SOX IT General Controls Controls Checklist

Access to financially significant systems is granted only after documented approval.

Evidence: Approved access requests for a sample of new grants.

User access to in-scope systems is reviewed periodically for appropriateness.

Evidence: Completed access-review attestations with remediation of exceptions.

Administrative / privileged access is restricted, justified, and monitored.

Evidence: Privileged-account inventory and a sample of reviewed admin activity.

System access is revoked promptly upon termination or role change.

Evidence: Termination-to-removal reconciliation for the period.

Conflicting duties are segregated to prevent a single user from completing a risky transaction.

Evidence: SoD ruleset and the latest conflict-review results.

Authentication settings (password policy, MFA) enforce secure access.

Evidence: Authentication-policy configuration export.

Changes to in-scope applications and infrastructure are authorized before implementation.

Evidence: Sample change tickets with documented authorization.

Changes are tested and approved prior to deployment to production.

Evidence: Change tickets showing test results and approvals.

Developers cannot deploy their own changes directly to production.

Evidence: Deployment-access listing showing separation from developers.

Backups of financially significant data are scheduled, monitored, and retained.

Evidence: Backup job success/failure reports for the period.

Restorations from backup are tested periodically to confirm recoverability.

Evidence: Restore-test results with date and outcome.

Scheduled jobs supporting financial processing run completely and are monitored for failures.

Evidence: Job-monitoring dashboard export and failure-resolution samples.

Environmental and operational controls protect in-scope systems availability.

Evidence: Hosting provider SOC 1/SOC 2 report review.

SOC reports for sub-service organizations are obtained and reviewed for exceptions.

Evidence: SOC report review memos for in-scope sub-service organizations.

New vendors with access to financial systems/data are risk-assessed before onboarding.

Evidence: Vendor onboarding risk assessments for the period.