The Cybersecurity Blind Spot in SOX Compliance and How to Fix It

Recent ransomware attacks and new SEC cyber disclosure rules have shifted attention towards enhancing cyber resilience.

Why it matters: Companies are investing heavily to mitigate cybersecurity risks, with Gartner projecting worldwide information security spending to hit $212 billion by 2025, marking a 15% rise from the previous year.

The big picture: While SOX compliance offers a framework for IT controls related to financial reporting, it may create a false sense of security. It doesn’t fully cover broader cyber risks, leaving enterprises exposed.

Expanding oversight beyond SOX: Boards and management need to recognise that traditional SOX-centric IT controls aren’t enough. Complementing ITGC testing with independent, risk-based assessments is crucial to address the full spectrum of cybersecurity risks.

Key steps to take: Organisations should educate their boards on the gaps between SOX compliance and cyber resilience, commission independent cyber assessments and prioritise high-impact areas like ransomware readiness.

Recent ransomware attacks and new SEC cyber disclosure rules have increased the focus on cyber resilience across nearly all industries. As a result, many companies have invested substantial resources to help manage and mitigate cybersecurity risk to an acceptable level. Case in point: Gartner projects that worldwide information security spending will reach $212 billion in 2025, up more than 15% from the prior year.

Sarbanes-Oxley (SOX) compliance provides a structured mechanism for public companies to evaluate IT general controls (ITGCs) specific to financial reporting systems, including some controls that touch on cybersecurity topics.
However, this may give leadership and stakeholders a false sense of security that enterprise cyber risk is being managed appropriately. In fact, the SOX compliance process to assess ITGCs is inherently limited. Companies that rely solely on SOX ITGCs are overlooking critical cyber exposures that could disrupt operations, damage reputation, trigger regulatory scrutiny, and result in significant financial and intellectual property (IP) losses.

Limitations of SOX compliance testing

By design, SOX compliance focuses exclusively on applications, processes and infrastructure that support financial reporting. This means that broader cybersecurity risks (including but not limited to operational technology, customer databases and IP systems) are intentionally excluded from SOX compliance programmes. Similarly, many foundational cybersecurity controls and domains that are often viewed as too granular for conventional SOX compliance programmes are also excluded.

SOX ITGCs place a heavy focus on access controls that typically cover the following:

- Confirming only authorised users can access systems supporting financial reporting.
- Requiring timely removal of access for terminated employees.
- Periodically monitoring user and privileged access for appropriateness.
- Limiting access to financial systems via authentication mechanisms.

Although these ITGCs are essential for evaluating the integrity of financial reporting and ensuring the completeness and accuracy of financial reports, they were never designed to serve as a comprehensive cybersecurity framework. Rather, they focus on addressing risks related to unauthorised changes or inappropriate access to financial systems.

While SOX testing focuses on financial reporting controls, internal audit and control testing teams are uniquely positioned to notice indicators of potentially poor cyber hygiene during their work. These observations may not be classified as SOX deficiencies, but they can signal broader risk.
For example, the absence of multi-factor authentication (MFA) on privileged accounts may fall outside SOX scope yet represents significant exposure. When these situations arise, teams should raise the question of appropriateness and escalate concerns to management or the cybersecurity function. Even asking a simple question – for example, “Should we be comfortable with this?” – can help surface issues before they become incidents.

Board members and management need to be aware of the limitations of ITGC SOX compliance testing, which include the following:

- External threat actors and attack vectors: SOX testing does not evaluate an organisation’s defences against phishing, ransomware or advanced persistent threats attempting to breach the network perimeter.
- Data exfiltration outside of financial systems: Protection of data, including customer data, IP and other sensitive information beyond financial records, falls outside the scope of SOX compliance.
- Real-time threat detection and response: SOX testing focuses on certain preventative controls and periodic review of access, but does not address continuous monitoring, security logging or incident response capabilities.
- Supply chain and third-party risks: While vendor access may be reviewed if that access is related to financial systems, comprehensive third-party risk management and software supply chain security are not SOX requirements and generally are viewed to be out of scope.
- Emerging attack techniques: Zero-day exploits, cloud misconfigurations, API vulnerabilities and other evolving threats are not specifically addressed by traditional SOX testing procedures.
- Enhanced authentication controls: As noted earlier, MFA is a leading security practice that significantly reduces unauthorised access risk. It is not explicitly required for SOX compliance, even though its absence may leave organisations exposed to broader cyber threats.
- Network segmentation and architecture: SOX compliance does not evaluate whether an organisation’s network is segmented to limit the spread of cyberattacks or to protect sensitive data.

Another key point: While external auditors performing Section 404 attestations are increasingly inquiring about cybersecurity matters, their focus generally remains limited to understanding potential impacts on financial reporting or disclosures (e.g., through discussions with IT leadership about significant cyber incidents or operational disruptions). These interactions do not represent a comprehensive assessment of cybersecurity controls or resilience. Management and boards should therefore coordinate with their external audit partners to ensure perspectives are aligned, but recognise that true cyber assurance extends beyond the scope of SOX compliance efforts.

Expanding oversight beyond SOX

Audit committees, boards and senior management should recognise that traditional SOX-centric IT controls, while necessary, are not sufficient to address the full spectrum of cybersecurity risks. Boards and audit committees face growing pressure to demonstrate cyber oversight. While many organisations already provide cybersecurity updates to their boards, these updates rarely provide the same level of independent assurance that SOX delivers for financial reporting. And relying solely, or too much, on SOX ITGCs can leave organisations exposed to significant financial, compliance, reputation and operational risks. Simply put: Organisations need to complement their ITGC testing with independent, risk-based assessments of cyber capabilities and resilience.

While SOX ITGCs help enforce control discipline in systems that impact financial reporting, they do not assess the full spectrum of cyber risk.
Below is a more holistic (but not exhaustive) set of control domains that boards, audit committees and management should consider when evaluating the effectiveness of a cybersecurity programme:

- Governance and oversight
- IT asset management
- IT risk management
- Penetration testing
- Vulnerability management
- Social engineering and phishing exercises
- Security awareness training
- Incident response and recovery

A word about frameworks

To build a resilient cybersecurity programme that complements ongoing SOX compliance efforts, management may elect to align on a common set of frameworks and guiding principles. Leveraging established standards such as the NIST Cybersecurity Framework (CSF), NIST SP 800-53, CIS Critical Security Controls and/or ISO 27001 provides a structured approach to managing cyber risk. These frameworks offer similar and aligned perspectives:

- NIST CSF emphasises risk management and maturity.
- NIST 800-53 provides detailed control baselines.
- CIS focuses on prioritised, actionable safeguards.
- ISO 27001 delivers a globally recognised governance model.

Management may choose to align with a single framework or leverage components of multiple frameworks. Either way, management will be creating a unified strategy that strengthens the control environment, enhances resilience against evolving threats, and aligns with regulatory expectations and leading practices.

Now what?

To help close the gap between SOX compliance and true cyber resilience, we advise organisations to take these next steps now:

- Educate the board: Brief directors on the distinction between SOX ITGCs and enterprise cybersecurity, using recent incidents or case studies.
- Commission independent cyber assessments: Engage a qualified third party to evaluate enterprise cyber controls using a recognised framework. Even where management provides routine cyber updates, boards should seek objective, independent validation of the programme’s design and operating effectiveness.
- Leverage internal audit: Internal audit should assess management’s approach to mitigating critical cybersecurity risks and report regularly on the results of cyber audits.
- Prioritise high-impact controls: Focus on areas like MFA, incident response, IT asset management, ransomware readiness and third-party risk management, which typically are out of scope for SOX testing and compliance.
- Regularly revisit scope: Reassess the boundaries of SOX and cyber programmes as threats and regulations evolve.

Final thoughts

SOX compliance complements, but does not fully address, cyber assurance. Understanding this difference between awareness and assurance is critical. Only independent validation can give boards true confidence that cyber risks are being managed effectively. Boards and management teams that understand the distinction will be better positioned to protect shareholder value.

Here’s the question to take back to your next audit committee meeting: What independent assurance do we have that our cybersecurity programme is effective?

If the answer is not obvious, that’s your signal to act.

Protiviti Managing Directors Gordon Braun, Jason Maslan and Angelo Poulikakos also contributed to this article.

Leadership

Michael Pang: Michael is a managing director with over 20 years’ experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ...

Alan Wong: Alan is a director at Protiviti Hong Kong with over 21 years of experience in IT and security solutions and project management. He specialises in IT governance, risk assessment, regulatory compliance, and cybersecurity assessment and consulting. He also has an extensive ...

Jeffrey Hau: Jeffrey leads Protiviti Hong Kong's risk and compliance and internal audit practices with more than 20 years of experience in regulatory compliance consulting and auditing. As the leader of the financial services practice, his specific areas of focus include advising ...