
SOX IT Controls and M&A: What Finance Teams Miss in IT Due Diligence

SOX Section 404 requires management assessment of internal controls. Acquired IT systems must have SOX controls documentation — and most targets don't have it.

Luna
Tags: sox, it-controls, compliance, m-and-a, finance

Section 404 of Sarbanes-Oxley requires management to assess and attest to the effectiveness of internal controls over financial reporting (ICFR). For any company that is, or is contemplating becoming, a publicly traded company or a significant subsidiary of one, that assessment extends to the IT systems that support financial reporting: the ERP, the databases under it, the identity directory that grants access to it, and the jobs that move data into and out of it.

In M&A, this creates a specific IT due diligence obligation that most finance teams don’t know how to scope, because it requires understanding the target’s IT environment in enough detail to assess whether its IT general controls (ITGCs) are documented, designed effectively, and actually operating.

What SOX Actually Requires from IT

The statute itself does not enumerate IT controls; the frameworks auditors assess ITGCs against (COSO-based, commonly mapped to COBIT) group them into six areas:

1. Access Control — Who has access to the systems, data, and programs that support financial reporting? This includes database access, application access, operating system access, and network access. Auditors expect access to be restricted to authorized personnel, access rights to be reviewed on a defined schedule, and evidence of both to be retained.

2. Change Management — How are changes to IT systems authorized, tested, and deployed? A properly controlled change management process ensures that unauthorized changes don’t introduce errors into financial data. Key controls: change tickets, testing evidence, segregation between development and production.

3. Computer Operations — How are batch jobs, scheduled processes, and data feeds that support financial reporting controlled? This includes: backup and recovery procedures, job scheduling controls, data transmission controls, and incident response.

4. System Development — How are new systems or significant modifications to existing systems developed and tested before going live? For acquired companies that have developed internal systems supporting financial reporting, this is often a significant gap.

5. Data Integrity — How is the accuracy and completeness of data in financial reporting systems maintained? Includes reconciliation controls, input validation, and error correction procedures.

6. Segregation of Duties — Are the roles and responsibilities designed to prevent any single individual from being able to commit and conceal errors or fraud in the financial reporting process?
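The segregation-of-duties question above is usually answered mechanically: map each ERP role to the business functions it grants, define the pairs of functions one person must not hold together, and look for users who hold both. The following is an added example, not code from the original page or from any ERP vendor; the role-to-function map, the conflict pairs and the user assignments are constructed to illustrate the check (in a real review the first comes from the application’s role definitions and the last from its user export).

```python
"""Segregation-of-duties conflict check over ERP role assignments.

Added example; role map, conflict pairs and assignments are constructed.
"""
from collections import defaultdict

# Assumed mapping from ERP roles to the business functions they grant.
# A real review pulls this from the application's role definitions.
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINT":    {"create_vendor"},
    "AP_PAYMENT_APPROVE": {"approve_payment"},
    "AP_PAYMENT_ENTRY":   {"enter_invoice"},
    "GL_JOURNAL_POST":    {"post_journal"},
    "GL_JOURNAL_APPROVE": {"approve_journal"},
    "SEC_USER_ADMIN":     {"maintain_user_access"},
    "AP_CLERK_COMBO":     {"create_vendor", "enter_invoice"},
}

# Incompatible function pairs (order-independent). Constructed, but typical
# of what is tested in the purchase-to-pay and record-to-report cycles.
CONFLICTS = [
    ("create_vendor", "approve_payment", "Can create a vendor and pay it"),
    ("enter_invoice", "approve_payment", "Can enter and approve own invoices"),
    ("post_journal", "approve_journal", "Can post and approve own journals"),
    ("maintain_user_access", "post_journal", "Can grant self posting rights"),
    ("maintain_user_access", "approve_payment", "Can grant self payment approval"),
]

def functions_for(roles):
    """Flatten a user's roles into the set of business functions granted."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def sod_conflicts(assignments):
    """assignments: {user: [role, ...]} -> {user: [reason, ...]}.

    A user is flagged once per conflicting pair held, however many roles
    contribute to it, so the report reads one line per conflict.
    """
    findings = defaultdict(list)
    for user, roles in assignments.items():
        funcs = functions_for(roles)
        for a, b, reason in CONFLICTS:
            if a in funcs and b in funcs:
                findings[user].append(reason)
    return dict(findings)

# Constructed sample export: who holds which roles.
SAMPLE_ASSIGNMENTS = {
    "jdoe":    ["AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"],
    "asmith":  ["AP_CLERK_COMBO"],        # two functions from one role, no conflict
    "rlee":    ["GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"],
    "itadmin": ["SEC_USER_ADMIN", "GL_JOURNAL_POST"],
    "mwang":   ["AP_PAYMENT_ENTRY"],
}

if __name__ == "__main__":
    for user, reasons in sorted(sod_conflicts(SAMPLE_ASSIGNMENTS).items()):
        for reason in reasons:
            print(f"{user}: {reason}")
```

Note that the check works on functions, not role names: a single composite role (AP_CLERK_COMBO above) can carry a conflict on its own, and that is exactly the case a role-name comparison misses. The user-administration pairs matter in an ITGC review because a security administrator who can also post entries can grant themselves anything the matrix forbids.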

The ITGC vs. IT Application Control Distinction

SOX distinguishes between:

IT General Controls (ITGCs): Controls over the IT environment that support the reliability of financial reporting — the six areas above. ITGCs are prerequisites: if they are weak, the auditor cannot rely on the automated application controls or the system-generated reports produced in that environment, and has to substitute far more manual testing.

IT Application Controls: Automated controls within an individual application that ensure the accuracy, completeness, and validity of transactions processed by that application — input validation, workflow approvals, edit checks.

In a typical ERP system (SAP, Oracle, NetSuite), application controls exist within the system. ITGCs exist in the infrastructure around the system. The external auditor tests both — but if ITGCs are missing or ineffective, application controls cannot be relied upon.

The M&A Problem: Pre-Acquisition ITGC Gaps

The most common finding in a pre-acquisition ITGC assessment is that the target’s controls are either:

Not documented — The control exists, the team knows how to do it, but there’s no written policy or procedure and no retained evidence. Auditors can’t test what isn’t documented: without a control description there is nothing to test against, and without evidence there is nothing to sample.

Not tested — The control is documented but has never been tested for operating effectiveness. SOX auditors will test a sample of transactions to determine if controls are operating as designed.

Not reviewed — Access reviews (who has access to what) should be conducted quarterly or annually. In most companies, access reviews are done when someone thinks of it, not on a defined schedule.

Not remediated — Control failures identified in prior audits were logged but not remediated. The findings are still open.

The ACQI Module Contribution

ACQI’s ITGC discovery module tests and reports on the actual state of the target’s IT general controls. Specifically:

Access Controls: Enumerate all privileged accounts (Domain Admin, Enterprise Admin, database sysadmin, application admin roles) across AD, Azure, SQL Server, and the key financial applications. Flag accounts that have never had their access rights reviewed, based on the last modification date of role assignments. In AD the date a member was added to a group is held in the group’s replication metadata rather than on the user object, so the assessment has to pull that metadata or fall back on the control owner’s documented review dates.

Change Management: Identify the change management process in use (ServiceNow, JIRA, manual ticketing, nothing). Determine whether production changes go through a ticketing system with appropriate approval evidence. Flag any systems where changes appear to have been made without documented approval.
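The check described above, flagging production changes without documented approval, is a reconciliation between two records: what actually changed in production and what the ticketing system approved. The following is an added example, not code from the original page or from ACQI. The deployment log format and the ticket export fields are assumptions; both the log lines and the tickets are constructed. Beyond the page’s “no documented approval” case it also flags a change deployed outside its approved window and a change approved by the person who implemented it, since auditors test both.

```python
"""Reconcile production changes against change tickets.

Added example. Log format, ticket fields, log lines and tickets are all
constructed for illustration; a real assessment reads them from the
deployment tooling and the ticketing export.
"""
import re
from datetime import datetime

# Constructed deployment log: one line per production change.
DEPLOY_LOG = """\
2024-03-04T02:10:00Z host=erp-app01 actor=rlee change=CHG-1041 artifact=gl-batch-2.3.1
2024-03-04T02:12:00Z host=erp-db01 actor=rlee change=CHG-1041 artifact=gl-schema-2.3.1
2024-03-06T14:45:00Z host=erp-app01 actor=asmith change=CHG-1042 artifact=ap-portal-1.9.0
2024-03-07T09:00:00Z host=erp-app02 actor=asmith change=- artifact=hotfix-ap-1.9.1
2024-03-09T23:30:00Z host=erp-db01 actor=dba1 change=CHG-1043 artifact=index-rebuild
2024-03-10T01:00:00Z host=erp-app01 actor=jdoe change=CHG-1044 artifact=ap-portal-1.9.2
"""

# Constructed ticket export. The approved window is [start, end).
TICKETS = {
    "CHG-1041": {"status": "approved", "approver": "cio",
                 "start": "2024-03-04T01:00:00Z", "end": "2024-03-04T04:00:00Z"},
    "CHG-1042": {"status": "approved", "approver": "asmith",
                 "start": "2024-03-06T14:00:00Z", "end": "2024-03-06T16:00:00Z"},
    "CHG-1043": {"status": "approved", "approver": "cio",
                 "start": "2024-03-10T00:00:00Z", "end": "2024-03-10T02:00:00Z"},
    "CHG-1044": {"status": "pending", "approver": None,
                 "start": "2024-03-10T00:00:00Z", "end": "2024-03-10T02:00:00Z"},
}

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) actor=(?P<actor>\S+) "
    r"change=(?P<change>\S+) artifact=(?P<artifact>\S+)$"
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_deploys(text):
    """Parse the log into dicts; unparseable lines are skipped here, but a
    real assessment must report them rather than silently drop them."""
    deploys = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = parse_ts(d["ts"])
        deploys.append(d)
    return deploys

def reconcile(deploys, tickets):
    """Return (artifact, host, reason) for each deploy lacking evidence of
    an authorized change."""
    findings = []
    for d in deploys:
        ref = d["change"]
        t = tickets.get(ref)
        if ref == "-" or t is None:
            findings.append((d["artifact"], d["host"], "no change ticket"))
            continue
        if t["status"] != "approved":
            findings.append((d["artifact"], d["host"],
                             f"{ref} not approved ({t['status']})"))
            continue
        start, end = parse_ts(t["start"]), parse_ts(t["end"])
        if not (start <= d["ts"] < end):
            findings.append((d["artifact"], d["host"],
                             f"{ref} deployed outside approved window"))
        if t["approver"] == d["actor"]:
            findings.append((d["artifact"], d["host"],
                             f"{ref} approved and implemented by same person"))
    return findings

if __name__ == "__main__":
    for artifact, host, reason in reconcile(parse_deploys(DEPLOY_LOG), TICKETS):
        print(f"{host} {artifact}: {reason}")
```

The direction of the join matters: start from what changed in production, not from the ticket queue. A clean ticket queue proves nothing about the hotfix that was pushed without a ticket, which is the finding the page describes.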

Backup Controls: Verify that backup jobs exist, are configured correctly, and that restoration testing has been performed. The most common SOX finding for ITGC is “backup restoration tested more than 12 months ago.”

Service Account Management: Service accounts used by financial applications must be documented and their credentials must be managed: passwords rotated on schedule and stored in a credential vault, or, on Windows, the account replaced with a group Managed Service Account whose password AD rotates automatically. ACQI surfaces all service accounts used by financial application servers.
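The access-control and service-account checks described in the two passages above share one input, an export of directory accounts, so they are shown together in a single added example. This is not code from the original page or from ACQI. The records are constructed to look like a user export with a few attributes (group membership, userAccountControl, pwdLastSet, servicePrincipalName); the privileged-group list, the service-account heuristic, the review and rotation thresholds, and the access-review log are all assumptions stated in the comments.

```python
"""Privileged- and service-account hygiene checks over a directory export.

Added example; records, thresholds and the review log are constructed.
pwdLastSet is modelled as a datetime (in AD it is a FILETIME integer).
"""
from datetime import datetime, timedelta

# Assumed privileged groups: the built-in ones plus app/db roles for illustration.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "SQL-Sysadmins", "ERP-Admins",
}
NORMAL_ACCOUNT = 0x0200          # userAccountControl flags
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
REVIEW_MAX_DAYS = 365            # page: quarterly or annual reviews; annual floor assumed
ROTATION_MAX_DAYS = 365          # assumed service-account rotation policy

AS_OF = datetime(2024, 3, 15)

def days_ago(n):
    return AS_OF - timedelta(days=n)

# Constructed export of user objects.
ACCOUNTS = [
    {"sam": "jdoe", "memberOf": ["Domain Admins", "Domain Users"],
     "uac": NORMAL_ACCOUNT, "pwdLastSet": days_ago(40), "spn": []},
    {"sam": "oldadmin", "memberOf": ["Enterprise Admins"],
     "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "pwdLastSet": days_ago(900), "spn": []},
    {"sam": "svc_erp_batch", "memberOf": ["Domain Users"],
     "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "pwdLastSet": days_ago(1200),
     "spn": ["HTTP/erp-app01.corp.example"]},
    {"sam": "svc_sql_agent", "memberOf": ["SQL-Sysadmins"],
     "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "pwdLastSet": days_ago(90),
     "spn": ["MSSQLSvc/erp-db01.corp.example:1433"]},
    {"sam": "asmith", "memberOf": ["Domain Users"],
     "uac": NORMAL_ACCOUNT, "pwdLastSet": days_ago(20), "spn": []},
]

# Constructed access-review log: when each account's privileged membership
# was last attested by the control owner. Absence means never reviewed.
LAST_REVIEW = {"jdoe": days_ago(30), "svc_sql_agent": days_ago(400)}

def is_privileged(acct):
    return bool(PRIVILEGED_GROUPS & set(acct["memberOf"]))

def is_service_account(acct):
    # Heuristic, not authoritative: an SPN or a non-expiring password.
    return bool(acct["spn"]) or bool(acct["uac"] & DONT_EXPIRE_PASSWORD)

def assess(accounts, last_review, as_of=AS_OF):
    """Return (account, reason) findings for the checks the text describes."""
    findings = []
    for a in accounts:
        sam = a["sam"]
        if is_privileged(a):
            if a["uac"] & ACCOUNTDISABLE:
                findings.append((sam, "disabled account still in privileged group"))
            reviewed = last_review.get(sam)
            if reviewed is None:
                findings.append((sam, "privileged access never reviewed"))
            elif (as_of - reviewed).days > REVIEW_MAX_DAYS:
                findings.append((sam, f"privileged access review older than {REVIEW_MAX_DAYS} days"))
        if is_service_account(a):
            age = (as_of - a["pwdLastSet"]).days
            if age > ROTATION_MAX_DAYS:
                findings.append((sam, f"service account password not rotated for {age} days"))
    return findings

if __name__ == "__main__":
    for sam, reason in assess(ACCOUNTS, LAST_REVIEW):
        print(f"{sam}: {reason}")
```

Two things in this output are the ones auditors pick up first: a disabled account that is still a member of a privileged group (membership was never cleaned up, so the review is not working), and a service account with a non-expiring password that has not been set in years. The service-account heuristic is deliberately loose; a real assessment cross-references the accounts the financial application servers actually run services under.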

The Post-Acquisition Integration Timeline

If the target has significant ITGC gaps, the integration timeline for SOX compliance looks like this:

Months 1-3: Document all existing controls. Identify gaps vs. the SOX control framework. Engage external auditors for a pre-assessment.

Months 4-6: Remediate critical gaps — particularly access control deficiencies, which are the most common and most severe. Implement a centralized credential management solution for service accounts.

Months 7-12: Implement formal change management processes. Document the IT organization structure (who has what role, who approves what). Begin user access review cycles.

Months 13-18: First full ITGC audit with external auditors. The company needs to be audit-ready for the next fiscal year-end.

The integration timeline for a company with significant ITGC gaps is typically 18-24 months from close. This is the period during which the company is operating under increased SOX risk — and the acquirer bears that risk.

The Reps and Warranties Angle

For a private equity acquirer who plans to take the company public within 3-5 years (or who holds portfolio companies that will eventually need SOX compliance as public subsidiaries), the state of the target’s ITGCs is a material representation about its financial reporting infrastructure, and the ITGC gap assessment is how that representation gets tested before close.

If SOX gaps are identified during due diligence, the deal model should include a remediation reserve. Standard practice is to hold 1-2% of deal consideration in escrow to cover SOX remediation costs if the gaps are more significant than represented.

If the target represents “IT controls are in place and operating effectively” and the ITGC assessment shows they are not, this is a breach of reps and warranties — and the acquirer has a claim.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.