SOX checklist for tech change

A SOX‑focused change management checklist for tech and fintech stressed the auditor mantra ‘if it’s not written down, it didn’t happen,’ offering a practical template for documenting approvals, testing and rollout steps. (x.com). A companion post reminded readers that compliance in regulated industries is ongoing — covering risk assessments, audits and continuous oversight for HIPAA/GLBA environments. (x.com).

A tech change that touches financial reporting is supposed to leave a paper trail: who approved it, how it was tested, when it moved, and what happened after it went live. Section 404 of the Sarbanes-Oxley Act requires management to assess internal control over financial reporting, and Public Company Accounting Oversight Board standards make those controls part of the audit. (sec.gov) (pcaobus.org)

In practice, that means change management is not just an engineering workflow. A company has to show that changes to systems tied to revenue, payroll, the general ledger, or other financial reporting processes were requested, reviewed, approved, tested, implemented, and logged. (pcaobus.org) (nist.gov) The basic control is simple: no undocumented change should reach production in a system that can affect the numbers in a public filing. NIST Special Publication 800-53 includes change control requirements for documenting, approving, testing, and tracking system changes, which mirror the evidence auditors typically ask for in information technology general controls (ITGC) reviews. (nist.gov) (pcaobus.org)

That is why compliance checklists for tech teams usually read like an audit binder in miniature. They center on named approvers, test results, segregation of duties, deployment dates, backout plans, and proof that the person who wrote a change was not the only person who pushed it through. (nist.gov) (pcaobus.org)

The same “write it down” discipline shows up outside Sarbanes-Oxley work. The Health Insurance Portability and Accountability Act Security Rule requires covered entities and business associates to protect electronic protected health information with administrative, physical, and technical safeguards, and federal guidance calls risk analysis the first step in that process. (hhs.gov 1) (hhs.gov 2) For financial firms and other companies covered by the Gramm-Leach-Bliley Act, the Federal Trade Commission’s Safeguards Rule requires a written information security program. The FTC says covered firms must develop, implement, and maintain that program, and the rule now also includes a notification requirement for certain security events that took effect in May 2024. (ftc.gov 1) (ftc.gov 2) (ftc.gov 3)

That makes change documentation part of a larger compliance habit, not a one-time project before an audit. The health and financial privacy rules both point companies toward recurring risk reviews, maintained policies, oversight of service providers, and evidence that safeguards still work after systems change. (hhs.gov) (ftc.gov 1) (ftc.gov 2) Auditors and regulators do not test intentions; they test records. For tech and fintech teams, the practical checklist is less about adding paperwork than about preserving the approvals, tests, and rollout history that prove a control actually happened. (pcaobus.org) (hhs.gov)
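The checklist items above (named approver, test result, segregation of duties, ordered dates, backout plan, and no undocumented change in production) can be turned into mechanical evidence checks that run before an auditor ever asks. The script below is an added example written for this page, not code from the posts summarized here or from any regulator. The record fields, the constructed sample records and deployment log, and the segregation-of-duties policy it enforces (the approver and the deployer must both differ from the author) are assumptions chosen for illustration; a real program would read the same fields from its ticketing and CI/CD systems.

```python
"""Evidence checks over change records, in the spirit of a SOX/ITGC checklist.

All field names, the sample data below, and the segregation-of-duties policy
(approver != author and deployer != author) are assumptions for this example.
"""
from datetime import datetime

# Evidence every change record must carry before it can be shown to an auditor.
REQUIRED = ("id", "system", "author", "approver", "tester", "deployer",
            "requested_at", "approved_at", "tested_at", "deployed_at",
            "test_result", "backout_plan")

# The paper trail has to be in this order: requested, approved, tested, deployed.
SEQUENCE = (("requested_at", "approved_at"),
            ("approved_at", "tested_at"),
            ("tested_at", "deployed_at"))


def check_record(rec: dict) -> list[str]:
    """Return audit findings for one change record; an empty list means clean."""
    cid = rec.get("id", "?")
    findings = []
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:
        # Roles and dates cannot be evaluated until the evidence exists at all.
        return [f"{cid}: missing evidence {missing}"]
    # Segregation of duties: the author must not be the only person in the loop.
    if rec["approver"] == rec["author"]:
        findings.append(f"{cid}: author {rec['author']} approved their own change")
    if rec["deployer"] == rec["author"]:
        findings.append(f"{cid}: author {rec['author']} deployed their own change")
    # Timestamps must be in workflow order; testing after deployment is a finding.
    for earlier, later in SEQUENCE:
        if datetime.fromisoformat(rec[earlier]) > datetime.fromisoformat(rec[later]):
            findings.append(f"{cid}: {later} is earlier than {earlier}")
    if rec["test_result"].lower() != "pass":
        findings.append(f"{cid}: test result is '{rec['test_result']}', not pass")
    return findings


def reconcile_deployments(records: list[dict], deploy_log: list[dict]) -> list[dict]:
    """Return production deployments that have no matching change record."""
    known = {(r["system"], r["id"]) for r in records}
    return [d for d in deploy_log if (d["system"], d.get("change_id")) not in known]


# Constructed sample change records (not real tickets).
CHANGES = [
    {"id": "CHG-101", "system": "ledger", "author": "alice", "approver": "carol",
     "tester": "dave", "deployer": "erin", "requested_at": "2024-03-01T09:00",
     "approved_at": "2024-03-01T14:00", "tested_at": "2024-03-02T10:00",
     "deployed_at": "2024-03-03T08:00", "test_result": "pass",
     "backout_plan": "redeploy tag v4.1.2"},
    # Author deployed their own change, and the test was recorded after rollout.
    {"id": "CHG-102", "system": "ledger", "author": "bob", "approver": "carol",
     "tester": "dave", "deployer": "bob", "requested_at": "2024-03-04T09:00",
     "approved_at": "2024-03-04T10:00", "tested_at": "2024-03-05T09:00",
     "deployed_at": "2024-03-04T18:00", "test_result": "pass",
     "backout_plan": "restore schema snapshot 2024-03-04"},
    # No backout plan recorded.
    {"id": "CHG-103", "system": "payroll", "author": "frank", "approver": "grace",
     "tester": "heidi", "deployer": "ivan", "requested_at": "2024-03-06T09:00",
     "approved_at": "2024-03-06T11:00", "tested_at": "2024-03-07T09:00",
     "deployed_at": "2024-03-08T08:00", "test_result": "pass", "backout_plan": ""},
]

# Constructed production deployment log; two entries have no change record.
DEPLOY_LOG = [
    {"system": "ledger", "change_id": "CHG-101", "deployed_at": "2024-03-03T08:00"},
    {"system": "ledger", "change_id": None, "deployed_at": "2024-03-05T22:10"},
    {"system": "payroll", "change_id": "CHG-999", "deployed_at": "2024-03-09T07:45"},
]


def audit(records: list[dict], deploy_log: list[dict]) -> dict:
    """Summarize findings per record plus undocumented deployments."""
    return {
        "record_findings": {r["id"]: check_record(r) for r in records},
        "undocumented_deployments": reconcile_deployments(records, deploy_log),
    }


if __name__ == "__main__":
    result = audit(CHANGES, DEPLOY_LOG)
    for cid, notes in result["record_findings"].items():
        print(cid, "OK" if not notes else notes)
    for d in result["undocumented_deployments"]:
        print("undocumented deployment:", d)
```

The reconciliation step is the part most teams skip: the change records alone can look complete while the deployment log shows rollouts with no ticket behind them, which is exactly the "undocumented change in production" an ITGC review is designed to catch.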


Shared from Scout - Be the smartest in the room.