
Produce audit evidence for a SOX access review

title: Produce audit evidence for a SOX access review
category: Compliance Frameworks
tags: sox, audit evidence, attestation, compliance
priority: High

Produce audit evidence for a SOX access review

For a SOX audit, your reviewer needs proof that access to financial systems is reviewed on a schedule, that each review was performed by an appropriate person, and that anything inappropriate was removed. In Certification Center that evidence is a byproduct of doing the review — every decision is captured as a timestamped attestation, and you export it when the auditor asks. This guide shows how to run a review that produces clean SOX evidence and how to hand it over.

Prerequisites

  • A Certification Center workspace with your directories connected and synced
  • The financial systems and privileged groups in scope identified (ERP, finance apps, admin roles)
  • A completed or in-progress access review campaign covering that scope

The attestation trail is the evidence

You do not assemble evidence separately. As reviewers work through a campaign, Certification Center records each decision automatically.

Captured for every item | What the auditor learns
Identity and access     | Who held what access
Decision                | Whether it was approved (attested as still needed) or revoked
Reviewer                | Which named person made the decision — the attestation
Timestamp               | When the review happened, proving it was on schedule
Write-back result       | That a revoke actually removed access in the source directory, not just noted it
SoD conflicts           | That toxic-pair conflicts were surfaced and resolved

Together these form the attestation trail: a complete, per-decision record of the control operating.

Step 1: Scope the review to your financial systems

Run an access review campaign scoped to the systems and roles SOX cares about — the ERP, finance applications, and privileged admin groups. Manager-based routing sends each person's access to their manager for attestation. See Set up your first access review campaign in 15 minutes.

Step 2: Make sure Separation of Duties is applied

SOX auditors look specifically for toxic combinations such as create-a-vendor plus approve-a-payment. With Separation of Duties rules active, those conflicts surface in the same review queue and get resolved on the record. See Separation of Duties: policy examples and toxic pairs.

Step 3: Complete the review

Reviewers approve or revoke each item. Encourage them not to rubber-stamp — an approval is a personal attestation. Revokes write back to the source directory, so the evidence shows the loop was actually closed, not just flagged. See the Reviewer guide.

Step 4: Export the evidence auditors accept

Once the campaign is complete, export the attestation history from the audit reporting area. A good SOX evidence package answers three questions on its face:

Auditor question                        | What the export shows
Was the review performed on schedule?   | Campaign start, due, and completion dates with per-decision timestamps
Did the right person review it?         | Each decision attributed to a named reviewer
Was inappropriate access removed?       | Revoke decisions with their write-back outcome

Hand the auditor the export directly, or keep it on file as your evidence of the control operating for the period.

Tips for a clean audit

Practice                                  | Why
Run on a fixed cadence                    | SOX wants periodic, usually quarterly, reviews — consistency is part of the evidence
Keep scope tied to financial relevance    | Reviewing the right systems matters more than reviewing everything
Document exceptions with justification    | Accepted SoD conflicts should carry a reason and a compensating control
Do not reuse one reviewer for everything  | Attestations are stronger when the reviewer is the person accountable for the access
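As an added example that is not part of Certification Center's documentation, the Python script below checks an exported attestation history against the three auditor questions from Step 4 and the "document exceptions with justification" tip above. The CSV column names, the campaign window and the sample rows are constructed assumptions; the product's real export columns will differ.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. The column names are an assumption about what an
# attestation-history export looks like, not Certification Center's real schema.
SAMPLE_EXPORT = """\
identity,access,decision,reviewer,timestamp,writeback_result,sod_conflict,justification
alice@example.com,ERP Vendor Create,approved,mgr1@example.com,2024-04-03T10:15:00Z,,,
alice@example.com,ERP Payment Approve,revoked,mgr1@example.com,2024-04-03T10:16:00Z,success,create-vendor/approve-payment,
bob@example.com,Finance Admin,revoked,mgr2@example.com,2024-04-05T09:00:00Z,failed,,
carol@example.com,GL Post,approved,,2024-04-06T11:30:00Z,,,
dave@example.com,AP Clerk,approved,mgr3@example.com,2024-05-02T08:00:00Z,,,
erin@example.com,ERP Vendor Create,approved,mgr1@example.com,2024-04-04T12:00:00Z,,create-vendor/approve-payment,
"""

CAMPAIGN_START = "2024-04-01T00:00:00Z"  # constructed quarterly review window
CAMPAIGN_DUE = "2024-04-30T23:59:59Z"


def _ts(value):
    # Map a trailing "Z" to an explicit offset so older Pythons parse it too.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_evidence(export_text, campaign_start=CAMPAIGN_START, campaign_due=CAMPAIGN_DUE):
    """Return (item, problem) pairs for each decision that leaves an auditor question unanswered."""
    start, due = _ts(campaign_start), _ts(campaign_due)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        item = f"{row['identity']} / {row['access']}"
        # Q1: was the review performed on schedule? Every decision must fall inside the window.
        if not start <= _ts(row["timestamp"]) <= due:
            findings.append((item, "decision timestamp outside campaign window"))
        # Q2: did the right person review it? Each decision needs a named reviewer.
        if not row["reviewer"].strip():
            findings.append((item, "no named reviewer on attestation"))
        # Q3: was inappropriate access removed? A revoke is only evidence once write-back succeeded.
        if row["decision"] == "revoked" and row["writeback_result"] != "success":
            findings.append((item, "revoke not confirmed by directory write-back"))
        # Tip: an accepted SoD conflict must carry a documented justification.
        if row["sod_conflict"] and row["decision"] == "approved" and not row["justification"].strip():
            findings.append((item, "accepted SoD conflict without justification"))
    return findings


if __name__ == "__main__":
    for item, problem in check_evidence(SAMPLE_EXPORT):
        print(f"{item}: {problem}")
```

Run it over the real export before handing it to the auditor; an empty findings list means every row answers all three questions.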

Still stuck?

Email support@certification-center.com with the campaign name and the period your auditor is examining.
