Executive Summary

SOX refers to the Sarbanes-Oxley Act and the internal control expectations that come with being a public company. For finance teams, the hardest part is often not the accounting rules. It is proving that the systems feeding financial reporting are controlled, that access is appropriate, and that changes are tested before they reach production.

This guide explains SOX IT General Controls (ITGC) in plain terms for Financial Technology organizations. It focuses on how to scope your SOX systems, how to design controls that auditors can test, and how to run an evidence routine that does not derail engineering work each quarter.

---

Why SOX creates security work for finance teams

SOX requirements are about the integrity of financial reporting. When your revenue, billing, and cash processes depend on software systems, those systems become part of the control environment. Auditors want assurance that the data is complete and accurate, and that people cannot change it without authorization or oversight.

SOX ITGC is the set of control categories that support reliable systems. It covers who can access systems, how changes are introduced, and whether day-to-day operations are controlled. In a modern FinTech stack, ITGC often spans cloud infrastructure, identity platforms, CI/CD pipelines, and third-party services.

Common triggers for SOX readiness work

• IPO preparation: SOX readiness becomes a gating item for public filings and investor confidence.
• Rapid growth: Headcount growth and system sprawl create control gaps that auditors will flag.
• Multiple revenue streams: New products and pricing models introduce complexity in billing and revenue recognition.
• Heavy reliance on SaaS: Third-party systems become part of financial reporting, which means SOC reports and vendor controls matter.

Scope SOX the right way

A strong SOX program starts with a clear scope. The scope is not every system in your company. It is the set of applications, infrastructure, and interfaces that support financial reporting. Scoping discussions are easier when you anchor to the financial statements and work backward.

Systems that often fall into SOX scope for FinTech

• General ledger and ERP: Your source of record for financial statements.
• Billing and subscription systems: Revenue and receivables often originate here.
• Payment platforms: Authorization, settlement, chargebacks, and fees can impact revenue and cash.
• Data warehouses and reporting: If management reporting feeds journal entries, it becomes relevant.
• Identity and access management: Access control is often a key control for all in-scope systems.
• Infrastructure and hosting: Cloud platforms, databases, and backups that support financial applications.

Interfaces and data pipelines

Most SOX issues show up at the seams. Data moves between systems through APIs, ETL jobs, and file transfers. Each interface is a risk that data can be dropped, duplicated, or changed. Identify the interfaces that feed financial reporting and decide where controls will live, such as reconciliation, logging, and change approvals.

SOX IT General Controls explained

ITGC is commonly grouped into three categories. The categories are broad, but the control design should be specific to how your team actually works.

ITGC category	What auditors look for	Examples of evidence
Access to programs and data	Only authorized users can access systems, and privileged access is controlled	User access listings, joiner-mover-leaver tickets, MFA configuration, access review sign-off
Change management	Changes are approved, tested, and deployed in a controlled way	Change tickets, pull request approvals, CI/CD logs, testing evidence, release notes
Computer operations	Systems run reliably and issues are handled through defined processes	Incident tickets, monitoring alerts, backup logs, job schedules, restore tests

Access controls and segregation of duties

Access controls are a core SOX theme because they protect financial data from unauthorized change. In FinTech, the hard part is often privileged access. You need to know who can change production data, who can change configuration, and who can approve those changes.

• Joiner, mover, leaver process: Provision and remove access through tracked requests and approvals.
• Privileged access management: Use separate admin accounts, strong authentication, and time-bound elevation where possible.
• Periodic access reviews: Review access to in-scope systems on a defined cadence and document outcomes.
• Segregation of duties: Avoid giving one person the ability to both make and approve a material change without oversight.

Change management in CI/CD environments

SOX does not require a specific tool, but it does require a controlled process. For teams using CI/CD, the control objective is that code changes are reviewed, tested, and traceable. The evidence usually lives in your ticketing and source control systems.

• Change approval: Link changes to tickets or approved work items.
• Testing evidence: Document what testing is required for financial systems and where results are captured.
• Separation between dev and prod: Limit who can deploy to production and require review for emergency changes.
• Configuration management: Treat infrastructure and security configuration as code that is reviewed like application code.

Operations, backups, and incident management

Operations controls prove that systems are stable and recoverable. Backups, monitoring, and incident response are not just resilience topics. They are also control evidence that systems do not silently fail or drift in ways that impact reporting.

• Monitoring and alerting: Define what is monitored for in-scope systems and how alerts are handled.
• Backup and restore testing: Prove that backups exist and that restores are tested on a schedule.
• Incident response: Track incidents, document root cause, and show that corrective actions are completed.
• Job scheduling and batch controls: For batch jobs and reconciliations, show that runs are monitored and failures are addressed.

Evidence that makes SOX testing easier

SOX testing becomes painful when teams have to reconstruct what happened months later. The goal is to build a small set of repeatable evidence artifacts that you can produce on demand.

A practical evidence set for most FinTech teams

• Access review packets: Exported user lists, review notes, approvals, and remediation tickets for any access removals.
• Change samples: A set of changes with linked tickets, approvals, tests, and deployment records.
• Operations reports: Backup logs, restore test evidence, incident metrics, and uptime reporting for key systems.
• Vendor SOC reports: SOC 1 or SOC 2 reports for key service providers that support financial reporting.
• Policy and procedure documents: Short, accurate procedures that describe how you actually operate.

"SOX readiness is easier when you treat evidence as a product. If a control cannot produce evidence reliably, it is not a control." - Jacobian Engineering

Common pitfalls in SOX ITGC implementations

Most SOX findings are not caused by malicious behavior. They come from fast growth and informal processes that never matured.

• Untracked admin access: Shared admin accounts or undocumented break-glass access makes testing fail quickly.
• Emergency changes without follow-up: Emergency releases are allowed, but they must be documented, tested, and reviewed after the fact.
• Missing control ownership: Controls without an owner do not stay healthy. Assign a person and a backup for each key control.
• Interfaces without reconciliations: If data moves between systems with no reconciliation, auditors will treat the interface as a risk.
• Over-scoping: Including too many systems increases evidence volume and makes audits harder. Scope based on financial reporting impact.

SOX in cloud-first environments

Cloud platforms can support strong ITGC controls, but auditors still expect you to define responsibility boundaries. The cloud provider operates the underlying infrastructure, while you configure identity, logging, networking, and the applications that process financial data.

Cloud-first SOX programs work well when infrastructure changes are version controlled, access is centralized, and logging is consistent. Infrastructure as code also helps because it turns configuration into a reviewable change record.

Implementation methodology for SOX ITGC

Phase 1: SOX readiness assessment

Start with scoping and a gap assessment. Confirm which systems are in scope, identify the control owners, and document how work is currently done. The outcome is a prioritized remediation plan that focuses on the controls auditors will test first.

Phase 2: Control design and remediation

Design controls that fit your operating model. Implement access control routines, change management workflows, and operations procedures. Where tooling is missing, add automation for logging, approvals, and reporting so evidence is consistent.

Phase 3: Testing support and steady-state operation

Before the first formal audit cycle, run a mock test of your controls. Confirm you can produce evidence quickly. Then move into a steady-state cadence where access reviews, change sampling, and operational reporting happen on a schedule.

How Jacobian Engineering supports SOX programs

SOX work often spans finance, engineering, and IT. Jacobian Engineering supports teams that need both control design and technical implementation.

• SOX readiness and scoping: Workshops to identify in-scope systems, interfaces, and control owners.
• ITGC control design: Controls that match your tooling and team size, with clear evidence expectations.
• Cloud and DevOps implementation: Logging, access controls, infrastructure as code, and deployment controls built into your stack.
• Third-party risk support: SOC report reviews and vendor control questionnaires for service providers tied to financial reporting.
• Security testing: Penetration testing and configuration reviews that support control objectives.

Business benefits

SOX can feel like overhead, but the control discipline is valuable when it is implemented well.

• Predictable audits: Strong evidence routines reduce audit disruption and last-minute requests.
• Faster close: Controlled systems and reconciliations reduce surprises during month-end and quarter-end.
• Reduced operational risk: Access control and change discipline reduce outages and data integrity issues.
• Better governance: Clear ownership and reporting improves decision making across finance and engineering.

FAQs

When should a FinTech company start SOX readiness?

Earlier than most teams expect. If an IPO or acquisition is on the horizon, SOX readiness should start while you still have time to change processes and tooling. Many organizations begin readiness work 12 to 18 months before they expect formal testing.

Do we need SOX controls if we are not public?

Not legally, but SOX-style controls are common in due diligence for late-stage funding and M&A. If you plan to become public, early adoption reduces rework.

How do SOC reports from vendors relate to SOX?

When a third-party service supports financial reporting, auditors often ask for the vendor's SOC report as evidence of controls at the service provider. You still need to manage your side of the shared responsibility.

Are spreadsheets in scope for SOX?

They can be. Spreadsheets used for journal entries, reconciliations, or reporting can become key controls. The typical mitigation is access control, versioning, review sign-off, and where possible migrating critical logic into controlled systems.

What is the most common SOX ITGC failure?

Weak access control evidence. Many teams have reasonable access practices, but they cannot prove approvals, periodic review, and timely removal of access.

Primary references

• U.S. SEC overview of Sarbanes-Oxley Act: sec.gov
• COSO internal control framework resources: coso.org