title: Produce audit evidence for a SOX access review
category: Compliance Frameworks
tags: sox, audit evidence, attestation, compliance
priority: High
Produce audit evidence for a SOX access review
For a SOX audit, your reviewer needs proof that access to financial systems is reviewed on a schedule, that each review was performed by an appropriate person, and that anything inappropriate was removed. In Certification Center that evidence is a byproduct of doing the review — every decision is captured as a timestamped attestation, and you export it when the auditor asks. This guide shows how to run a review that produces clean SOX evidence and how to hand it over.
Prerequisites
- A Certification Center workspace with your directories connected and synced
- The financial systems and privileged groups in scope identified (ERP, finance apps, admin roles)
- A completed or in-progress access review campaign covering that scope
The attestation trail is the evidence
You do not assemble evidence separately. As reviewers work through a campaign, Certification Center records each decision automatically.
| Captured for every item | What the auditor learns |
|---|---|
| Identity and access | Who held what access |
| Decision | Whether it was approved (attested as still needed) or revoked |
| Reviewer | Which named person made the decision — the attestation |
| Timestamp | When the review happened, proving it was on schedule |
| Write-back result | That a revoke actually removed access in the source directory, not just noted it |
| SoD conflicts | That toxic-pair conflicts were surfaced and resolved |
Together these form the attestation trail: a complete, per-decision record of the control operating.
Step 1: Scope the review to your financial systems
Run an access review campaign scoped to the systems and roles SOX cares about — the ERP, finance applications, and privileged admin groups. Manager-based routing sends each person's access to their manager for attestation. See Set up your first access review campaign in 15 minutes.
Step 2: Make sure Separation of Duties is applied
SOX auditors look specifically for toxic combinations such as create-a-vendor plus approve-a-payment. With Separation of Duties rules active, those conflicts surface in the same review queue and get resolved on the record. See Separation of Duties: policy examples and toxic pairs.
Step 3: Complete the review
Reviewers approve or revoke each item. Encourage them not to rubber-stamp — an approval is a personal attestation. Revokes write back to the source directory, so the evidence shows the loop was actually closed, not just flagged. See the Reviewer guide.
Step 4: Export the evidence auditors accept
Once the campaign is complete, export the attestation history from the audit reporting area. A good SOX evidence package answers three questions on its face:
| Auditor question | What the export shows |
|---|---|
| Was the review performed on schedule? | Campaign start, due, and completion dates with per-decision timestamps |
| Did the right person review it? | Each decision attributed to a named reviewer |
| Was inappropriate access removed? | Revoke decisions with their write-back outcome |
Hand the auditor the export directly, or keep it on file, labelled with the campaign name and the review period it covers, as your evidence of the control operating for that period. An export that cannot be tied to a specific campaign and period is hard to use as evidence.
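The script below, added here as an example and not part of Certification Center's own tooling, runs the three auditor questions from the table above (plus the SoD-exception and reviewer-concentration points from the tips) over an export before it is handed over, so gaps are found before the auditor finds them. The CSV column names, the campaign window, and the sample rows are constructed assumptions; a real export will have its own column layout and needs the names adjusted.

```python
"""Sanity-check an exported attestation trail before it goes to the auditor.

Added example; not Certification Center's own tooling. Assumes a CSV export
with the columns used in SAMPLE_EXPORT and a campaign start/due date.
Adjust the column names to match the real export.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export: one row for each kind of finding plus clean rows.
SAMPLE_EXPORT = """\
item_id,subject,resource,decision,reviewer,decided_at,writeback_status,sod_conflict,exception_reason
1,alice,erp-ap-clerk,approve,carol,2024-04-03T10:15:00Z,,,
2,bob,erp-vendor-create,approve,dave,2024-04-04T09:00:00Z,,vendor-create+payment-approve,
3,bob,erp-payment-approve,revoke,dave,2024-04-04T09:02:00Z,success,vendor-create+payment-approve,
4,erin,finance-admin,revoke,carol,2024-04-05T16:30:00Z,failed,,
5,frank,erp-gl-post,approve,,2024-04-06T11:00:00Z,,,
6,grace,erp-ap-clerk,approve,carol,2024-05-02T08:00:00Z,,,
7,heidi,erp-vendor-create,approve,heidi,2024-04-07T12:00:00Z,,,
8,ivan,erp-vendor-create,approve,dave,2024-04-08T14:00:00Z,,vendor-create+payment-approve,
9,ivan,erp-payment-approve,approve,dave,2024-04-08T14:01:00Z,,vendor-create+payment-approve,
10,judy,erp-vendor-create,approve,dave,2024-04-09T10:00:00Z,,vendor-create+payment-approve,CFO-approved; dual sign-off on payments >10k
11,judy,erp-payment-approve,approve,dave,2024-04-09T10:01:00Z,,vendor-create+payment-approve,CFO-approved; dual sign-off on payments >10k
"""

# Constructed campaign metadata (assumed to come from the campaign export header).
CAMPAIGN = {"name": "Q2 FY24 finance access review",
            "start": "2024-04-01T00:00:00Z", "due": "2024-04-30T23:59:59Z"}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps the sample export uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolved_conflicts(rows):
    """(subject, conflict) pairs where at least one side of the toxic pair was revoked."""
    return {(r["subject"], r["sod_conflict"]) for r in rows
            if r["sod_conflict"] and r["decision"] == "revoke"}


def check_export(csv_text, campaign, max_reviewer_share=0.5):
    """Return (item_id, finding) tuples; an empty list means the trail answers all three questions."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    start, due = parse_ts(campaign["start"]), parse_ts(campaign["due"])
    resolved = resolved_conflicts(rows)
    findings = []
    for r in rows:
        item = r["item_id"]
        # Q1: was the review performed on schedule?
        if not (start <= parse_ts(r["decided_at"]) <= due):
            findings.append((item, "decided outside the campaign window (start..due)"))
        # Q2: did the right person review it? An attestation needs a named reviewer
        # who is not the access holder.
        if not r["reviewer"]:
            findings.append((item, "no named reviewer: this is not an attestation"))
        elif r["reviewer"] == r["subject"]:
            findings.append((item, "self-attestation: reviewer is the access holder"))
        # Q3: was inappropriate access removed? A revoke only counts if it wrote back.
        if r["decision"] == "revoke" and r["writeback_status"] != "success":
            findings.append((item, f"revoke not written back (status={r['writeback_status'] or 'none'})"))
        # SoD: an approved side of a toxic pair needs either a revoke on the other
        # side in this campaign or a documented exception with a reason.
        if (r["decision"] == "approve" and r["sod_conflict"]
                and (r["subject"], r["sod_conflict"]) not in resolved
                and not r["exception_reason"]):
            findings.append((item, "SoD conflict accepted without a documented exception"))
    # Tip: attestations carry less weight when one reviewer signed for almost everything.
    counts = Counter(r["reviewer"] for r in rows if r["reviewer"])
    for reviewer, n in counts.items():
        if n / len(rows) > max_reviewer_share:
            findings.append(("campaign", f"{reviewer} made {n} of {len(rows)} decisions"))
    return findings


if __name__ == "__main__":
    print(CAMPAIGN["name"])
    for item, finding in check_export(SAMPLE_EXPORT, CAMPAIGN):
        print(f"  item {item}: {finding}")
```

On the sample data the script flags the failed write-back (item 4), the unattributed decision (item 5), the decision made after the due date (item 6), the self-review (item 7), the accepted toxic pair with no recorded reason (items 8 and 9), and one reviewer holding a majority of the decisions; the bob rows pass because the conflicting side was revoked, and the judy rows pass because the exception is documented.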
Tips for a clean audit
| Practice | Why |
|---|---|
| Run on a fixed cadence | Auditors expect periodic reviews, commonly quarterly for financial systems; a consistent, documented cadence is itself part of the evidence |
| Keep scope tied to financial relevance | Reviewing the right systems matters more than reviewing everything |
| Document exceptions with justification | Accepted SoD conflicts should carry a reason and a compensating control |
| Do not reuse one reviewer for everything | Attestations are stronger when the reviewer is the person accountable for the access |
Still stuck?
Email support@certification-center.com with the campaign name and the period your auditor is examining.