Trust · SOX 404
Sarbanes-Oxley Section 404 requires US public companies to assess and report on the effectiveness of internal control over financial reporting (ICFR), including the IT general controls (ITGCs) — change management, access management, computer operations, and program development — that support financial-system integrity.
What it is, what it covers
When a financial system has SOX impact, every code change, access grant, and operational event is potentially a control point. Prosigns engineers financial-reporting-adjacent systems so the ITGCs are produced as a side-effect of normal engineering operation: change records traceable to ticket, access reviews automated with named approvers, and segregation-of-duties enforced at the platform layer rather than via process discipline alone.
SOX 404 audits don't fail because of one missing control. They fail because the evidence supporting the control doesn't tie cleanly to the change it governed. Our discipline: every change record is keyed to the ticket, every access decision is keyed to the approver, every operational event is keyed to the runbook. Auditors pull samples and walk the trail; the trail does not break.
Scope
SOX 404 applies to US public companies' systems that materially affect financial reporting — general ledger, billing, order management, revenue recognition, consolidation, and the IT infrastructure that supports them. We engineer for SOX impact whenever a deliverable touches a financial-system control plane.
Engineering controls
Prosigns engineering practices produce SOX 404-aligned evidence as a side-effect of normal delivery. Each control carries a specific reference where applicable.
Every change to ICFR-relevant code or configuration is keyed to a ticket carrying business justification, approval chain, test evidence, and deployment record. Pull-request templates enforce the required fields; merges are blocked when fields are absent. The audit trail walks: ticket → PR → tests → approval → deploy → post-deploy verification.
PCAOB AS 5; ITGC change management
Production access is reviewed quarterly with named approvers per role. Access grants and revocations are logged with actor and approver; orphaned access is flagged automatically. Segregation of duties is enforced at the platform layer — developers cannot deploy to production unilaterally; deployers cannot modify code unilaterally.
PCAOB AS 5; ITGC access management
Scheduled jobs, batch processes, and operational events are documented in runbooks tied to alerting. Failure handling is documented; incidents tied to ICFR-relevant systems trigger a documented response with retention of all forensic evidence.
PCAOB AS 5; ITGC computer operations
Every change to ICFR-relevant code goes through senior peer review with documented sign-off. Test evidence is retained per release; release notes capture business-justification language auditors can map to the change.
PCAOB AS 5; ITGC program development
Application and infrastructure logs are retained per the engagement's ICFR retention policy, typically 7 years for financial-reporting-relevant events. Log integrity is protected against tampering; querying is straightforward enough that auditors can pull samples without engineering on call.
DR plans are documented and tested at least annually for ICFR-relevant systems. Recovery time and recovery point objectives are stated and validated; test evidence is retained for the audit cycle.
Honest posture
Prosigns engineering practices are SOX 404 ITGC-aligned. We engineer to the standard whenever a deliverable touches financial-reporting scope; we do not provide financial-statement attestation services — that's your external auditor's role. We make their job straightforward by producing the evidence they expect.
Audit pack contents
Engagement-scoped to the SOX 404 deliverable. Available on request under NDA, same business day for procurement and InfoSec review.
Where it applies
Public banks, brokerages, and capital-markets firms with ICFR scope.
Public retailers with order-to-cash systems in financial-reporting scope.
Public manufacturers with cost-accounting and ERP systems in scope.
Services we deliver
ICFR-adjacent enterprise applications and integrations.
Dynamics 365, Salesforce, ServiceNow with documented SOX-relevant configurations.
Strangler-fig migrations of legacy financial systems with documented control continuity.
Frequently asked
No. SOX attestation is your external auditor's role; Prosigns is the system integrator and engineering partner. We engineer ICFR-adjacent systems so the ITGC evidence the auditor needs is produced as a side-effect of normal operation, and we coordinate with your auditor on walkthrough sessions, evidence pulls, and remediation. The assessment relationship stays with you.
Platform-layer enforcement does the heavy lifting. Developers can't deploy to production unilaterally; deployers can't modify code unilaterally; the deployment system enforces approval from a different actor than the change author. On smaller teams where role overlap is unavoidable, we document the compensating controls (manager review, post-deploy verification) and the audit trail captures actor identity at every step.
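As an added illustration of the pre-merge gate and the platform-layer segregation-of-duties check described under Engineering controls and in the answer above (example code, not Prosigns' tooling; the field names, the ChangeRecord shape, the compensating-control labels and the sample tickets are assumptions):

```python
from dataclasses import dataclass

# Fields the PR template must carry before a merge into ICFR scope is allowed (assumed names).
REQUIRED_FIELDS = ("ticket", "justification", "test_evidence", "approver")
# Compensating controls that must both be documented when a small team lets the author deploy.
COMPENSATING = frozenset({"manager_review", "post_deploy_verification"})


@dataclass
class ChangeRecord:
    ticket: str = ""                        # business ticket the change is keyed to
    author: str = ""                        # identity that authored the change
    approver: str = ""                      # identity that signed off the review
    deployer: str = ""                      # identity that triggered the production deploy
    justification: str = ""                 # business-justification text from the template
    test_evidence: str = ""                 # reference to the retained test run
    compensating: frozenset = frozenset()   # documented compensating controls, if any


def gate(rec: ChangeRecord) -> list[str]:
    """Return the control failures for a change record; an empty list means it may proceed."""
    failures = []
    for name in REQUIRED_FIELDS:
        if not getattr(rec, name).strip():
            failures.append(f"missing field: {name}")
    # Segregation of duties: approval must come from a different actor than the change author.
    if rec.approver and rec.approver == rec.author:
        failures.append("approver is the change author")
    # Developers cannot deploy their own change unless the compensating controls are documented.
    if rec.deployer and rec.deployer == rec.author:
        missing = COMPENSATING - rec.compensating
        if missing:
            failures.append("deployer is the change author; undocumented compensating controls: "
                            + ", ".join(sorted(missing)))
    return failures


# Constructed sample records (ticket ids and names are made up for the example).
CLEAN = ChangeRecord(ticket="FIN-1042", author="alice", approver="bob", deployer="carol",
                     justification="Correct rounding in the GL export", test_evidence="ci-run-7781")
SELF_APPROVED = ChangeRecord(ticket="FIN-1043", author="alice", approver="alice", deployer="carol",
                             justification="Hotfix", test_evidence="ci-run-7790")
SMALL_TEAM = ChangeRecord(ticket="FIN-1044", author="dave", approver="erin", deployer="dave",
                          justification="Batch job retry window", test_evidence="ci-run-7802",
                          compensating=frozenset({"manager_review", "post_deploy_verification"}))

if __name__ == "__main__":
    for rec in (CLEAN, SELF_APPROVED, SMALL_TEAM):
        print(rec.ticket, gate(rec) or "OK")
```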
Two flavors. (1) Greenfield: design ICFR-relevant systems with the controls engineered in from kickoff — typical scope 12-24 weeks for a new financial-reporting-adjacent application. (2) Remediation: take an existing system that's failing or struggling on ITGC walkthrough and bring it into compliance — typical scope 8-16 weeks depending on the gap inventory.
Yes — our enterprise-platforms department ATLAS implements these platforms with documented SOX-relevant configurations, role design, and customization governance. Customizations are version-controlled and change-managed at the platform layer; out-of-the-box audit logs are retained per the engagement's retention policy.
Per the engagement's ICFR retention policy, typically 7 years for financial-reporting-relevant events. Log integrity is protected against tampering; querying is structured so auditors can pull samples on their own without engineering on call. Retention costs are a function of log volume; we cost-shape this as part of the architecture, not as a surprise line item later.
The cloud provider covers the underlying infrastructure controls (data-center physical security, hypervisor isolation, etc.) — they publish their own SOC 1 / SOC 2 reports for that. Your application is everything above the shared-responsibility line, and that's where most SOX failures actually happen. We engineer the application layer to make the ITGC story coherent end-to-end.
Related regulators
PCI Security Standards Council
PCI-DSS Engineering for Payments-Touching Systems
Board of Governors of the Federal Reserve System; OCC Bulletin 2011-12 (parallel guidance)
Federal Reserve SR 11-7 Model Risk Management for ML Systems
New York State Department of Financial Services (DFS)
NYDFS 23 NYCRR 500 Cybersecurity for Financial Institutions
Talk to us
CITADEL co-pilots every regulated engagement. A senior engineer plus the department lead join the first call. Audit pack on the same business day.