Youattest Logo

The Relation Between SOX 404(b) Audits and Access Reviews

Enacted in 2002, the Sarbanes-Oxley Act, better known as SOX, was established to reduce fraudulent financial reporting and establish the Public Company Accounting Oversight Board. Before the passage of SOX into law, it was difficult to prosecute CEOs of companies that were fraudulently reporting a company’s financial statements. In section 404, SOX requires eligible companies to report internal controls and audit whether the controls in place are effective. SOX also holds company executives personally accountable for the reports, allowing them to be prosecuted if they participate in fraudulent reporting. 

With Section 404 split into two parts, 404(a) establishes the implementation and maintenance of internal controls while 404(b) calls for the audit of these controls to verify their effectiveness. For eligible companies (ones that exceed $75 million in shares held by public investors), they are required to undergo the audits outlined in the regulation. 

While SOX does not specifically outline the internal controls that should be implemented by a company, it is understood to include information security protocols to ensure the security of financial information. One aspect of all good information security protocols is periodic access reviews. As companies continue to evolve their systems to incorporate more digital information management, it is imperative that sensitive information is only available to those authorized to view it. The purpose of an access review is to confirm that only authorized users can access secure data and revoke access from those who should not. 

When conducting SOX 404(b) audits, companies must evaluate the effectiveness of their access reviews. Does their access review properly determine that only authorized users are accessing sensitive information? Do they properly revoke access from those who shouldn’t be able to access certain resources? A SOX 404(b) audit ensures that the answer to these questions is “yes.”

Since SOX audits are to be conducted by an audit committee that is neither financially nor personally tied to the company audited, it ensures that the company is managing their company with integrity. When risks are properly managed, investors and customers of the company can be assured that their financial information is being kept safe from potential data breaches and falling into the hands of criminals. If companies are not conducting the proper access reviews, it creates an enormous risk.

For companies to maintain SOX compliance, 404(b) audits must be conducted and include audits of access reviews. If they do not include a key aspect of information security, they cannot be certain that the sensitive financial information they are responsible for is not able to get into the wrong hands. Access reviews ensure that only users they have authorized can access secure information, which greatly reduces the risks that companies may face when it comes to the threat of data breaches.

A quantified way to conduct access reviews is to utilize YouAttest cloud-based access review system.

YouAttest automates the creation and review of these access reviews.  To learn more about YouAttest, please  register for our next webinar,  Insider Theat and Access Reviews.   Or write us @

Garret Grajek, CISSP, CEH
CEO of YouAttest