This article provides an overview of how SOX 404 interacts with IT controls.

A typical SOX 404 cycle for IT would run over a full year, so that it ties in with the organisation’s financial reporting cycle. A typical calendar of events would be as follows:

  1. Months one and two would focus on confirming that the correct systems were in scope.
  2. Months three through six would be spent creating and initially verifying the process design maps for the relevant controls.
  3. Months nine through twelve would be spent collecting evidence that the controls were in place and operating effectively.
  4. Control defects would be collated, entered into a tracking system and remediated as they were discovered.

Which IT applications and systems fall within SOX 404 scope must be determined on an organisation-by-organisation basis, but scoping would typically be driven by the importance of a system (the volume and value of the transactions it processes) and by how directly it feeds the financial statements or published disclosures. An ERP General Ledger, together with its key interfaces and extracts, would almost certainly be in scope. Once a system is determined to be in scope, the following processes and controls are likely to be assessed:

  1. Manage Third Party Services.
  2. Performance and Capacity.
  3. Ensure Continuous Service.
  4. Ensure System Security.
  5. Manage Problems and Incidents.
  6. Manage Data.
  7. Manage IT Physical Space.
  8. Manage Operations.
  9. Manage Changes.
  10. Manage Programme Development.

For more information please contact Morland-Austin at