Sarbanes-Oxley Section 404 compliance is one of the most resource-intensive regulatory obligations for public companies. Management must assess and report on the effectiveness of internal controls over financial reporting (ICFR), and external auditors must attest to that assessment. Internal audit teams play a critical role in testing these controls throughout the year.

This checklist covers the 47 controls we see most frequently across SOX compliance programs, organized by category. For each control, we include the control objective, typical evidence required, and testing approach. Use this as a starting point and customize based on your organization's specific risk profile and control environment.

IT General Controls (ITGCs)

IT general controls underpin every automated and IT-dependent control in your environment. PCAOB AS 2201 directs the auditor to understand how IT affects the flow of transactions and to evaluate the IT general controls supporting any system that feeds a significant account or disclosure. Most organizations scope 4-8 in-scope applications; ITGCs are conventionally tested across four domains (access to programs and data, program changes, program development, and computer operations), which this checklist groups under access management, change management, and operations and monitoring.

Access Management (Controls 1-12)

  • 1. New user provisioning: Access requests require documented approval from the user's manager and system owner before account creation. Test by selecting a sample of new accounts created during the period and tracing to approved access request forms.
  • 2. User access modifications: Role changes and additional access require approval before implementation. Sample access modification tickets and verify approval documentation.
  • 3. User termination/deprovisioning: Access is removed within a defined timeframe (typically 24-48 hours) after employment termination. Compare HR termination dates to system access removal dates for a sample of terminated employees, and also check last-login timestamps: any authentication after the termination date is an exception even when deprovisioning met the SLA.
  • 4. Periodic access reviews: System owners review user access rights at least quarterly (or semi-annually for lower-risk systems). Obtain access review documentation showing reviewer, date, and disposition of each user reviewed.
  • 5. Privileged access management: Administrative and elevated access is restricted to authorized personnel with documented business justification. Obtain current privileged user listings and verify each user's business need.
  • 6. Password policy enforcement: Systems enforce minimum password complexity, length, and lockout thresholds, plus expiration where policy still requires it (NIST SP 800-63B recommends against forced periodic rotation unless compromise is suspected). Obtain configuration exports pulled directly from the system, or screenshots taken in the auditor's presence, rather than screenshots supplied by the system owner.
  • 7. Multi-factor authentication: MFA is required for remote access, privileged accounts, and access to sensitive financial systems. Verify MFA configuration for in-scope systems, including any exclusion groups or bypass policies, and review authentication logs for a sample of logins to confirm the second factor was actually challenged; a policy that is configured but not enforced is not an operating control.
  • 8. Service account management: Service accounts have documented owners, restricted permissions, and undergo periodic review. Obtain service account inventory and verify ownership and review documentation.
  • 9. Segregation of duties: Conflicting access combinations (e.g., create vendor + approve payment) are prevented or detected through role design and monitoring. Obtain role matrix and test for SoD conflicts in user access assignments.
  • 10. Generic/shared account restrictions: Generic and shared accounts are prohibited or have documented business justification with enhanced monitoring. Review account listings for generic naming patterns and verify controls.
  • 11. Database access controls: Direct database access is restricted to DBAs with all access logged and reviewed. Obtain DBA access lists and review database access logs for anomalies.
  • 12. Remote access controls: VPN and remote desktop access require authentication, authorization, and session logging. Verify remote access configuration and review connection logs.
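Two of the access-management tests above (control 3, termination lag, and control 9, segregation of duties) are well suited to automated testing over the full population instead of a sample. The script below is an added example written for this page, not tooling from any vendor or audit firm; the HR extract, IAM extract, role matrix, SoD rules and the 48-hour SLA are constructed sample data and assumed policy values. It flags terminated users whose access outlived the SLA or was used after termination, expands each user's roles to effective entitlements before checking SoD pairs, and also checks the role matrix itself for roles that bundle a conflict.

```python
"""Added example: automated tests for ITGC controls 3 and 9 (constructed data)."""
from datetime import datetime

# Constructed HR termination extract: employee id -> termination timestamp (ISO 8601)
HR_TERMINATIONS = {
    "e1001": "2024-03-04T17:00:00",
    "e1002": "2024-03-11T12:30:00",
    "e1003": "2024-03-15T09:00:00",
}

# Constructed IAM extract: employee id -> disable timestamp (None = still enabled) and last login
IAM_ACCOUNTS = {
    "e1001": {"disabled_at": "2024-03-05T08:15:00", "last_login": "2024-03-04T16:40:00"},
    "e1002": {"disabled_at": "2024-03-18T10:00:00", "last_login": "2024-03-13T07:55:00"},
    "e1003": {"disabled_at": None, "last_login": "2024-03-20T11:02:00"},
}

DEPROVISION_SLA_HOURS = 48  # assumed policy threshold for control 3


def _ts(s):
    return datetime.fromisoformat(s)


def check_termination_lag(hr, iam, sla_hours=DEPROVISION_SLA_HOURS):
    """Control 3: one finding per terminated user whose access outlived the SLA,
    is still enabled, or was used after the HR termination date."""
    findings = []
    for emp, term_str in hr.items():
        term = _ts(term_str)
        acct = iam.get(emp)
        if acct is None:
            continue  # no account in this system, nothing to deprovision
        if acct["disabled_at"] is None:
            findings.append({"employee": emp, "issue": "still enabled", "lag_hours": None})
        else:
            lag = (_ts(acct["disabled_at"]) - term).total_seconds() / 3600
            if lag > sla_hours:
                findings.append({"employee": emp, "issue": "late deprovisioning",
                                 "lag_hours": round(lag, 1)})
        # Any login after termination is an exception regardless of the lag
        if acct["last_login"] and _ts(acct["last_login"]) > term:
            findings.append({"employee": emp, "issue": "login after termination", "lag_hours": None})
    return findings


# Constructed role-to-entitlement matrix (control 9); AP_SUPER is a badly designed role
ROLE_MATRIX = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.approve"},
    "PROCUREMENT": {"po.create"},
    "GL_ACCOUNTANT": {"journal.post"},
    "SYS_ADMIN": {"user.admin"},
    "AP_SUPER": {"vendor.create", "payment.approve"},
}

# Conflicting entitlement pairs: holding both lets one person complete a fraud end to end
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}): "create vendor + approve payment",
    frozenset({"invoice.enter", "invoice.approve"}): "enter invoice + approve invoice",
    frozenset({"po.create", "invoice.approve"}): "create PO + approve invoice",
    frozenset({"user.admin", "journal.post"}): "administer users + post journals",
}

# Constructed user-to-role assignments from the application's security export
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["PROCUREMENT", "AP_MANAGER"],
    "dave": ["SYS_ADMIN"],
}


def effective_entitlements(roles, matrix):
    """Union of entitlements across all of a user's roles (unknown roles contribute nothing)."""
    ents = set()
    for r in roles:
        ents |= matrix.get(r, set())
    return ents


def check_sod_conflicts(user_roles, matrix, rules):
    """Control 9, assignment test: (user, rule) for every conflict in effective access.
    Checking entitlements rather than role names catches conflicts that only arise
    from combining individually clean roles."""
    conflicts = []
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles, matrix)
        for pair, desc in rules.items():
            if pair <= ents:
                conflicts.append((user, desc))
    return conflicts


def check_role_design(matrix, rules):
    """Control 9, design test: roles that bundle a conflict even before assignment."""
    return [(role, desc) for role, ents in matrix.items()
            for pair, desc in rules.items() if pair <= ents]


if __name__ == "__main__":
    for f in check_termination_lag(HR_TERMINATIONS, IAM_ACCOUNTS):
        print("control 3 exception:", f)
    for c in check_sod_conflicts(USER_ROLES, ROLE_MATRIX, SOD_RULES):
        print("control 9 assignment conflict:", c)
    for c in check_role_design(ROLE_MATRIX, SOD_RULES):
        print("control 9 role-design conflict:", c)
```

Running the whole population this way turns a sample-based test into a continuous one, but the evidence still has to show where the HR and IAM extracts came from and that they were complete; an exception-free script run over an incomplete extract proves nothing.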

Change Management (Controls 13-22)

  • 13. Change request and approval: All changes to in-scope applications require documented approval before implementation. Sample change tickets and verify approval by authorized change manager before deployment.
  • 14. Testing and QA: Changes undergo testing in a non-production environment before deployment. Verify test plans and results documentation for sampled changes.
  • 15. Separation of development and production: Developers cannot migrate code directly to production environments. Review access rights to deployment tools and verify SoD between development and production promotion. Where a CI/CD pipeline performs the deployment, test the pipeline instead: confirm developers cannot change the pipeline definition, its approval gates, or its deploy credentials without going through the same change process, otherwise the pipeline simply launders direct production access.
  • 16. Emergency change procedures: Emergency changes follow an expedited but documented process with post-implementation review. Sample emergency changes and verify retroactive documentation and approval.
  • 17. Change rollback procedures: Rollback plans exist for all significant changes. Verify rollback documentation for sampled changes.
  • 18. Configuration management: System configurations are documented, version-controlled, and changes follow the standard change process. Review configuration management database and verify change history.
  • 19. Patch management: Security patches are evaluated, tested, and applied within defined timeframes based on severity. Review patch management reports and verify timely application of critical patches.
  • 20. Release management: Production releases follow a defined schedule with documented release notes and approval. Sample production deployments and verify release documentation.
  • 21. Code review: Application code changes undergo peer review before deployment. Verify code review documentation for sampled changes.
  • 22. Change audit trail: All changes are logged with timestamp, user, description, and approval references. Review change management system logs for completeness.

Operations & Monitoring (Controls 23-32)

  • 23. Backup execution: Automated backups run on schedule for all in-scope systems and databases. Review backup job logs and verify successful completion for the testing period.
  • 24. Backup restoration testing: Restore tests are performed at least annually (quarterly for critical systems) and results are documented. Obtain restore test documentation showing date, system, and successful recovery verification.
  • 25. Job scheduling and monitoring: Batch jobs and scheduled processes are monitored for successful completion with alerting on failures. Review job monitoring logs and verify response to failed job alerts.
  • 26. Incident management: Security and system incidents are logged, triaged, resolved, and reviewed. Sample incident tickets and verify timely resolution and root cause analysis.
  • 27. Disaster recovery planning: DR plans exist for all in-scope systems with defined RTOs and RPOs. Verify DR plan currency and review results of most recent DR test.
  • 28. System availability monitoring: Uptime monitoring and alerting is active for all in-scope applications. Review availability reports and verify SLA achievement.
  • 29. Log management and review: Security and application logs are centralized, retained per policy, and reviewed regularly. Verify log retention settings and review evidence of periodic log analysis.
  • 30. Capacity planning: System capacity is monitored and managed to prevent performance degradation. Review capacity reports and threshold alerting configuration.
  • 31. Anti-malware protection: Endpoint protection software is deployed, updated, and monitored across all in-scope systems. Verify deployment coverage and review malware detection reports.
  • 32. Network security: Firewalls, IDS/IPS, and network segmentation protect in-scope systems. Review firewall rule sets and network architecture documentation.

Application Controls (Controls 33-40)

Financial Application Controls

  • 33. Automated calculations: System-calculated amounts (tax, depreciation, interest, allocations) produce accurate results. Verify calculation logic through recalculation and comparison to expected results.
  • 34. Input validation: Applications validate data entry for required fields, data types, reasonable ranges, and referential integrity. Test input validation by attempting to enter invalid data and verifying rejection.
  • 35. Interface controls: Data transfers between systems include completeness and accuracy checks (record counts, hash totals, reconciliation). Review interface logs and reconciliation reports for sampled transfers.
  • 36. Report generation accuracy: Financial reports produced by applications accurately reflect underlying data. Reconcile report outputs to source data for sampled reports.
  • 37. Automated workflow approvals: System-enforced approval workflows prevent unauthorized transactions from processing. Test workflow controls by verifying that transactions cannot bypass required approval steps.
  • 38. Three-way matching: Purchase orders, receiving documents, and invoices are automatically matched within defined tolerances before payment processing. Test matching logic with sample transactions including over-tolerance items.
  • 39. Duplicate detection: Applications prevent or detect duplicate entries (invoices, payments, journal entries). Test duplicate detection controls with sample duplicate submissions.
  • 40. Period-end cutoff controls: Applications enforce proper period assignment for transactions around month-end and year-end. Review transactions near period boundaries and verify correct period assignment.
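Controls 35 and 39 above are usually tested by re-performing the check rather than reading a report. The script below is an added example written for this page, not code from any ERP or audit tool; the AP invoice batch is constructed sample data. It rebuilds the sending side's batch control record (record count, hash total as the arithmetic sum of amounts, and a SHA-256 of the file bytes), reconciles a received file against it, and then runs duplicate detection on the rows. The batch deliberately reconciles perfectly while still containing an exact duplicate and a near-duplicate (INV-77 versus INV-0077), which is the point: completeness checks do not catch duplicates that were already present at the source.

```python
"""Added example: interface reconciliation (control 35) and duplicate detection (control 39)."""
import csv
import hashlib
import io
import re
from decimal import Decimal

# Constructed AP invoice batch as emitted by the upstream procurement system
SENT_FILE = (
    "vendor_id,invoice_no,amount,invoice_date\n"
    "V100,INV-2001,1200.00,2024-03-28\n"
    "V100,INV-2001,1200.00,2024-03-28\n"
    "V205,INV-77,425.50,2024-03-29\n"
    "V310,A-9,3000.00,2024-03-30\n"
    "V205,INV-0077,425.50,2024-03-29\n"
)


def parse_batch(text):
    """Parse the CSV body into rows, with Decimal amounts (never float for money)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
    return rows


def build_control_record(text):
    """The batch control record the sender should transmit with the file:
    record count, hash total (sum of amounts, the classic batch-control total,
    not a cryptographic hash) and a SHA-256 digest of the file bytes."""
    rows = parse_batch(text)
    return {
        "record_count": len(rows),
        "hash_total": sum((r["amount"] for r in rows), Decimal("0")),
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }


def reconcile_interface(received_text, control):
    """Control 35 test: recompute the control values on the received file and
    compare. Returns exception strings; an empty list means the transfer reconciles."""
    actual = build_control_record(received_text)
    exceptions = []
    for field in ("record_count", "hash_total", "sha256"):
        if actual[field] != control[field]:
            exceptions.append(f"{field}: sent {control[field]} received {actual[field]}")
    return exceptions


def normalize_invoice_no(s):
    """Canonical form for duplicate matching: uppercase, strip punctuation and spaces,
    and drop leading zeros inside digit runs so INV-77 and inv 0077 collide."""
    s = re.sub(r"[^A-Za-z0-9]", "", s).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_duplicate_invoices(rows):
    """Control 39 test: group rows on (vendor, normalized invoice number, amount).
    Returns {key: [row indices]} for every key that appears more than once."""
    seen = {}
    for i, r in enumerate(rows):
        key = (r["vendor_id"], normalize_invoice_no(r["invoice_no"]), r["amount"])
        seen.setdefault(key, []).append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    control = build_control_record(SENT_FILE)
    print("complete transfer:", reconcile_interface(SENT_FILE, control) or "reconciles")
    # Simulate a transfer that lost its last record
    truncated = "".join(SENT_FILE.splitlines(keepends=True)[:-1])
    print("truncated transfer:", reconcile_interface(truncated, control))
    for key, idx in find_duplicate_invoices(parse_batch(SENT_FILE)).items():
        print("possible duplicate:", key, "rows", idx)
```

When testing a real interface, take the control record from the sender's own trailer or log rather than recomputing it from the received file, otherwise the check only proves the file agrees with itself. Duplicate matching on a normalized key produces candidates, not conclusions; the near-duplicate pair still needs a reviewer to confirm it is one invoice entered twice rather than two legitimate invoices.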

Entity-Level Controls (Controls 41-47)

Governance and Oversight

  • 41. Tone at the top: Management communicates the importance of internal controls and ethical behavior. Review code of conduct acknowledgments, management communications, and training completion rates.
  • 42. Audit committee oversight: The audit committee reviews internal control matters, meets regularly, and receives adequate reporting. Review audit committee meeting minutes, agendas, and reporting packages.
  • 43. Risk assessment process: Management performs periodic risk assessments that consider financial reporting risks. Obtain risk assessment documentation and verify that identified risks are addressed by controls.
  • 44. Fraud risk assessment: Management specifically assesses fraud risks including management override, revenue recognition, and asset misappropriation. Review fraud risk assessment documentation and anti-fraud programs.
  • 45. Whistleblower mechanism: A confidential reporting channel exists for employees to report concerns about financial reporting or ethics. Verify hotline availability, test submission process, and review investigation procedures.
  • 46. Financial close process: Month-end and year-end close procedures are documented, include checklists, and are completed within defined timelines. Review close checklists, verify completion dates, and test a sample of close activities.
  • 47. Account reconciliation: Key accounts are reconciled on a defined schedule with documented preparer and reviewer sign-off. Sample account reconciliations and verify timeliness, accuracy, and review evidence.

Using This Checklist Effectively

This checklist is a starting point, not an exhaustive list. Your specific control population will vary based on your organization's size, industry, IT environment complexity, and risk assessment. Key considerations when adapting this checklist:

Automate Your SOX Testing with AuditBolt

AuditBolt includes pre-built SOX templates with all 47 controls, test procedures, and evidence requirements ready to go.
