SOX (Sarbanes-Oxley)
IT general controls for SOX-regulated public companies.
Overview
What it is, in plain English.
Sarbanes-Oxley Section 404 requires public company management — and its external auditor — to attest to the effectiveness of internal controls over financial reporting (ICFR). For technology, that means IT General Controls (ITGCs) over the systems that produce financial data. Lyra designs, implements, and tests ITGCs across the four classic domains: Access to Programs and Data, Program Changes, Program Development, and Computer Operations.
ITGC design, testing, and remediation supporting SOX compliance — including access management, change management, and computer operations.
Who needs it
Built for organizations that have to get this right.
Public companies (and pre-IPO companies preparing for their first 10-K)
Subsidiaries of foreign private issuers required to comply
Companies going through carve-out or spin-off transactions
Audit committees needing independent ITGC remediation support
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Risk & Scoping: We identify in-scope financial systems, key reports, and the ITGCs that support them — aligned to your external auditor's expectations.
- 02 Control Design & Implementation: We design ITGCs that are testable, automatable, and don't crush your IT team — using SoD analysis, automated provisioning, and CI/CD-aware change controls.
- 03 Testing & Remediation: We perform management testing, identify deficiencies before the auditor does, and remediate before year-end.
- 04 Auditor Coordination: We work directly with your Big 4 (or other) external auditor to walk through controls, evidence, and findings.
Key controls
What's actually in scope.
Logical access provisioning, deprovisioning, and quarterly user access reviews
Privileged access management and segregation of duties (SoD)
Change management with approvals, testing, and emergency change procedures
Job scheduling, backup, recovery, and incident management
SDLC controls aligned to financial-system code paths
Third-party SOC 1 reports and complementary user entity controls
Deliverables
What you walk away with.
ITGC matrix mapped to financial assertions
Process narratives and flowcharts
Management testing workpapers
Deficiency tracker with remediation owners and timelines
Year-end ICFR-ready evidence package
Timeline
First-year SOX program: 6–12 months. Ongoing annual cycles: continuous, with peak effort Q3–Q4.
Questions we hear
Straight answers to the real questions.
- What's the difference between SOX 302 and 404?
- 302 is quarterly CEO/CFO certification of the financial statements. 404 is the annual management assertion (and external auditor opinion) on ICFR effectiveness — that's where ITGCs live.
- Do startups going public need SOX immediately?
- Newly public companies get a transition period — Section 404(a) management assertion in year one, 404(b) auditor attestation typically by the end of year two. We help you build the program before the clock starts.
- How do you handle SaaS / cloud financial systems?
- We rely on the SaaS provider's SOC 1 Type 2 report, design Complementary User Entity Controls (CUECs), and test the controls you actually own — usually access, configuration, and integration.
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
CMMC: Cybersecurity Maturity Model Certification
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security