By ScoutMyTool Editorial Team · Last updated: 2026-05-28
Introduction
My first SOX season I delivered a control binder where the evidence section was 200 pages of screenshots and the external auditor still flagged six controls because the re-perform instructions said "ran query in production" without naming the query, the system, or the filter. The binder is not for me; it is for an external auditor who has none of the internal context and needs to reproduce every test. Here is the per-control structure that holds up: narrative, design test, effectiveness test, evidence (with hashed attachments), re-perform instructions, exceptions, and signed sign-off. The same template across every control so the binder is scannable.
Vocabulary, quickly
| Term | Meaning |
|---|---|
| SOX | Sarbanes-Oxley — US public-company financial-reporting compliance |
| IT general controls (ITGC) | Access, change, operations controls supporting financial systems |
| Control narrative | Plain-language description of a control's objective and operation |
| Test of design (ToD) | Procedure proving the control is properly designed |
| Test of effectiveness (ToE) | Procedure proving the control operates as designed |
| Walkthrough | Step-by-step trace of a transaction through the control |
| Re-perform instructions | Steps an external auditor follows to reproduce the test |
Step by step
- Template the control section. Narrative, design test, effectiveness test, evidence list, exceptions, sign-off. Same shape per control.
- Write the narrative once per fiscal year. Update only when the control changes. Stable narratives speed review.
- Document re-perform steps explicitly. Name the system, the query, the filter, the expected output count.
- Capture evidence with timestamps. Screenshots with the system clock visible; raw logs as PDF/A-3 attachments.
- Hash attachments in the section text. SHA-256 printed next to the attachment reference; auditor verifies later.
- Document exceptions specifically. What, why, remediation, compensating control. Vague exceptions become deficiencies.
- Sign at preparer and independent reviewer. Reviewer is not the control owner. Both signatures with dates close to test dates.
- Bookmark by control name. External auditor jumps directly to controls under question.
- Archive as PDF/A per fiscal year. Seven-year retention minimum.
Binder readiness checklist
- Every control has the full template — narrative, design, effectiveness, evidence, exceptions, sign-off.
- Re-perform instructions are concrete enough for an external auditor without internal access.
- Evidence attachments are hashed in the section text; integrity verifiable.
- Reviewer signatures are independent of control ownership; dates close to test dates.
- Exceptions document remediation and compensating controls specifically.
- PDF/A archive complete with the year\'s binder before the external auditor opens it.
Common pitfalls in SOX binders
- Re-perform instructions that say "pulled report" without naming the system, the query, or the filter — external auditor cannot reproduce and the test fails as evidence.
- Evidence screenshots without a visible system clock — timestamp unverifiable, weakens the test.
- Reviewer signature dated months after the preparer signature — looks like a rubber-stamp; weakens the independence chain.
- Exception write-ups that lump several issues into one paragraph — each exception needs its own structured entry with severity, remediation, and compensating control.
- Control narratives copy-pasted from prior years without update — when the system or process changed, an outdated narrative is a documentation deficiency.
- Evidence attachments without hashes printed in the binder text — integrity cannot be proven later.
- PDF/A archive missing one or two controls — the binder must be complete; partial archives get bounced.
Related reading and tools
FAQ
- What does a clean IT control binder look like?
- One section per control: narrative, design test, effectiveness test, evidence, exceptions, sign-off. Same template across all controls so the external auditor can scan the binder without re-learning every section. The narrative is one page; everything else is supporting. Bookmarks at the control-name level so the auditor jumps directly to a control under question.
- How do I attach evidence (screenshots, logs) without bloating the file?
- Use PDF/A-3 attachments for raw evidence (server logs, raw exports) and inline screenshots only when needed for readability. The attachment ships the raw data; the inline visual makes the page reviewable. Hash every attachment in the section text — the external auditor can verify integrity later.
- Re-perform instructions — what level of detail?
- Enough that an external auditor can reproduce the test without access to your internal tools. "Open ServiceNow, navigate to Change → Search, filter by date range Q1, export to CSV, count rows" is sufficient. "Pulled change tickets and counted them" is not. Re-perform is the difference between an exception you can defend and one that turns into a control failure.
- How do I document exceptions?
- In the exception section: what the test found, why it is or is not a deficiency, what remediation occurred, and what compensating controls exist. The external auditor reads this section first when judging a control as effective despite exceptions. Vague exception write-ups become deficiencies; specific ones get cleared.
- Reviewer sign-off — preparer plus what?
- Preparer plus an independent reviewer (not the preparer's manager if the manager owns the control). The independence chain is part of audit evidence. Both signatures with date; the external auditor checks the dates against the test-performed dates. Long gaps between test and review weaken evidence.
- How long do we retain SOX evidence?
- PCAOB minimum is seven years; many firms hold ten. Archive each fiscal-year binder as PDF/A with embedded attachments. Don't rely on internal SharePoint to preserve binders — export to an audit-archive system with controlled retention.
Citations
- Wikipedia — “Sarbanes-Oxley Act — Section 404 and IT controls.” en.wikipedia.org/wiki/Sarbanes-Oxley_Act
- Wikipedia — “Information technology general controls (ITGC).” en.wikipedia.org/wiki/Information_technology_controls
- Wikipedia — “PCAOB — audit standards and retention.” en.wikipedia.org/wiki/Public_Company_Accounting_Oversight_Board
Assemble SOX binders in your browser
Template per-control sections, attach hashed evidence, sign with independence documentation, archive as PDF/A — ScoutMyTool runs every step locally so audit data stays inside the firm.
Open the PDF toolkit →