
Executive Summary
SOX compliance remains a challenge even after two decades, with IT-related failures and Segregation of Duties (SoD) issues accounting for a significant share of Material Weaknesses. Veza simplifies SOX compliance with automated access controls, real-time SoD monitoring, and audit-ready reporting to reduce risk while cutting down audit preparation time.
The Sarbanes-Oxley Act (SOX) was enacted in 2002—a time when CDs dominated music, Tesla had yet to be founded, and babies born that year are now college graduates. Given that public companies have had over two decades to adapt, one might expect SOX compliance to be second nature by now. Yet, even the most seasoned organizations continue to face challenges.
SOX deficiencies fall into three categories, ranked by severity: Deficiency (D), Significant Deficiency (SD), and Material Weakness (MW). A Material Weakness (MW) is a serious red flag, signalling that a company’s financial reporting has a reasonable risk of material misstatement. Auditors also have been scrutinizing companies’ cybersecurity measures, investigating data breaches during the SOX audit period, and assessing their impact on financial reporting. A significant data breach may also lead to material weakness. This is the kind of thing that makes investors sweat and auditors cry.
A Workiva study found that companies disclosing MWs see their stock prices drop an average of 6% in 3 months, 11% in 6 months, and 19% in a year. Yet, despite knowing the risks, “Of the 3,549 annual reports filed in the 2022/2023 year, 242 companies (7%) disclosed MWs in their filings as of June 30, 2023. The percentage of companies disclosing MWs in 2023 was similar to the prior year and was consistent with pre-pandemic levels,” a KPMG study found.
What’s causing all these MWs? Two primary factors stand out: IT, Software, Security & Access issues and Lack of Segregation of Duties. In 2023, 55% of MWs came from IT-related failures (up from 40% in 2022), while 40% resulted from segregation of duties issues (up from 34% in 2022).
Why are we still struggling to avoid SOX deficiencies after two decades?
Three factors may be the main culprits:
Growing Scale and Complexity in Business Processes and Technology:
Gone are the days of a single on-prem ERP system managing financial data. Today, companies juggle hundreds of SaaS applications, cloud platforms, AI tools, and legacy systems. As technology stacks grow, so do access points, making it increasingly difficult to track who can modify financial data and how processes protect data integrity. Managing access and controls across a constantly evolving digital landscape has become a daunting task.
Evolving Audit Standards:
Regulatory expectations from the Public Company Accounting Oversight Board (PCAOB), a nonprofit corporation created by the Sarbanes–Oxley Act of 2002 to oversee the audits of US-listed public companies, and the Securities & Exchange Commission (SEC) continue to shift, leading audit firms to raise the bar while compliance teams struggle to keep up. To name a few recent developments:
- Stricter User Access Reviews: It’s no longer enough to check who has system access. Auditors now expect companies to conduct roles-to-permission reviews across all SOX-relevant systems.
- Service Accounts Under Scrutiny: Service accounts can be assigned permissions and be accessible by multiple users. Auditors want companies to demonstrate who has access to service accounts to mitigate hidden risks.
- Cybersecurity in the Spotlight: While the materiality standard has remained conceptually consistent, the SEC has placed increasing emphasis on qualitative factors, such as cybersecurity breaches and reputational harm, recognizing that they can be just as material as traditional quantitative financial thresholds.
Manual Processes That Can’t Keep Up:
Many companies still rely on spreadsheets, emails, and outdated workflows for critical SOX processes like user access reviews and user provisioning and deprovisioning. These manual methods are slow, error-prone, and difficult to scale, leading to issues such as delayed removal of access permissions, missed approvals, or incorrect role assignments.
How Can Veza Help with SOX Compliance?
Veza simplifies SOX compliance by providing full visibility into who has access to what within your environment, leveraging Veza’s unique Access Graph technology. Built atop the Access Graph, Veza’s Access Governance and Access Intelligence products equip organizations with modern tools to efficiently manage controls at scale, helping to maintain SOX compliance while reducing manual effort and costs through automation.
Quick start guide on implementing SOX controls with Veza:
- Phase 1: Connect core systems and establish baseline visibility
- Phase 2: Configure automated access controls and SoD rules
- Phase 3: Set up compliance dashboards and reports
- Phase 4: Begin automated monitoring and violation detection
Access and Change Management Controls
SOX compliance relies on two primary control types: IT General Controls (ITGCs) and business controls. For all SOX in-scope systems, organizations must enforce access controls and change management controls.
Access Controls
User Provisioning & Deprovisioning:
Veza’s Lifecycle Management and Access Requests products allow organizations to operationalize and automate their security policies related to birthright user provisioning, just-in-time access requests, required approval workflows, and automated deprovisioning when users no longer require access or depart the organization. This ensures timely provisioning and deprovisioning for joiners, movers, and leavers as well as just-in-time access to applications and resources, when required. This approach also helps minimize standing privilege within in-scope systems.
User Access Reviews:
Veza’s Access Reviews product supports role-to-user, role-to-permission, and permission-to-role-to-user reviews for regular and privileged users. It also pulls in non-human identities and local application accounts, not just IdP users, to ensure complete and accurate user lists. Additionally, Veza provides visibility into nested groups and roles, offering full transparency on inherited access.
Change Management Controls:
While Veza is not a change management platform, it enables SOX Change Management Controls by monitoring the effective implementation of separation of duties (SoD) through its SoD capabilities within Veza’s Advanced Access Intelligence product. Although specific controls that are applicable to organizations may vary, here are some examples of the visibility that Veza’s platform can provide:
- SoD between software development vs. production deployment: Veza enables continuous monitoring to ensure deployment teams are separate from development teams. For example, SOX-relevant GitHub repositories without branch protection rules can be flagged.
- SoD between developer and tester or SoD between change initiator vs. approver can be monitored and demonstrated within Veza’s SoD capabilities.
Segregation of Duties (SoD) Controls
SoD sits at the intersection of ITGCs and business controls, ensuring that no single individual has excessive access to financially relevant business activities such as: payroll change and payroll reconciliation, journal entry creations and approvals, accounts payable processing and reconciliation.
Veza’s SoD module helps organizations enforce cross-platform SoD rules and real-time SoD monitoring to prevent fraud and financial mismanagement. Powered by the Access Graph, Veza enables cross-application SoD analysis, ensuring visibility into permissions and roles across multiple SaaS, cloud computing and storage, and legacy on-prem systems, such as Procure-to-pay in Coupa and NetSuite, Revenue Recognition in Salesforce and Oracle Fusion.
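As an added example (not Veza’s code or data model), the check below evaluates cross-application SoD rules over a constructed access graph, resolving nested group and role inheritance so that access reached indirectly, as in the user access review section above, still counts toward a conflict. All identities, roles, permission names and rules are hypothetical sample data.

```python
from collections import deque

# Constructed sample access graph (hypothetical, not Veza's data model):
# direct memberships, nested group/role inheritance, and role permissions.
MEMBERSHIPS = {
    "alice": ["grp:finance-leads"],  # cross-app access arrives via a nested group
    "bob": ["netsuite:ap-clerk"],
    "carol": ["netsuite:je-creator", "netsuite:je-approver"],
    "svc-erp-sync": ["coupa:po-creator"],  # non-human identity, reviewed like any user
}
NESTED = {  # group or role -> groups/roles whose access it inherits
    "grp:finance-leads": ["coupa:po-creator", "netsuite:ap-approver"],
    "netsuite:ap-clerk": ["netsuite:ap-processor"],
}
ROLE_PERMS = {  # role -> permissions, qualified by application
    "coupa:po-creator": {"coupa:purchase_order.create"},
    "netsuite:ap-approver": {"netsuite:vendor_bill.approve"},
    "netsuite:ap-processor": {"netsuite:vendor_bill.create"},
    "netsuite:je-creator": {"netsuite:journal_entry.create"},
    "netsuite:je-approver": {"netsuite:journal_entry.approve"},
}
# An SoD rule names two permission sets that one identity must never hold together.
SOD_RULES = [
    ("JE create vs approve",
     {"netsuite:journal_entry.create"}, {"netsuite:journal_entry.approve"}),
    ("P2P create PO vs approve bill",  # spans Coupa and NetSuite
     {"coupa:purchase_order.create"}, {"netsuite:vendor_bill.approve"}),
]

def effective_permissions(identity):
    """Breadth-first walk over nested groups/roles; the seen set also guards against cycles."""
    seen, perms = set(), set()
    queue = deque(MEMBERSHIPS.get(identity, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        perms |= ROLE_PERMS.get(node, set())
        queue.extend(NESTED.get(node, []))
    return perms

def sod_violations(identity):
    """Names of the SoD rules the identity's effective (inherited) permissions violate."""
    perms = effective_permissions(identity)
    return [name for name, left, right in SOD_RULES if perms & left and perms & right]

def sod_report():
    """Violations for every identity in the graph, human and non-human alike."""
    return {identity: sod_violations(identity) for identity in MEMBERSHIPS}
```

Running `sod_report()` flags alice only through the nested finance-leads group, which a review of direct role assignments alone would miss.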
Enhancing Cybersecurity & Compliance Monitoring
In the event of a security breach, Veza supports blast radius analysis, helping organizations mitigate potential damage and reduce the financial impact. Veza’s Access Intelligence, Access Monitoring, and Non-Human Identity products strengthen identity and data security monitoring by continuously scanning permissions for security misconfigurations, deviations from best practices, access risks and compliance violations.
Audit-Ready Reports & SOX Dashboards
All of the Veza products above provide audit-ready reports to demonstrate the design and operational effectiveness of SOX controls. Additionally, the configurable SOX Dashboard enables immediate visibility into and monitoring of SOX compliance within your environment.
See how Veza automates SOX compliance for leading enterprises. Schedule a demo.
See how our customers used Veza to simplify their compliance programs:
- https://veza.com/resources/blackstone-case-study/
- https://veza.com/resources/sallie-mae-case-study/
- https://veza.com/resources/copperpoint-case-study/
- https://veza.com/resources/customers-genesys/
- https://veza.com/resources/barracuda-case-study/
- https://veza.com/resources/choice-hotels-case-study/
About the Author

Amber Li is a Principal Product Manager at Veza, focused on building next-generation Access Governance solutions to help organizations manage identity risks. Prior to Veza, she spent 13 years at Deloitte’s Risk Advisory division, assisting large enterprises in designing and implementing access controls, SoD, and change management frameworks. With extensive experience working alongside compliance teams, Amber has helped companies achieve compliance with SOX, SOC, ISO standards, and other regulations. She also was an external auditor for many organizations.