodes lack
access-controldefinitions or use shared credentials - Impact: Cannot trace who accessed/modified financial data
- Remediation: Implement individual user accounts, MFA, periodic access reviews
- Issue: Database nodes lack
-
Insufficient data retention controls
- Issue:
data-retentioncontrol exists but doesn't specify 7-year retention for financial records - Impact: May not meet SEC Rule 17a-4 requirements
- Remediation: Document retention policy aligned with regulatory requirements
- Issue:
-
Backup procedures not documented
- Issue:
backup-recoverycontrol lacks specific RPO/RTO metrics - Impact: Cannot prove ability to recover financial data in disaster scenarios
- Remediation: Document backup schedules, test restore procedures quarterly
- Issue:
-
Generic session management
- Issue:
session-managementcontrol exists but doesn't specify timeout duration - Impact: Risk of session hijacking or unauthorized access
- Remediation: Implement 15-minute idle timeout for financial applications
- Issue:
-
Missing change management controls
- Issue: Service nodes lack documented change control procedures
- Impact: Cannot prove changes were tested and approved
- Remediation: Reference change management policy in service metadata
-
Insufficient network segmentation documentation
- Issue:
deployed-inrelationships don't clearly show isolation of financial systems - Impact: Harder to prove defense-in-depth security posture
- Remediation: Add
network-segmentationcontrols and document trust boundaries
- Issue:
- All financial data nodes have
audit-logging,data-encryption,access-control - All database relationships use encrypted protocols (
TLS,mTLS) data-retentionpolicies documented and aligned with 7-year requirementbackup-recoveryprocedures documented with tested restore evidence- Network segmentation clearly defined with
deployed-inrelationships - Change management controls documented in service metadata
- Audit logging exists but may be incomplete (e.g., doesn't cover all CRUD operations)
- Some but not all database connections are encrypted
- Data retention policies exist but duration unclear
- Backup procedures exist but not regularly tested
- Access controls exist but lack separation of duties or MFA requirements
- Missing audit logging on financial transaction systems
- Unencrypted data in transit or at rest
- No documented access control procedures
- No backup/recovery controls
- No evidence of change management
When analyzing a CALM architecture for SOX compliance:
- Identify financial data flows: Trace nodes and relationships that process, store, or transmit financial data
- Check ITGCs per category: Verify each of the 5 ITGC categories (Access, Change, Operations, Development, Data) has corresponding CALM controls
- Assess control adequacy: Review control descriptions and requirements to ensure they meet SOX standards
- Document gaps: List missing or insufficient controls with specific remediation steps
- Calculate risk scores: Weight critical findings (audit logging, encryption) higher than informational findings
CALM controls should reference evidence that auditors can verify:
- Audit logging: Log retention policy, SIEM configuration, sample log entries
- Access controls: User access review reports, MFA enrollment rates, privilege escalation logs
- Data encryption: Encryption key management procedures, TLS/SSL certificate chain
- Backup/recovery: Backup success reports, disaster recovery test results
- Change management: Change request tickets, deployment approval records
- SOX Section 302: 15 U.S.C. § 7241 (Corporate Responsibility for Financial Reports)
- SOX Section 404: 15 U.S.C. § 7262 (Management Assessment of Internal Controls)
- SEC Rule 17a-4: 17 CFR § 240.17a-4 (Records to be preserved by certain exchange members, brokers and dealers)
- PCAOB AS 2201: Auditing Standard for Internal Control Over Financial Reporting
- COSO Framework: Committee of Sponsoring Organizations Internal Control - Integrated Framework (commonly used for SOX 404 compliance)
- SOX doesn't mandate specific technologies - Focus on whether controls achieve the intent (e.g., audit trail, segregation of duties)
- Not all systems are in scope - Only systems that materially affect financial reporting (general ledger, billing, payroll, etc.)
- Control design vs. operating effectiveness - CALM architecture shows control design; operating effectiveness requires runtime evidence
- Compensating controls - If direct control is missing, look for compensating controls that achieve the same objective
- Materiality matters - Risk findings should consider business impact (e.g., payroll system vs. internal wiki)