As your company prepares for the FY2026 Sarbanes‑Oxley (SOX) compliance cycle, now is an ideal time for Internal Audit teams to identify opportunities to improve efficiency, strengthen control precision, and enhance audit readiness.
This article, the fifth of a focused series, guides you through next steps so you can approach SOX compliance in 2026 with clarity and confidence.
Beyond Technical Compliance: The Critical Role of IT General Controls (ITGCs) in SOX
For many organizations, Sarbanes-Oxley (SOX) compliance sits at the intersection of the business and IT. Yet IT General Controls (ITGCs) are still too often treated as a technical requirement rather than what they truly are: a core component of reliable financial reporting.
When ITGCs are weak, inconsistently performed, or poorly evidenced, the impact extends beyond IT. It affects whether management can rely on system outputs, whether controls operate as intended, and whether auditors can place reliance on the control environment without expanding substantive procedures. In increasingly complex system landscapes, even isolated control breakdowns can have broad implications across processes and reporting areas.
Understanding ITGCs and how they support system‑dependent controls helps Internal Audit focus efforts where they can reduce risk, improve audit outcomes, and prevent late‑cycle disruption.
Understanding IT General Controls (ITGCs)
ITGCs govern how financial systems are accessed, changed, and operated. They do not prevent or detect misstatements directly. Instead, they establish whether the systems supporting financial reporting can be trusted.
In a SOX context, ITGCs typically include:
- Access Management – ensuring access is appropriately granted, reviewed, and removed
- Change Management – controlling and testing changes to systems, configurations, and reports
- Segregation of Duties (SoD) – preventing incompatible responsibilities from residing with one individual
- IT Operations – supporting processing integrity and system availability
Given continued reliance on system functionality and system‑generated information, Internal Audit should assess whether ITGCs are designed appropriately and operating consistently throughout the year. This goes beyond confirming that controls exist. It requires understanding whether access, changes, and system governance actually mitigate financial reporting risk and whether the organization can produce evidence to support this conclusion. Weak ITGCs often explain recurring findings, auditor reperformance, or reduced reliance.
Understanding System‑Dependent Controls
System‑dependent controls are controls that rely on IT systems to function effectively. They include application‑level controls, configured ERP controls, and management review controls that depend on system‑generated reports or queries (often referred to as information produced by the entity, or IPE). These controls may be manual, automated, or a combination of both.
The key consideration is dependency, as the control’s effectiveness depends on the reliability of the system producing the information or enforcing the configuration. As a result, ITGCs and system‑dependent controls are inherently linked. Where ITGCs are not effective, system‑dependent controls may not be suitable for audit reliance, regardless of how well they are designed or executed.
Why ITGC Weaknesses Can Undermine System-Dependent Control Reliance
Auditors focus on ITGCs because deficiencies can have a cascading effect across multiple controls. Common examples include:
- Access weaknesses that allow users to modify master data, report logic, or application control configurations without detection or appropriate oversight
- Change management gaps that make it difficult to demonstrate that control logic was consistent throughout the year
- Segregation of Duties (SoD) conflicts that compromise independence (for example, the same person can configure and execute a control)
Access provisioning, change management, and SoD remain the highest-risk ITGC areas in most SOX environments. Internal Audit plays a critical role in validating that users have appropriate access, that system and report changes are tested and approved, and that incompatible responsibilities are addressed. When weaknesses exist, auditors may reduce reliance on system‑dependent controls, expand substantive testing, or require additional manual procedures, often late in the audit cycle.
Report Reliance and Information Produced by the Entity (IPE)
Many SOX controls depend on system‑generated reports to support management review or control execution. Problems arise when report logic is unclear, parameters change, ownership is undefined, or completeness and accuracy procedures are not documented.
Internal Audit can reduce this risk by identifying SOX-critical reports early, testing report completeness and accuracy, understanding report logic and data sources, ensuring access to create or modify reports is appropriately restricted, and maintaining clear documentation of report changes.
Coordinating with IT and Cybersecurity
ITGC risk does not exist in isolation. Identity initiatives, cybersecurity enhancements, and system upgrades can all affect SOX‑relevant controls. Internal Audit is uniquely positioned to coordinate with IT and cybersecurity teams to ensure emerging risks are evaluated through a SOX lens and that controls evolve as the risk environment changes.
ITGCs are not just an IT exercise. They form the backbone of reliable financial reporting. Organizations that take a proactive, risk‑based approach to ITGCs and understand how system‑dependent controls rely on that foundation are better positioned to withstand audit scrutiny and reduce disruption. In today’s SOX environment, confidence in financial reporting starts with confidence in the systems behind it.
If you have questions about refining your SOX approach or want to discuss how to strengthen your internal processes, reach out to the Schneider Downs team.