Compliance Guide

SOX Compliance and Employee Monitoring: How to Satisfy Sarbanes-Oxley Audit Trail Requirements

Employee monitoring SOX compliance is the practice of configuring workforce activity logging to satisfy the IT General Controls (ITGC) requirements that Sarbanes-Oxley imposes on public companies and their subsidiaries. The Sarbanes-Oxley Act of 2002 (Public Law 107-204) requires management to assess internal controls over financial reporting every year under Section 404, and PCAOB-registered auditors test whether those controls work. Employee access logs, behavioral anomaly records, privileged account activity data, and separation-of-duties evidence generated by monitoring platforms are the documentary foundation those auditors examine. This guide covers which SOX sections require monitoring data, what IT General Controls auditors test under PCAOB AS 2201, how the COSO and COBIT 5 frameworks map to monitoring activity, and how to configure eMonitor for a 7-year-compliant audit trail.


[Figure: eMonitor SOX compliance dashboard showing audit trail logs, access records, and ITGC control evidence for Sarbanes-Oxley audits]

What Is the Sarbanes-Oxley Act and Who Does It Apply To?

The Sarbanes-Oxley Act is a federal law enacted in July 2002 in response to the Enron and WorldCom accounting scandals that destroyed billions in shareholder value. Congress designed SOX to restore investor confidence by imposing strict accountability on corporate financial reporting, executive certification of accounts, internal control assessment, and auditor independence. The law is enforced by the Securities and Exchange Commission (SEC) and auditor oversight sits with the Public Company Accounting Oversight Board (PCAOB).

SOX compliance applies directly to all companies whose securities are registered under Section 12 of the Securities Exchange Act of 1934, including every domestic company listed on the NYSE, NASDAQ, or other U.S. exchanges. Foreign private issuers that file with the SEC are also subject to SOX, as are wholly-owned subsidiaries of public companies when those subsidiaries' financial results are consolidated into a parent's SEC filing. A subsidiary that processes payroll data, manages accounts payable, or operates an ERP system that feeds into the parent's financial statements is within scope.

Contractors and third-party service providers that handle financial records on behalf of a public company face SOX scrutiny through the parent's vendor management program. A managed service provider that administers a public company's accounting software, for example, is subject to SOX IT control testing as a service organization under PCAOB AS 2601 (Consideration of a Service Organization). According to the SEC's 2023 SOX compliance report, approximately 6,000 companies file annual internal control assessments under Section 404 each year (SEC Annual Report on EDGAR Filers, 2023).

The monitoring obligation is not phrased as "you must deploy employee monitoring software." SOX requires documented evidence that internal controls over financial reporting are designed correctly and operating effectively. IT General Controls are internal controls. And the most defensible way to demonstrate that ITGC controls operate is to produce logs generated by systems that capture access and activity in real time — meeting the audit trail requirements that PCAOB auditors expect — not after-the-fact reconstructions assembled when an auditor requests evidence.

The Four SOX Sections That Directly Require Employee Activity Evidence

SOX contains 11 titles and 66 sections, but four sections create direct obligations that employee monitoring activity data satisfies. Understanding exactly what each section requires tells you which monitoring records to generate, retain, and format for auditor review.

Section 302: CEO and CFO Certification of Financial Controls

SOX Section 302 requires the principal executive officer and principal financial officer of every SEC reporting company to personally certify, in each quarterly and annual filing, that disclosure controls and procedures are effective. The certification is not ceremonial. Executives who certify knowing the statement is false face criminal penalties of up to $5 million in fines and 20 years in prison under Section 906 (18 U.S.C. 1350).

The certification requires executives to attest that they have reviewed the report, the report does not contain untrue statements, the financial statements fairly present the company's financial condition, and disclosure controls are effective. That last attestation is where monitoring data enters the picture. A CEO cannot credibly certify that disclosure controls are effective if the company cannot produce records showing who accessed financial reporting systems during the certification period, whether any unauthorized access occurred, and whether anomalous activity was detected and investigated.

Employee access logs from financial systems, combined with behavioral anomaly alerts that flag out-of-pattern access events, create the documented control evidence that supports a Section 302 certification. Without those records, the certification rests on assertion alone, which no competent auditor accepts as sufficient and no executive should rely on in a criminal inquiry.

Section 404: Annual Assessment of Internal Controls

SOX Section 404 is the section that drives the most IT control work. Section 404(a) requires management to include in the annual report an assessment of the effectiveness of internal controls over financial reporting (ICFR). Section 404(b) requires the external auditor to independently attest to management's assessment. Together, these requirements turn internal controls from a management aspiration into a documented, independently verified claim.

The PCAOB issued Auditing Standard AS 2201 (An Audit of Internal Control Over Financial Reporting) to guide external auditors. AS 2201 requires auditors to test IT General Controls as part of their ICFR audit because financial application controls depend on the reliability of the underlying IT environment. If ITGC controls are weak, auditors cannot rely on application-level controls, which can trigger a material weakness finding that must be disclosed to investors.

ITGC testing under AS 2201 covers four areas. Access controls govern who can enter, modify, or approve transactions in financial systems. Change management controls govern how software updates are made to financial applications. Computer operations controls govern how financial systems run on a day-to-day basis. Program development controls govern how new financial applications are built. Employee monitoring generates direct evidence for access control testing and operational monitoring that AS 2201 requires.

Section 802: Seven-Year Record Retention

SOX Section 802, codified at 18 U.S.C. 1519, makes it a federal crime to destroy, alter, conceal, or falsify any document with the intent to impede a federal investigation or proceeding. The section requires that audit work papers, financial records, and related documentation be retained for a minimum of 7 years. The SEC formalized this into a regulation at 17 CFR Part 210 Rule 2-06, which applies to both audit firms and their clients.

For IT General Controls documentation, the 7-year requirement covers user access logs for financial systems, privileged account activity records, system change logs, incident investigation records, and any monitoring reports that were presented to management or the audit committee. Deleting logs after 90 days or 1 year, common in organizations without a formal retention policy, creates direct SOX Section 802 exposure. The SEC brought criminal charges against Arthur Andersen in 2002 for document destruction, and the principle has not changed: if auditors can request the records, the records must be retained.

Seven years is a minimum, not a maximum. Organizations facing legal hold obligations for monitoring data or SEC investigations may need to extend retention beyond the standard period. A monitoring platform with configurable retention policies and tamper-evident log storage removes the risk of accidental or unauthorized deletion.

Section 1107: Protection Against Retaliation and Investigation Capability

SOX Section 1107, codified at 18 U.S.C. 1513(e), criminalizes retaliation against employees who report potential securities violations to law enforcement or the SEC. Any supervisor who takes adverse employment action against a whistleblower faces criminal penalties up to 10 years in prison. In civil proceedings under Section 806, employees who prove retaliation are entitled to reinstatement, back pay, and attorney fees.

The connection to employee monitoring is indirect but important. When a SOX whistleblower allegation triggers an investigation, the company must reconstruct a timeline of events to determine whether the adverse action was retaliatory. Employee activity logs create an objective, timestamped record of what happened before and after the protected disclosure. Those logs can demonstrate that a performance action was in progress before the disclosure, or conversely, that the timing points to retaliation. Without monitoring records, investigations rely on witness testimony, which is inherently reconstructed and contestable.

What Does a SOX IT Auditor Expect to See? ITGC Evidence Requirements

SOX IT auditors conducting ITGC testing under PCAOB AS 2201 arrive with a specific evidence list. Understanding that list in detail tells you exactly what your monitoring configuration must produce. The following breakdown reflects standard ITGC audit procedures at Big Four and regional public accounting firms in 2026.

[Figure: the four ITGC control domains tested by SOX auditors: access controls, change management, computer operations, and program development]

User Access Controls: Who Had Access and When

Access control testing is the highest-volume ITGC procedure in a SOX audit. Auditors request a population of all user accounts with access to financial systems (ERP, general ledger, accounts payable, treasury management, payroll). From that population, they select a sample and request evidence that access was authorized, that terminated employees were de-provisioned promptly, and that access rights match job responsibilities.

The evidence auditors want includes: access provisioning request forms or system tickets showing who approved access, periodic access reviews (typically quarterly or semi-annual) showing management confirmed each user still needs their access, and termination reports showing that access was removed within the company's defined SLA (typically 24 hours for critical financial systems). Employee monitoring platforms that log every access event to designated financial applications create the underlying activity record that demonstrates these controls are operating, not just documented on paper.

Privileged Access Monitoring: Elevated Accounts Require Tighter Logging

Privileged accounts, including system administrators, database administrators, and shared service accounts, present the highest fraud and error risk in financial systems — see insider risk quantification research for the financial impact — because they can bypass application controls. PCAOB auditors test privileged access separately from standard user access and apply stricter scrutiny. The control objective is to ensure that privileged access is tightly restricted, all privileged activity is logged, and logs are reviewed by someone independent of the administrators being monitored.

Monitoring evidence for privileged access includes logs of administrator logins to financial systems, records of commands or transactions executed under privileged credentials, alerts triggered when privileged accounts perform unusual activity outside normal business hours, and documented reviews of those logs by a supervisor or internal audit team member. The PCAOB's Staff Guidance on Evaluating IT General Controls (2016) specifically notes that organizations should monitor privileged access continuously, not just at month-end or audit time.

Change Management: Evidence That Financial Systems Were Modified Properly

Change management testing covers the process by which modifications are made to financial applications, databases, and infrastructure. Auditors test whether changes were authorized before implementation, tested in a non-production environment, approved by the business owner, and implemented by someone other than the developer. The control objective is to prevent unauthorized or untested code from entering financial systems.

Monitoring data supports change management testing by providing before-and-after records of system configuration. Access logs showing that developers did not have production access during the change period, combined with records of who deployed the change and when, give auditors the population they need to test completeness and authorization. File monitoring that tracks modifications to configuration files in financial application directories is particularly useful for demonstrating that changes followed the approved change ticket.

Separation of Duties: Detecting Conflicting Access

Separation of duties (SoD) conflicts arise when one employee has system access permissions that allow them to both initiate and approve a financial transaction, or both create a vendor and authorize payment to that vendor. SOX auditors test SoD by running conflict matrix analyses against the user access population. When conflicts exist, they request compensating controls: evidence that someone independent reviewed the conflicting transactions during the audit period.

Employee activity monitoring contributes to SoD evidence by producing timestamped logs of who accessed what systems, which enables forensic reconstruction if an SoD conflict is flagged. More proactively, monitoring platforms can be configured to alert when an employee exercises access in both roles of a known SoD conflict pair, enabling management to investigate in real time rather than waiting for an audit finding.

How eMonitor Satisfies SOX ITGC Requirements

eMonitor generates the specific evidence types that SOX ITGC audits require. The following table maps each SOX control area to what auditors examine, the eMonitor feature that produces the evidence, and the format that evidence takes when presented to an auditor.

SOX Control Area: User Access Logging
  What the auditor tests: Which users accessed financial applications, at what times, and for how long during the audit period
  eMonitor feature: App and website usage analytics with time-spent breakdowns
  Evidence generated: Timestamped access logs by user, application, and session duration — exportable in CSV, XLSX, or PDF

SOX Control Area: Privileged Access Monitoring
  What the auditor tests: Whether administrator and elevated accounts were monitored independently; logs of privileged activity reviewed by a second party
  eMonitor feature: Role-based access control with activity monitoring per user role; real-time alerts for anomalous activity
  Evidence generated: Per-user activity logs with role designation; alert history showing privileged account anomalies detected and reviewed

SOX Control Area: Access After Hours
  What the auditor tests: Whether employees accessed financial systems outside normal business hours without documented authorization
  eMonitor feature: Behavioral anomaly alerts; activity timeline view with hour-by-hour breakdown
  Evidence generated: Flagged access events outside defined working hours; alert logs with timestamps and responding manager acknowledgment

SOX Control Area: Separation of Duties
  What the auditor tests: Whether any employee exercised conflicting access roles; compensating control evidence for identified SoD conflicts
  eMonitor feature: App usage logs with role-level filtering; concurrent session detection
  Evidence generated: Activity records showing which applications each employee accessed, enabling SoD conflict analysis by the auditor or internal audit team

SOX Control Area: Data Exfiltration Detection
  What the auditor tests: Whether unauthorized data transfers from financial systems were detected and investigated
  eMonitor feature: DLP module: USB monitoring, upload/download violation alerts, file activity tracking
  Evidence generated: Violation log with domain, timestamp, file path, and employee identity; USB insertion events with device serial numbers

SOX Control Area: Change Management Support
  What the auditor tests: Whether unauthorized modifications to financial application configurations were detectable
  eMonitor feature: File monitoring: creation, modification, deletion with paths and timestamps
  Evidence generated: File event log showing who modified configuration files, when, and on which device — corroborates or contradicts change ticket records

SOX Control Area: Termination De-Provisioning
  What the auditor tests: Whether access was removed promptly when employees left; no activity after termination date
  eMonitor feature: Real-time activity monitoring; automated reporting on user last-active timestamps
  Evidence generated: Last-active date per user; zero-activity confirmation for terminated accounts during the audit period

SOX Control Area: Section 802 Log Retention
  What the auditor tests: Whether activity logs from the audit period and the prior 7 years are available and unaltered
  eMonitor feature: Configurable data retention with tamper-evident encrypted log storage
  Evidence generated: 7-year archived logs in role-controlled storage; audit trail of any administrative access to archived records

The table above covers the core ITGC evidence categories. But the value of monitoring data in a SOX audit extends beyond simply producing logs. Auditors look for evidence that the logs were reviewed during the year, not just generated. eMonitor's alert acknowledgment records, daily activity summaries sent to managers, and exportable compliance reports document that management performed ongoing monitoring, satisfying the AS 2201 requirement that controls operate continuously rather than only at period-end.


How to Configure eMonitor for SOX-Compliant 7-Year Log Retention

Seven-year log retention under SOX Section 802 is not simply a storage question. The logs must be complete, unaltered, accessible on auditor request, and stored in a format that preserves evidentiary integrity. Configuring eMonitor for SOX retention involves four steps that address each of these requirements.

Step 1: Define Financial System Applications as Monitored Entities

The first configuration step is to designate all financial applications (ERP systems, general ledger software, accounts payable platforms, treasury management, payroll processors) as monitored application categories in eMonitor. This ensures that every login session, active usage period, and background access event for those applications is captured in the activity log regardless of what else the user does on their workstation.

Using eMonitor's productivity classification engine, label financial system applications as a distinct category (for example, "Financial Systems — SOX Scope"). This classification flag attaches to every log entry for those applications, making it straightforward to filter the complete population of financial system access events when an auditor requests the evidence set.

Step 2: Set the Data Retention Policy to 7 Years Minimum

eMonitor's data retention settings allow administrators to define the retention period for activity logs, DLP violation records, alert histories, and screenshot archives independently. For SOX compliance, set the retention period for application usage logs and DLP records to a minimum of 84 months (7 years). Set alert and anomaly records to the same period.

Screenshot retention for SOX purposes requires judgment. Screenshots of financial application screens constitute audit evidence if they capture specific transaction or configuration states. Screenshots of general productivity activity are not required by SOX and can be retained on a shorter schedule. Separating these retention policies by application category (financial systems versus general productivity) provides both SOX compliance and proportional data management.

Step 3: Enable Tamper-Evident Storage and Role-Based Log Access

SOX Section 802 makes it a criminal offense to alter or destroy records with intent to impede an investigation. The monitoring platform must prevent unauthorized modification of historical logs. eMonitor uses encrypted, secure storage for all recorded activity data. Role-based access control limits who can view, export, or administer archived logs.

For SOX compliance, configure log access so that the individuals whose activity is being monitored do not have the ability to modify or delete their own records. Restrict archive access to a designated compliance administrator role and log every administrative access to archived records. That access log itself becomes part of the tamper-evidence chain auditors expect to see.
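The following is an added illustration of the tamper-evidence chain this step describes, not eMonitor's own storage code: each archived record carries the hash of its predecessor, every administrative read of the archive is appended to the same chain, and verification reports altered, deleted, or re-chained records. The record fields, the administrator name, and the use of SHA-256 are assumptions for the example.

```python
"""Hash-chained, access-logged archive for monitoring records (added example).

Editing, inserting, or deleting a historical record breaks the chain, and
every administrative read is itself appended to the chain. A chain alone is
tamper-evident, not tamper-proof: the head hash must also be recorded with a
party independent of the archive administrators so that a complete rebuild of
the chain without one record is detectable too.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # predecessor hash of the very first entry


def entry_digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


@dataclass
class ArchiveEntry:
    seq: int
    record: dict
    prev_hash: str
    entry_hash: str


@dataclass
class LogArchive:
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> ArchiveEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = ArchiveEntry(len(self.entries), dict(record), prev,
                             entry_digest(prev, record))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Value to deposit with the independent compliance role (assumed
        control) after each archive run; see verify(expected_head=...)."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def read(self, seq: int, admin: str, reason: str) -> dict:
        """Return an archived record; the access itself joins the chain."""
        record = dict(self.entries[seq].record)
        self.append({"event": "archive_access", "by": admin,
                     "target_seq": seq, "reason": reason})
        return record

    def verify(self, expected_head: Optional[str] = None) -> list:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i:
                problems.append(f"seq gap at {i}")          # deletion/insertion
            if e.prev_hash != prev:
                problems.append(f"broken link at {i}")      # neighbour changed
            if entry_digest(e.prev_hash, e.record) != e.entry_hash:
                problems.append(f"altered record at {i}")   # content edited
            prev = e.entry_hash
        if expected_head is not None and self.head_hash() != expected_head:
            problems.append("head mismatch: chain rebuilt or truncated")
        return problems
```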

Step 4: Configure Periodic Compliance Reports for Management Review

Generating logs is only half of the ITGC requirement. SOX auditors test whether management reviewed those logs during the year. Configure eMonitor to generate weekly or monthly access summary reports for designated financial system applications and route those reports to the compliance officer or internal audit team. Maintain records of report delivery and acknowledgment. Those distribution records demonstrate that monitoring was an active control, not a passive log collection exercise.

For privileged account monitoring, configure real-time alerts to trigger when any user designated as a privileged account (database administrator, system administrator, finance application administrator) accesses financial systems outside normal business hours or performs high-risk operations. Route those alerts to the CISO or internal audit and document the investigation and resolution for each alert. The alert-investigation-resolution cycle creates the continuous monitoring evidence AS 2201 requires.

COSO and COBIT 5 Framework Alignment with Employee Monitoring

SOX audit firms do not evaluate internal controls in a vacuum. They apply established frameworks to determine whether a control environment is well-designed. Understanding how COSO and COBIT 5 map to employee monitoring activity tells you which monitoring outputs align directly to the criteria auditors use when scoring your ITGC environment.

COSO Internal Control Integrated Framework: The Five Components

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control Integrated Framework in 1992 and revised it in 2013; it is the standard that management references in Section 404 assessments. COSO defines internal control as a process with five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.

Employee monitoring maps most directly to the Monitoring Activities component, which requires "ongoing evaluations, separate evaluations, or some combination of the two" to ascertain whether each of the five components of internal control is present and functioning (COSO 2013, Principle 16). Ongoing evaluation under COSO means continuous or near-continuous monitoring, not annual point-in-time testing. A platform that generates real-time alerts when financial system access deviates from established patterns is an ongoing evaluation control. A quarterly access review without continuous activity logging is a separate evaluation control, which COSO treats as a weaker form.

COSO Principle 11 under Control Activities requires that the entity "selects and develops general control activities over technology." The five criteria for that principle include restricting technology access to authorized users, managing changes to technology, and implementing relevant monitoring activities. Employee access monitoring and DLP controls contribute directly to satisfying Principle 11 criteria 11.3 (restricting technology access) and 11.4 (managing changes).

COBIT 5: The IT Governance Framework Auditors Use

COBIT 5, published by ISACA, provides the detailed IT process model that audit firms use to map ITGC controls to specific IT activities. COBIT 5 organizes IT governance into 37 processes across five domains. Two processes are directly relevant to employee monitoring in a SOX context.

DSS05 (Manage Security Services) covers the identification and classification of information assets, access management, monitoring of security events, and incident management. Employee monitoring activity logs contribute to DSS05.05 (Manage physical and logical access to IT assets) and DSS05.07 (Monitor the infrastructure for security events). DSS05 testing by a SOX auditor typically involves reviewing whether access policies exist, whether access is provisioned and de-provisioned consistently, and whether security events are detected, logged, and investigated.

MEA02 (Monitor, Evaluate and Assess the System of Internal Controls) covers the ongoing assessment of whether internal controls operate as designed. COBIT 5 MEA02.04 (Identify and report control deficiencies) maps directly to the requirement that management detect and escalate control failures. Monitoring platforms that generate automated alerts for access anomalies, DLP violations, and out-of-hours activity implement the continuous detection capability MEA02.04 describes.

When your external auditors reference COBIT 5 in their ITGC scoping document (as Big Four firms routinely do), the mapping between eMonitor's outputs and DSS05/MEA02 processes allows your IT team to speak the auditor's language precisely, reducing sample expansion and control deficiency findings.

What a SOX IT Audit Looks Like for Employee Monitoring Evidence

The SOX ITGC audit follows a predictable sequence. Understanding each stage tells you which monitoring outputs to prepare before auditors arrive and how to respond to evidence requests efficiently.

[Figure: timeline of the four stages of a SOX IT General Controls audit: scoping, walkthroughs, testing, and reporting]

Stage 1: Scoping (60-90 Days Before Audit Period Close)

The external auditor's IT team meets with the company's IT and internal audit leaders to scope which applications and systems are "in scope" for ITGC testing. Any system that feeds financial data into the general ledger, generates financial transactions, or produces information used in financial reporting is a candidate for in-scope designation. The monitoring platform used to oversee access to those systems is itself reviewed as a monitoring control.

At this stage, the auditor documents which ITGC control areas they will test, what evidence they expect, and the preliminary sample sizes they plan to draw. Companies with well-documented monitoring configurations and pre-prepared evidence templates significantly reduce the evidence-gathering burden in subsequent stages.

Stage 2: Walkthrough Procedures

Auditors conduct a walkthrough of each ITGC control by tracing a single transaction or access event through the entire control process. For access control walkthroughs, the auditor selects one user access request from the audit period, traces the provisioning request through to system access, and verifies that the access appears in the monitoring log. This confirms that the described control is the control that actually operates.

For monitoring platforms, the walkthrough involves the auditor observing the platform in operation: reviewing where logs are stored, how alerts are generated and routed, who receives compliance reports, and how long records are retained. Having a documented configuration guide and demonstrating that retention settings match the stated policy eliminates qualification findings at the walkthrough stage.

Stage 3: Control Testing

Auditors draw a statistically determined sample from the population of access events, change management tickets, and privileged account logins during the audit period. For access controls, a typical sample size for a 12-month period is 25 items for a lower-risk population or 40-60 items for a higher-risk population (following PCAOB AS 2315 guidance on sample sizes).

For each sample item, the auditor requests evidence that the specific control attribute operated: that the access was authorized, that the alert was investigated, that the change was tested before deployment. eMonitor's audit export function generates per-user, per-application, and per-alert evidence packages that directly map to sample requests, eliminating the manual evidence-gathering process that consumes internal IT audit resources during fieldwork.

Stage 4: Findings, Deficiencies, and Remediation

If auditors identify evidence that a control did not operate as described, they classify the finding as a deficiency, significant deficiency, or material weakness depending on severity. A material weakness requires public disclosure in the Section 404(b) attestation report. A single material weakness in ITGC can trigger a qualified audit opinion, which damages investor confidence and stock price.

The most common ITGC finding related to access monitoring is "no evidence of management review of access logs" or "access to financial systems by terminated employees." Both findings are preventable through consistent monitoring configuration and documented review procedures. Organizations that implement continuous monitoring and demonstrate quarterly management review of access reports rarely receive access control deficiency findings.

eMonitor SOX Compliance Implementation Guide

Configuring eMonitor for SOX compliance involves five implementation areas. The following guide covers each area in the order that produces audit-ready evidence most efficiently.

1. Application Scope Definition

Begin by creating a list of all financial applications in scope for SOX ITGC testing. Work with your CFO, controller, and IT team to identify every system that: feeds data to the general ledger, processes payroll, handles accounts payable or receivable, manages treasury or banking interfaces, or produces information that appears in SEC filings. Add every application on that list to eMonitor's monitored application catalog and tag each one with the "SOX-Scope" classification label.

This step ensures that the activity log contains complete coverage of all in-scope financial system access from the moment monitoring is deployed. Gaps in application coverage are a common audit finding. A well-scoped application list eliminates coverage gaps before the auditor tests completeness.

2. User Role Configuration for Financial System Monitors

Create a dedicated eMonitor user role for financial system oversight. Assign this role to the compliance officer, internal audit lead, and CISO. This role receives all alerts related to SOX-scope application access. Configure the role to receive: after-hours access alerts for financial system users, DLP violation alerts for financial application data, anomaly alerts when access deviates from an employee's historical access pattern, and weekly compliance summary reports for all SOX-scope applications.

The oversight role must be separate from the IT administration role. If the same person who administers eMonitor also receives and acknowledges all financial system alerts, auditors will note a control deficiency because the administrator could theoretically suppress alerts about their own activity. Maintain separation between the eMonitor administrator and the compliance reporting recipients.

3. DLP Configuration for Financial Records

Configure eMonitor's Data Loss Prevention module to monitor USB device activity and file transfer activity on devices that have access to financial applications. Set alert thresholds for: any USB device insertion on workstations used by finance team members, uploads of files with financial application naming conventions to personal cloud storage domains, and download events from financial applications above a defined file size threshold.

DLP logs are particularly valuable in SOX audits because they demonstrate that the company has detective controls in place for data exfiltration from financial systems. Section 404 material weakness findings have resulted from auditors identifying that no DLP controls existed over financial data (PCAOB Inspection Reports, 2022 and 2023 cycles). Having DLP violation logs for the audit period, even if no violations occurred, demonstrates that the control was operating.

4. Alert Documentation and Investigation Workflow

Every alert generated by eMonitor for SOX-scope applications must have a documented investigation outcome. When eMonitor flags an after-hours access event or an anomalous behavioral pattern, the receiving compliance officer must acknowledge the alert, record their investigation conclusion (for example: "reviewed with employee — legitimate access for month-end close"), and close the alert. That acknowledgment record becomes audit evidence that the monitoring control operated with human review, not just automated generation.

Establish a written procedure for alert investigation turnaround times. A standard target is: high-risk alerts (DLP violation, privileged access outside business hours) within 24 hours; medium-risk alerts (after-hours access by standard users, access to non-standard financial applications) within 72 hours; low-risk alerts (extended session durations, productivity deviation) within 5 business days. Document the procedure and train the responsible personnel. Auditors test compliance with the stated procedure, so realistic targets matter more than ambitious ones.

5. Retention Verification and Annual Audit Readiness Review

Ninety days before your annual SOX audit period close, conduct an internal review of eMonitor retention settings to confirm that 7-year retention is active for all SOX-scope application logs. Export a sample of logs from the oldest available archive period and verify that the records are complete and readable. Document this review in writing and retain it as evidence of management oversight of the retention control.

Prepare a pre-audit evidence package containing: a complete user list with SOX-scope application access roles for the period, a summary of alerts generated and their disposition, the DLP violation log for the period, and the configuration documentation showing retention settings, alert thresholds, and oversight role assignments. Providing this package proactively at audit kickoff positions the ITGC audit as a verification exercise rather than an investigation, materially reducing audit fieldwork hours.
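The alert investigation workflow in step 4 and the "alerts generated and their disposition" summary in step 5 can be checked mechanically once alerts are exported. The following is an added example, not eMonitor code: it assumes an exported list of alert records with constructed field names (`id`, `risk`, `created`, `closed`, `disposition`), applies the 24-hour, 72-hour and 5-business-day targets stated above, and flags the two exceptions an auditor will look for, alerts closed late or still overdue, and alerts closed without a recorded investigation conclusion.

```python
from collections import Counter
from datetime import datetime, timedelta

# Turnaround targets from the written investigation procedure (step 4).
# Low-risk alerts are measured in business days and handled separately.
SLA_HOURS = {"high": 24, "medium": 72}
LOW_RISK_BUSINESS_DAYS = 5

# Constructed sample export. Field names are assumptions for this example,
# not eMonitor's schema; timestamps are naive UTC ISO-8601.
SAMPLE_ALERTS = [
    {"id": "A-1001", "risk": "high", "type": "dlp_violation",
     "created": "2025-03-03T22:15:00", "closed": "2025-03-04T09:00:00",
     "disposition": "Encrypted corporate USB drive; reviewed with finance lead"},
    {"id": "A-1002", "risk": "high", "type": "privileged_after_hours",
     "created": "2025-03-03T22:15:00", "closed": "2025-03-05T10:00:00",
     "disposition": "ERP admin patch window under approved change ticket"},
    {"id": "A-1003", "risk": "medium", "type": "after_hours_access",
     "created": "2025-03-05T08:00:00", "closed": "2025-03-07T12:00:00",
     "disposition": ""},
    {"id": "A-1004", "risk": "low", "type": "extended_session",
     "created": "2025-03-06T15:00:00", "closed": None, "disposition": ""},
    {"id": "A-1005", "risk": "low", "type": "productivity_deviation",
     "created": "2025-03-12T09:00:00", "closed": None, "disposition": ""},
]
# Point in time at which the review is run (constructed).
AS_OF = datetime.fromisoformat("2025-03-14T09:00:00")


def add_business_days(start: datetime, days: int) -> datetime:
    """Return the timestamp `days` business days (Mon-Fri) after `start`."""
    deadline = start
    remaining = days
    while remaining > 0:
        deadline += timedelta(days=1)
        if deadline.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return deadline


def deadline_for(alert: dict) -> datetime:
    """Investigation deadline implied by the alert's risk tier."""
    created = datetime.fromisoformat(alert["created"])
    if alert["risk"] == "low":
        return add_business_days(created, LOW_RISK_BUSINESS_DAYS)
    return created + timedelta(hours=SLA_HOURS[alert["risk"]])


def evaluate_alert(alert: dict, now: datetime) -> dict:
    """Classify one alert against its deadline and the disposition rule."""
    deadline = deadline_for(alert)
    closed = datetime.fromisoformat(alert["closed"]) if alert["closed"] else None
    if closed is not None:
        status = "closed_in_sla" if closed <= deadline else "closed_late"
    else:
        status = "open_overdue" if now > deadline else "open"
    # A closed alert without a recorded conclusion is not evidence of human
    # review, so it is flagged even when it was closed on time.
    missing_disposition = closed is not None and not alert["disposition"].strip()
    return {"id": alert["id"], "risk": alert["risk"], "status": status,
            "deadline": deadline.isoformat(),
            "missing_disposition": missing_disposition}


def evaluate_alerts(alerts: list, now: datetime) -> list:
    return [evaluate_alert(a, now) for a in alerts]


def disposition_summary(results: list) -> dict:
    """Counts by status plus the exception lists the pre-audit package needs."""
    return {
        "by_status": dict(Counter(r["status"] for r in results)),
        "late_or_overdue": sorted(r["id"] for r in results
                                  if r["status"] in ("closed_late", "open_overdue")),
        "missing_disposition": sorted(r["id"] for r in results
                                      if r["missing_disposition"]),
    }


if __name__ == "__main__":
    print(disposition_summary(evaluate_alerts(SAMPLE_ALERTS, AS_OF)))
```

Run against the constructed export, the summary shows one high-risk alert closed late, one low-risk alert overdue, and one medium-risk alert closed on time but with an empty disposition; each of those is a finding the compliance officer should clear before the evidence package goes to the auditor.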

Why Private Companies Are Adopting SOX-Style Monitoring in 2026

SOX applies directly to public companies, but the monitoring practices SOX requires have migrated into the private company sector for three interconnected reasons: investor requirements, acquisition due diligence, and customer compliance mandates.

Private equity-backed companies face investor expectations that mirror SOX requirements. General partners at PE firms that acquired public companies before taking them private often carry institutional SOX muscle memory and impose SOX-equivalent ITGC requirements on portfolio companies as a matter of governance discipline. According to a 2024 survey by Deloitte, 62% of PE-backed private companies reported implementing SOX-equivalent internal control frameworks in the two years before an anticipated exit (Deloitte Private Equity Survey, 2024).

Companies preparing for an IPO face SOX compliance from the moment they file an S-1 registration statement. The SEC requires SOX 404(a) compliance in the first annual report after a company becomes public, and the practical reality is that building a documentation and monitoring infrastructure from scratch in the same year as going public creates material weakness risk. Companies with well-configured monitoring and documented ITGC programs in place 12-18 months before IPO are substantially better positioned for their first SOX audit.

Enterprise customer contracts increasingly include SOX-derived IT control requirements through vendor security questionnaires and third-party audit obligations. A private company that sells software or services to a Fortune 500 public company may be required to demonstrate SOX-aligned access controls and audit trails as a condition of the contract. Implementing monitoring that produces that evidence serves both the vendor relationship and the company's own eventual compliance obligations.

Frequently Asked Questions: SOX Compliance and Employee Monitoring

Does SOX require employee monitoring?

SOX does not explicitly mandate employee monitoring software, but Sarbanes-Oxley Section 404 requires management to assess and document internal controls over financial reporting. IT General Controls (ITGC), including user access logs, privileged access monitoring, and separation of duties records, are internal controls. Employee monitoring generates the audit trail evidence PCAOB-registered auditors require to validate those controls each year.

What is the 7-year record retention requirement under SOX?

SOX Section 802, codified at 18 U.S.C. 1519, requires companies to retain audit work papers, financial records, and related documentation for a minimum of 7 years. This 7-year standard applies to IT access logs, system activity records, and monitoring evidence that auditors rely on to test IT General Controls. Companies that delete logs before 7 years risk obstruction charges under federal law.

What are IT General Controls under SOX?

IT General Controls (ITGC) are the foundational technology controls that support the reliability of financial application controls under SOX. PCAOB Auditing Standard AS 2201 requires auditors to test four ITGC domains: access controls (who can enter financial systems), change management (how systems are modified), computer operations (how systems run), and program development (how applications are built and tested). Monitoring logs document evidence for all four domains.

How does SOX Section 302 relate to employee monitoring?

SOX Section 302 requires CEOs and CFOs to personally certify the accuracy of financial reports and attest that disclosure controls are effective. That certification is defensible only when executives can demonstrate who accessed financial systems, when access occurred, and whether any anomalous activity was detected and investigated. Employee monitoring activity logs provide the documented chain of evidence that supports a Section 302 certification.

How does SOX Section 404 relate to employee activity logs?

SOX Section 404 requires management to assess internal controls over financial reporting and external auditors to attest to that assessment. ITGC testing by PCAOB auditors involves reviewing user access logs, privileged account activity, and system change records. Employee monitoring platforms that capture timestamped access logs, behavioral anomaly alerts, and role-based access records provide the documented control evidence required for a clean Section 404 opinion.

What does a SOX IT audit look for in employee monitoring evidence?

SOX IT auditors under PCAOB AS 2201 test whether logical access controls over financial systems are operating effectively. Auditors request user access lists for financial applications, logs of privileged account usage, records of access provisioning and de-provisioning, anomaly alerts triggered during the audit period, and evidence that separation of duties is enforced. eMonitor generates all of these records in exportable formats aligned with auditor expectations.

What is separation of duties monitoring under SOX?

Separation of duties (SoD) under SOX means that no single employee has end-to-end control over a financial transaction without a second reviewer. Monitoring enforces SoD by recording which users accessed which financial applications at what times, making it detectable when one individual performs multiple conflicting roles. Activity logs showing concurrent or overlapping access across restricted financial system roles are a key piece of ITGC audit evidence.
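The detection described in this answer, finding one person who exercised two conflicting financial roles in the period and whether the sessions actually overlapped, as an added example that is not eMonitor code. The conflict matrix, user names, application names and session-record fields are constructed for illustration; a real matrix comes from the finance control owner.

```python
from datetime import datetime

# Conflicting role pairs: no single user should hold both in the period.
# Constructed for this example; the real ruleset is the control owner's.
SOD_CONFLICTS = {
    frozenset({"AP_VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE"}),
    frozenset({"GL_JOURNAL_CREATE", "GL_JOURNAL_POST"}),
    frozenset({"PAYROLL_EDIT", "PAYROLL_APPROVE"}),
}

# Constructed session records, one per application session. Field names,
# users, applications and roles are assumptions for this example.
SAMPLE_SESSIONS = [
    {"user": "jdoe",   "app": "ERP-AP",      "role": "AP_VENDOR_MAINTAIN",
     "start": "2025-02-10T09:00:00", "end": "2025-02-10T11:30:00"},
    {"user": "jdoe",   "app": "ERP-AP",      "role": "AP_PAYMENT_APPROVE",
     "start": "2025-02-10T11:00:00", "end": "2025-02-10T12:00:00"},
    {"user": "jdoe",   "app": "ERP-GL",      "role": "GL_JOURNAL_CREATE",
     "start": "2025-02-12T14:00:00", "end": "2025-02-12T15:00:00"},
    {"user": "asmith", "app": "ERP-GL",      "role": "GL_JOURNAL_CREATE",
     "start": "2025-02-11T09:00:00", "end": "2025-02-11T10:00:00"},
    {"user": "asmith", "app": "ERP-GL",      "role": "GL_JOURNAL_POST",
     "start": "2025-02-25T14:00:00", "end": "2025-02-25T15:00:00"},
    {"user": "bwong",  "app": "Payroll-HCM", "role": "PAYROLL_EDIT",
     "start": "2025-02-14T08:00:00", "end": "2025-02-14T17:00:00"},
    {"user": "mlee",   "app": "Payroll-HCM", "role": "PAYROLL_APPROVE",
     "start": "2025-02-14T16:00:00", "end": "2025-02-14T16:30:00"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _overlaps(a: dict, b: dict) -> bool:
    """True when two sessions share any instant in time."""
    return _ts(a["start"]) < _ts(b["end"]) and _ts(b["start"]) < _ts(a["end"])


def sessions_by_user(sessions: list) -> dict:
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
    return by_user


def find_sod_conflicts(sessions: list) -> list:
    """One finding per (user, conflicting role pair) observed in the period.

    `concurrent` is True when a session under one role overlapped in time
    with a session under the other, the strongest form of the evidence;
    holding both roles on different days is still a finding.
    """
    findings = []
    for user, user_sessions in sessions_by_user(sessions).items():
        roles_held = {s["role"] for s in user_sessions}
        for pair in SOD_CONFLICTS:
            if not pair <= roles_held:
                continue
            role_a, role_b = sorted(pair)
            a_sessions = [s for s in user_sessions if s["role"] == role_a]
            b_sessions = [s for s in user_sessions if s["role"] == role_b]
            concurrent = any(_overlaps(a, b) for a in a_sessions for b in b_sessions)
            findings.append({"user": user, "roles": (role_a, role_b),
                             "concurrent": concurrent,
                             "sessions": len(a_sessions) + len(b_sessions)})
    return sorted(findings, key=lambda f: (f["user"], f["roles"]))


if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_SESSIONS):
        print(f)
```

On the constructed log the check reports jdoe (vendor maintenance and payment approval, with overlapping sessions) and asmith (journal creation and posting, on separate days), and nothing for bwong and mlee, whose payroll edit and approve roles sit with two different people. Each finding still needs the compliance officer's disposition: a documented compensating review can make a finding acceptable, but the log alone cannot.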

Can employee monitoring software generate SOX audit trail evidence?

Employee monitoring software generates SOX audit trail evidence when configured to capture timestamped access logs, application usage records, and behavioral anomaly alerts for financial system users. eMonitor logs which applications employees access, how long each session lasts, and whether access patterns deviate from established baselines. These logs satisfy the user access and privileged access testing procedures under PCAOB AS 2201.

How does COSO align with SOX employee monitoring?

The COSO Internal Control Integrated Framework is the standard management and auditors use to design and evaluate internal controls under SOX Section 404. Monitoring activities map directly to the COSO Monitoring component, which requires ongoing evaluation of control performance. Employee monitoring platforms that generate real-time alerts and periodic activity reports provide the continuous monitoring evidence COSO requires to demonstrate that controls operate effectively over time.

What is COBIT 5 and how does it relate to SOX IT controls?

COBIT 5 is the IT governance framework published by ISACA that audit firms use to structure ITGC assessments under SOX. SOX auditors use COBIT 5 processes, particularly DSS05 (Manage Security Services) and MEA02 (Monitor System of Internal Controls), to evaluate whether IT General Controls are adequately designed and operating. eMonitor outputs map directly to both DSS05 (access event logging, security event monitoring) and MEA02 (automated alerts reviewed by management).

Does SOX apply to private companies?

SOX applies primarily to publicly traded companies and their subsidiaries that file with the SEC. Private companies are not directly subject to SOX unless they are a subsidiary of a public company, have issued public debt, or are preparing for an IPO. However, 62% of PE-backed private companies report implementing SOX-equivalent ITGC frameworks in the two years before an anticipated exit (Deloitte Private Equity Survey, 2024), and enterprise customer contracts increasingly require SOX-aligned access controls from vendors.

How long should companies retain employee activity logs for SOX compliance?

SOX Section 802 mandates 7-year retention for audit work papers and financial records. IT access logs used to support ITGC testing fall within this requirement because they are part of the evidence base auditors rely on. Organizations should configure monitoring platforms to retain raw access logs for a minimum of 7 years in tamper-evident storage, with at least 3 years of logs immediately accessible for annual audit requests.
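Both the annual retention review in step 5 above and the tamper-evident retention this answer calls for can be verified with a hash chain over the archived records. The following is an added example, not eMonitor's storage format: it assumes each archived record carries the SHA-256 of the preceding record (`prev_hash`) and its own digest (`hash`), and that records carry a constructed `tier` label distinguishing immediately accessible logs from cold archive. It verifies the chain, shows that an edited or deleted record is detected, and checks that coverage reaches back 7 years with the most recent 3 years in the hot tier.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # prev_hash of the first record in a chain

# Constructed archive records spanning seven years. Field names and the
# "hot"/"archive" tier labels are assumptions for this example.
SAMPLE_RECORDS = [
    {"ts": "2018-01-15T10:02:00", "user": "jdoe", "app": "ERP-GL",
     "event": "login", "tier": "archive"},
    {"ts": "2021-06-01T08:30:00", "user": "asmith", "app": "ERP-AP",
     "event": "login", "tier": "archive"},
    {"ts": "2022-02-01T17:45:00", "user": "jdoe", "app": "ERP-AP",
     "event": "export", "tier": "hot"},
    {"ts": "2025-03-01T09:10:00", "user": "mlee", "app": "Payroll-HCM",
     "event": "approve", "tier": "hot"},
]
AS_OF = datetime.fromisoformat("2025-03-14T09:00:00")  # constructed review date


def record_digest(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(records: list) -> list:
    """What the archive writer stores: each record linked to its predecessor."""
    chain, prev = [], GENESIS
    for body in records:
        digest = record_digest(prev, body)
        chain.append({**body, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: list) -> tuple:
    """(True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or entry["hash"] != record_digest(prev, body):
            return False, i
        prev = entry["hash"]
    return True, None


def head_hash(chain: list) -> str:
    """Latest hash; record it in the written review so tail truncation is detectable."""
    return chain[-1]["hash"] if chain else GENESIS


def tampered_copy(chain: list, index: int, **changes) -> list:
    """Copy of the chain with one record edited (simulated tampering)."""
    copy = [dict(e) for e in chain]
    copy[index].update(changes)
    return copy


def with_record_removed(chain: list, index: int) -> list:
    return [dict(e) for i, e in enumerate(chain) if i != index]


def _years_before(ts: datetime, years: int) -> datetime:
    try:
        return ts.replace(year=ts.year - years)
    except ValueError:  # 29 February
        return ts.replace(year=ts.year - years, day=28)


def retention_status(chain: list, as_of: datetime,
                     required_years: int = 7, hot_years: int = 3) -> dict:
    """Does the archive reach back `required_years`, with `hot_years` online?"""
    all_ts = [datetime.fromisoformat(e["ts"]) for e in chain]
    hot_ts = [datetime.fromisoformat(e["ts"]) for e in chain if e["tier"] == "hot"]
    oldest, oldest_hot = min(all_ts), (min(hot_ts) if hot_ts else None)
    return {
        "covers_required_years": oldest <= _years_before(as_of, required_years),
        "hot_tier_covers": oldest_hot is not None
                           and oldest_hot <= _years_before(as_of, hot_years),
        "oldest": oldest.isoformat(),
        "oldest_hot": oldest_hot.isoformat() if oldest_hot else None,
    }


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print(verify_chain(chain), head_hash(chain)[:16], retention_status(chain, AS_OF))
```

A chain of this kind detects edits and deletions inside the archive, but not removal of the newest records, because nothing after them references their hash; that is why the retention review should record the current head hash (or anchor it in a write-once location) so the next review can confirm the tail is still present.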

What is the SOX Section 1107 connection to employee monitoring?

SOX Section 1107, codified at 18 U.S.C. 1513(e), criminalizes retaliation against employees who report potential securities violations. When a retaliation allegation arises, companies must investigate whether the adverse action was connected to the whistleblower activity. Employee monitoring activity logs provide a timestamped, objective record of what happened before, during, and after the reported event, giving HR and legal teams documented evidence to support or refute a retaliation claim.

SOX compliance sits within a broader internal control and audit trail program. The following resources cover adjacent compliance areas where employee monitoring evidence requirements overlap with Sarbanes-Oxley.

SOC 2 Employee Monitoring Compliance

SOC 2 Type II audits require evidence that access controls, monitoring controls, and incident response controls operated continuously. This guide covers the Trust Services Criteria that overlap with SOX ITGC requirements.

PCI DSS Employee Monitoring Compliance

PCI DSS Requirements 10 and 12 mandate audit trails and monitoring for cardholder data environments. Companies subject to both SOX and PCI DSS can satisfy overlapping access log and DLP requirements with a single monitoring configuration.

Employee Monitoring Audit Trail Requirements

A framework-agnostic guide to what an audit trail must contain, how long records must be kept, and how to structure monitoring evidence for multiple compliance programs simultaneously.

Start Building Your SOX-Ready Audit Trail Today

eMonitor gives your IT and compliance teams the access logs, DLP violation records, behavioral anomaly alerts, and 7-year retention infrastructure that SOX ITGC audits require. Trusted by 1,500+ companies. Set up in under 2 minutes.