SOX 404 and IT General Controls (ITGC)

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that establishes requirements for how publicly traded U.S. companies communicate, store, and protect financial information. Section 302 of the law requires companies to develop “internal controls” to ensure the accuracy of their financial reporting, while Section 404 requires companies to assess and document the effectiveness of those internal controls. The relationship between IT processes and the “internal controls” described in Section 404 is not clearly defined in the law itself.

TCG uses frameworks such as COBIT 5, COSO, and ISO/IEC 27001:2013 to model the IT processes and controls for your business, applying these standards as a framework for IT General Controls (ITGC) and as a guide for performing IT security assessments for organizations regulated by SOX.

TCG consultants know how to meet the rigorous demands of the regulatory environment and communicate with auditors and audit committees within a risk-based framework. Our team’s objectivity and assessment quality can reveal opportunities to improve internal control over financial reporting and allow external auditors to rely on third-party work. We can also scale flexibly to your specific needs and level of support.

How TCG can assist you with SOX and IT General Controls (ITGC)

  • Plan, perform a risk assessment, and define the scope
  • Document significant processes and related entity-level IT General Controls
  • Identify key internal controls covering financial statement assertions
  • Assess design effectiveness of internal controls, including documented walkthroughs for reliance by auditors
  • Perform and document internal control operating effectiveness testing
  • Evaluate individual and aggregate deficiencies and consult on remediation actions
  • Report results to process/control owners, management, and Audit Committee