Youattest Logo

What is a PbC (Provided By Client) in an Access Review Audit for SOX compliance?

Passed in 2002, the Sarbanes-Oxley Act (SOX) was designed to fix the way that public companies are audited in an effort to reduce fraudulent financial reporting. Also known as the Corporate Fraud Accountability Act of 2002, SOX outlines in section 404 that companies must establish internal controls and document and test the procedures they have put in place. 

The audit team usually issues a Provided By Client (PbC) list, outlining the information and documents required by the IT team to complete the audit.

As an internal control, companies must regularly conduct access reviews. During the periodic access reviews, it must be determined that users are only capable of accessing the information required for them to carry out their duties. If users have access to information they shouldn’t, it poses significant risks to the security of the company’s data. Additionally, under SOX, financial information and its handling are protected, so ensuring that it is kept safe from unauthorized use prevents it from falling into the hands of criminals.

Just as periodic access reviews must take place, access review audits must also be conducted. Throughout the audit, companies verify that they have proper security controls in place to prevent data breaches. This includes ensuring that users are not given access to information that they should not be authorized to view, decreasing the likelihood that it will be used fraudulently. To complete an audit, SOX requires an audit committee that is not financially tied to the company for whom they are completing the audit. For the audit to be conducted, the committee issues a Provided By Client (PbC) list, outlining the information and documents required to complete the audit.

Once the PbC information is returned to the audit committee, they can begin their audit process. To facilitate an efficient process, companies require cooperation across departments and information returned on time. For your next audit, YouAttest can help you streamline the process, ensuring that the audit committee receives the information when they need it. Rather than manually emailing department heads, with YouAttest you can delegate tasks with their due dates, automatically emailing the assignee. With the completed report, you can easily display who has access to what.

While SOX compliance has many different aspects, access review audits are a central component of information security. Without knowledge of who can access sensitive information, it is impossible to ensure that it is not being viewed by those wishing to use it for criminal activities. Throughout the audit process, PbC lists requested by the audit committees will provide them with the needed information to verify that a company’s internal access controls are properly functioning and maintained.

A quantified way to conduct access reviews is to utilize YouAttest cloud-based access review system.

YouAttest automates the creation and review of these access reviews.  To learn more about YouAttest, please  register for our next webinar with QoS Consulting Solutions featuring Stacey Cameron and Shannon Noonan.   Or write us @

Garret Grajek, CISSP, CEH
CEO of YouAttest