SOX IT General Controls Readiness
IT General Controls (ITGC) design, documentation, and walkthrough prep for newly public and about-to-go-public pharma and biotech.
What you'll walk away with
- Documented ITGC control matrix mapped to financially relevant systems
- Control design reviewed against common external-auditor expectations
- Walkthrough-ready evidence package for auditor interviews
- Identified remediation items with owners and timeline
The problem this solves
Newly public pharma and biotech inherit SOX ITGC expectations without an internal IT audit function to meet them. External auditors ask for documented controls around access provisioning, change management, backup and recovery, and logical security — tied to financially relevant systems like NetSuite, SAP, Workday, and M365. Most companies at this stage have the underlying practices in place. What they're missing is the documentation, the evidence, and a control matrix an auditor can actually walk through. Without it, the first SOX cycle becomes a fire drill: pulling screenshots the week before fieldwork and improvising narratives on the spot.
What the engagement looks like
Four phases over four to eight weeks. Everything is delivered virtually. Coordination with your external auditor is async.
Weeks 1–2: Scope
I work with finance leadership to define which systems are in scope — ERP, HRIS, and anything feeding financial reporting — and inventory controls already in place, even informal ones. The goal is an honest baseline before anything gets documented.
Weeks 3–5: Design and document
I build the ITGC control matrix across five domains: access provisioning, change management, backup and recovery, computer operations, and logical security. Each control gets a design description, an owner, a frequency, and a sample evidence pull so the format is established before auditor fieldwork begins.
Weeks 6–7: Walkthrough dry-runs
I run internal walkthroughs that simulate auditor interviews. This is where gaps surface — controls that exist on paper but can't be evidenced, or owners who don't know they own something. Each gap gets a remediation item, an owner, and a timeline.
Week 8: Final deliverables and handoff
I deliver the complete package and hand off to whoever will operate the controls going forward — the CFO team, internal audit, or a Fractional IT Leadership retainer.
Who it's most useful for
- Recently public companies inside their first SOX compliance cycle
- Pre-IPO companies three to six months from an S-1 filing
- Post-IPO companies that received an ITGC deficiency or significant deficiency finding
- Companies whose external auditor has flagged ITGC as an area of concern heading into the next cycle
What you'll walk away with
You get a control matrix built to be used, not filed away. The ITGC matrix documents every control with its owner, frequency, and evidence format. The system-scoping document records which applications are in scope and why, so that conversation doesn't restart each year. The evidence collection runbook is the most operationally useful piece: it tells whoever runs the program exactly what to pull each quarter and from where — so SOX stops being a scramble and becomes a repeatable process. The remediation roadmap closes the engagement with a clear list of open items, owners, and deadlines.
Common questions
Do you represent us to our external auditor?
No. I prepare the controls, the documentation, and the evidence package. You or your CFO team handles the auditor relationship. I can help you prep for those conversations, but I'm not a party to the audit.
Will this satisfy our auditor directly?
It prepares you to satisfy them. Audit sign-off happens during external auditor fieldwork, not before. This engagement puts you in front of that fieldwork with a defensible control matrix, organized evidence, and a team that has practiced the walkthrough.
Can this run alongside a retainer?
Yes. The fixed-scope engagement builds the foundation; ongoing quarterly maintenance fits cleanly into a retainer.
Most effective alongside ongoing leadership
SOX ITGC is not a one-time project. Controls drift, systems get added, auditor expectations shift year to year. Quarterly evidence pulls, annual control updates, and walkthrough prep for each new cycle are exactly the kind of steady operational work that fits a Fractional IT Leadership retainer. The Advisory retainer is the natural home for ongoing ITGC maintenance once the initial program is built.
Deliverables
- ITGC control matrix (spreadsheet + narrative)
- System-scoping document (in-scope applications and their owners)
- Evidence collection runbook (what to pull each quarter and how)
- Remediation roadmap for identified gaps
Request a quote.
Send a quick note with your scope and timeline. I respond within one business day — with a proposal you can forward to your CFO.