IAM Maturity Assessment for SOX
Section 404 of the US Sarbanes-Oxley Act requires management to assess internal control over financial reporting. Auditors evaluate IT general controls, where access management is a core control family: who can reach financial systems, how access is granted, reviewed, separated, and evidenced.
- Maturity threshold
- 2.0 / 4.0
- Mapped questions
- 10
- IAM domains
- 4
- Assessment scope
- Workforce
What SOX Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to SOX citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Identity lifecycle management (joiner, mover, leaver) with documented access requests, approvals, and periodic recertification
- Role-based access modeling, entitlement classification, and segregation of duties over financial systems
- Protection of administrative credentials and recorded privileged sessions as audit evidence
- Clear ownership and accountability for identity data
AXIS Questions Mapped to SOX
10 of the 37 questions in the AXIS bank carry SOX citations, including 4 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | SOX references |
|---|---|---|---|
| IGA-01 Domino | IGA | Lifecycle Management (Joiner / Mover / Leaver) | SOX 404; SOX Separation of Duties |
| IGA-02 | IGA | Access Requests & Approvals | SOX Access Control Expectations |
| IGA-03 | IGA | Access Reviews & Recertification | SOX 404 |
| IGA-04 | IGA | Role-Based Access Control (RBAC) & Access Modeling | SOX Separation of Duties |
| IGA-05 | IGA | Entitlement Discovery and Classification | SOX 404; SOX Least Privilege |
| IGA-06 | IGA | Segregation of Duties (SoD) | SOX 404; SOX ITGC; SOX Compensating Controls |
| PAM-01 Domino | PAM | Admin Credential Protection | SOX (access control evidence) |
| PAM-05 | PAM | Session Management and Recording | SOX ITGC |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | SOX 404 (authentication controls) |
| GOV-01 Domino | Governance | Identity Data Ownership | SOX (Management Responsibility) |
How AXIS Scores SOX Alignment
A threshold model: each mapped control either meets the SOX maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.0 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For SOX, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for SOX in a given assessment reflects the answers selected. The table above lists every question whose answer options carry SOX citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
SOX is scored in the workforce and full assessment scopes, where its mapped controls are assessed.
It is shown when the assessed organization operates in: Financial Services. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to Sarbanes-Oxley Act Section 404 (SOX). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how SOX applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against SOX
Run the AXIS assessment and get your maturity score, SOX alignment, and a prioritized roadmap in one pass. No signup required to start.