PDF for IT auditors: SOX compliance and control testing

Per-control sections, re-perform instructions, hashed evidence attachments, and signed sign-offs with documented independence.

By ScoutMyTool Editorial Team · Last updated: 2026-05-28

Introduction

My first SOX season I delivered a control binder where the evidence section was 200 pages of screenshots and the external auditor still flagged six controls because the re-perform instructions said "ran query in production" without naming the query, the system, or the filter. The binder is not for me; it is for an external auditor who has none of the internal context and needs to reproduce every test. Here is the per-control structure that holds up: narrative, design test, effectiveness test, evidence (with hashed attachments), re-perform instructions, exceptions, and signed sign-off. The same template across every control so the binder is scannable.

Vocabulary, quickly

TermMeaning
SOXSarbanes-Oxley — US public-company financial-reporting compliance
IT general controls (ITGC)Access, change, operations controls supporting financial systems
Control narrativePlain-language description of a control's objective and operation
Test of design (ToD)Procedure proving the control is properly designed
Test of effectiveness (ToE)Procedure proving the control operates as designed
WalkthroughStep-by-step trace of a transaction through the control
Re-perform instructionsSteps an external auditor follows to reproduce the test

Step by step

  1. Template the control section. Narrative, design test, effectiveness test, evidence list, exceptions, sign-off. Same shape per control.
  2. Write the narrative once per fiscal year. Update only when the control changes. Stable narratives speed review.
  3. Document re-perform steps explicitly. Name the system, the query, the filter, the expected output count.
  4. Capture evidence with timestamps. Screenshots with the system clock visible; raw logs as PDF/A-3 attachments.
  5. Hash attachments in the section text. SHA-256 printed next to the attachment reference; auditor verifies later.
  6. Document exceptions specifically. What, why, remediation, compensating control. Vague exceptions become deficiencies.
  7. Sign at preparer and independent reviewer. Reviewer is not the control owner. Both signatures with dates close to test dates.
  8. Bookmark by control name. External auditor jumps directly to controls under question.
  9. Archive as PDF/A per fiscal year. Seven-year retention minimum.

Binder readiness checklist

  • Every control has the full template — narrative, design, effectiveness, evidence, exceptions, sign-off.
  • Re-perform instructions are concrete enough for an external auditor without internal access.
  • Evidence attachments are hashed in the section text; integrity verifiable.
  • Reviewer signatures are independent of control ownership; dates close to test dates.
  • Exceptions document remediation and compensating controls specifically.
  • PDF/A archive complete with the year\'s binder before the external auditor opens it.

Common pitfalls in SOX binders

  • Re-perform instructions that say "pulled report" without naming the system, the query, or the filter — external auditor cannot reproduce and the test fails as evidence.
  • Evidence screenshots without a visible system clock — timestamp unverifiable, weakens the test.
  • Reviewer signature dated months after the preparer signature — looks like a rubber-stamp; weakens the independence chain.
  • Exception write-ups that lump several issues into one paragraph — each exception needs its own structured entry with severity, remediation, and compensating control.
  • Control narratives copy-pasted from prior years without update — when the system or process changed, an outdated narrative is a documentation deficiency.
  • Evidence attachments without hashes printed in the binder text — integrity cannot be proven later.
  • PDF/A archive missing one or two controls — the binder must be complete; partial archives get bounced.

FAQ

What does a clean IT control binder look like?
One section per control: narrative, design test, effectiveness test, evidence, exceptions, sign-off. Same template across all controls so the external auditor can scan the binder without re-learning every section. The narrative is one page; everything else is supporting. Bookmarks at the control-name level so the auditor jumps directly to a control under question.
How do I attach evidence (screenshots, logs) without bloating the file?
Use PDF/A-3 attachments for raw evidence (server logs, raw exports) and inline screenshots only when needed for readability. The attachment ships the raw data; the inline visual makes the page reviewable. Hash every attachment in the section text — the external auditor can verify integrity later.
Re-perform instructions — what level of detail?
Enough that an external auditor can reproduce the test without access to your internal tools. "Open ServiceNow, navigate to Change → Search, filter by date range Q1, export to CSV, count rows" is sufficient. "Pulled change tickets and counted them" is not. Re-perform is the difference between an exception you can defend and one that turns into a control failure.
How do I document exceptions?
In the exception section: what the test found, why it is or is not a deficiency, what remediation occurred, and what compensating controls exist. The external auditor reads this section first when judging a control as effective despite exceptions. Vague exception write-ups become deficiencies; specific ones get cleared.
Reviewer sign-off — preparer plus what?
Preparer plus an independent reviewer (not the preparer's manager if the manager owns the control). The independence chain is part of audit evidence. Both signatures with date; the external auditor checks the dates against the test-performed dates. Long gaps between test and review weaken evidence.
How long do we retain SOX evidence?
PCAOB minimum is seven years; many firms hold ten. Archive each fiscal-year binder as PDF/A with embedded attachments. Don't rely on internal SharePoint to preserve binders — export to an audit-archive system with controlled retention.

Citations

  1. Wikipedia — “Sarbanes-Oxley Act — Section 404 and IT controls.” en.wikipedia.org/wiki/Sarbanes-Oxley_Act
  2. Wikipedia — “Information technology general controls (ITGC).” en.wikipedia.org/wiki/Information_technology_controls
  3. Wikipedia — “PCAOB — audit standards and retention.” en.wikipedia.org/wiki/Public_Company_Accounting_Oversight_Board

Assemble SOX binders in your browser

Template per-control sections, attach hashed evidence, sign with independence documentation, archive as PDF/A — ScoutMyTool runs every step locally so audit data stays inside the firm.

Open the PDF toolkit →