
SOX IT General Controls (ITGC): A Guide for Public Companies

30 May 2026 · 8 min read · Cyber Horizon Team

The Sarbanes-Oxley Act (SOX) makes management and auditors responsible for the reliability of financial reporting — and modern financial reporting runs on IT systems. That’s where IT General Controls (ITGC) come in: the controls that ensure the systems behind the numbers are trustworthy.

Why ITGC matters

If a system that produces financial data isn’t properly controlled, none of the application-level controls on top of it can be relied on. Auditors test ITGC first because weak general controls undermine everything else — a single ITGC deficiency can cascade into a material weakness.

The four ITGC domains

Access to Programs & Data

Provisioning, least privilege, periodic access reviews, segregation of duties, and timely de-provisioning of leavers.

Program Changes

Change management: requests, testing, approval and segregation between who develops and who deploys.

Program Development

Controls over new systems and major implementations — requirements, testing and approval before go-live.

Computer Operations

Job scheduling, backups, incident and problem management, and monitoring of the systems that process financial data.

What auditors actually test

Expect sampling: pulls of access listings to confirm reviews happened, change tickets to confirm approvals and testing, and evidence that segregation of duties holds. The recurring failure isn’t missing controls — it’s missing evidence that the control operated consistently across the whole period.

Staying audit-ready

  • Define precisely which systems are in scope (ERP, financial apps, supporting infrastructure).
  • Automate access reviews and capture them as dated evidence.
  • Tie every production change to an approved, tested ticket.
  • Collect operations evidence (backups, job runs) continuously, not at year-end.
  • Map ITGC to your wider control library so SOX work reuses your SOC 2 / ISO 27001 evidence.
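
The change-management test described above (every production change tied to an approved, tested ticket, with development separated from deployment) can be run over exported records as a script. This is an added example, not code from Cyber Horizon; the record layout, field names, ticket ids and user names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: field names and values are assumptions, not a real tool's export.
TICKETS = {
    "CHG-101": {"approved_at": "2026-01-10T09:00", "tested_at": "2026-01-09T16:00", "developer": "alice"},
    "CHG-102": {"approved_at": "2026-02-03T15:00", "tested_at": "2026-02-02T11:00", "developer": "bob"},
    "CHG-103": {"approved_at": None, "tested_at": "2026-03-01T10:00", "developer": "carol"},
    "CHG-104": {"approved_at": "2026-03-20T10:00", "tested_at": "2026-03-19T10:00", "developer": "dave"},
}
DEPLOYS = [
    {"id": "D1", "ticket": "CHG-101", "deployer": "erin", "at": "2026-01-10T12:00"},
    {"id": "D2", "ticket": "CHG-102", "deployer": "bob", "at": "2026-02-03T09:00"},
    {"id": "D3", "ticket": "CHG-103", "deployer": "erin", "at": "2026-03-02T08:00"},
    {"id": "D4", "ticket": None, "deployer": "erin", "at": "2026-03-15T22:00"},
    {"id": "D5", "ticket": "CHG-104", "deployer": "erin", "at": "2026-03-21T08:00"},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def check_change(deploy, tickets):
    """Return the list of exceptions for one production deployment."""
    ticket = tickets.get(deploy["ticket"])
    if ticket is None:
        return ["no matching change ticket"]
    deployed = _ts(deploy["at"])
    approved, tested = _ts(ticket["approved_at"]), _ts(ticket["tested_at"])
    found = []
    if approved is None:
        found.append("no approval recorded")
    elif approved > deployed:
        found.append("approved after deployment")
    if tested is None:
        found.append("no test evidence")
    elif tested > deployed:
        found.append("tested after deployment")
    if ticket["developer"] == deploy["deployer"]:
        found.append("developer deployed own change")
    return found

def run_control_test(deploys, tickets):
    """Map deployment id -> exceptions, keeping only deployments that failed."""
    results = {d["id"]: check_change(d, tickets) for d in deploys}
    return {k: v for k, v in results.items() if v}

if __name__ == "__main__":
    for deploy_id, issues in run_control_test(DEPLOYS, TICKETS).items():
        print(deploy_id, "; ".join(issues))
```

Running it over the full population of deployments for the period, rather than a sample, and storing the dated output gives the consistent-operation evidence the audit looks for.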

The bottom line

SOX ITGC is about proving the systems behind your financials are controlled all year, not just on audit day. Treat it as continuous evidence collection over access, change and operations — and most of it overlaps with the security controls you already run.

Keep SOX ITGC evidence audit-ready

Cyber Horizon automates access reviews, change-evidence and operations logging, and maps SOX ITGC to your SOC 2 and ISO 27001 controls — so one evidence set serves them all.
