SOX Professionals Group

 View Only
  • 1.  ITGCs, IAM Tools, and SOX

    Posted 10-04-2022 09:52 AM
    Where IAM tools can be leveraged for user access reviews and automation of Active Directory access termination, are ITGCs over privileged access and change management warranted and subject to testing for SOX compliance? Seems excessive.

    Barb Terlap
    Internal Controls Manager

  • 2.  RE: ITGCs, IAM Tools, and SOX

    Posted 10-05-2022 10:45 AM
    Hi, Barb.  Our InfoSec team has developed an application in Splunk to automate much of the UAR process.  However, this is limited (for now) to those apps with Single-sign on (we use OKTA).

    As to ITGC's over AD, since AD and OKTA are integrated, having good controls over AD gives comfort around timely terminations - since there is sometimes a lag between the deactivation of user accounts in the individual applications.  However, if their SSO access is terminated, the user cannot get to the application.

    Drop me an email at if you'd like to discuss more...

    David Gamble
    Director Risk and Advisory Services

  • 3.  RE: ITGCs, IAM Tools, and SOX

    Posted 10-06-2022 10:28 AM
    Hi Barb!  Thanks for posting your question.  I think many companies may have the same question.  From my experience, any in scope application would have privilege access and changement controls in place.  Agree with David's response.

    Can I ask you why you think it is excessive?  That may provide more color around your particular situation.

    Have a great day!

    Sakina Lara CPA CISA CFE
    SOX Manager