SOX in the Cloud: Why Traditional ITGC Models Are No Longer Fit for Purpose

Cloud adoption has quietly broken many traditional SOX ITGC models. The challenge isn't awareness; it's whether organisations modernise control design fast enough to keep audit defensibility without strangling delivery.

Author: Garry Costin-Davis ~ Tags: SOX Compliance, Cloud ITGC, IT Audit Opinion, Technology Risk, Access Governance ~ Category: Technology Governance

Featured image: Cloud controls, evidence, and governance are now operational design problems, not paperwork.

Cloud changed the operating model of technology. Many SOX and ITGC frameworks didn't get the memo. In practice, I see organisations migrating infrastructure faster than they modernise control ownership, evidence, and testing approaches, and that gap is where audit risk grows.

The point isn't that cloud makes SOX harder. The point is that cloud exposes which parts of your control framework were never truly resilient. Legacy ITGC models were built around assumptions that no longer hold: stable infrastructure, slow change cycles, and a neat boundary between "the system" and "the people who run it."

The uncomfortable truth: lifting and shifting ITGCs is how you create risk

Traditional ITGCs assume a predictable world: servers provisioned by ticket, changes released in batches, and ownership mapped cleanly to teams. Cloud replaces that with elasticity, configuration as code, continuous deployment, and a shared responsibility model that's frequently misunderstood.

When organisations attempt to copy-and-paste on-prem controls into cloud platforms, they often achieve the worst outcome: controls that look familiar on paper but fail under real cloud velocity. That is not compliance; it's theatre.

Control ownership is still the most underestimated failure mode

In cloud environments, the provider secures parts of the stack, but the organisation remains accountable for the controls that matter to financial reporting: access, configuration, data integrity, change governance, and monitoring. Yet I repeatedly see two predictable gaps:

  • Over-reliance on the provider's SOC reports without mapping them to your own SOX assertions and control design, and without operating the complementary user entity controls the report itself says remain the customer's responsibility.
  • Ambiguous ownership where neither the provider nor the organisation clearly "owns" the control end-to-end.

From an audit perspective, ambiguity is risk. If you cannot name the control owner, define the control objective, and demonstrate consistent evidence, the control is already failing, regardless of what the policy says.

Access governance is the new SOX battleground

Cloud grants power quickly: privileged access can be created in seconds. Without robust identity governance, role-based access, automated provisioning, and frequent review, you lose visibility long before you lose the environment.

Here's the shift audit and risk teams must accept: access governance needs to behave like a continuous control. Quarterly spreadsheets and manual attestations were barely adequate on-prem; in cloud, they cannot keep pace. If your access model is manual, your risk posture is effectively "unknown."

Change management must evolve, or it will be bypassed

Classic SOX change controls rely on manual approvals and after-the-fact review. In DevOps-driven delivery, those controls either slow teams until they route around them, or they become a rubber stamp.

The answer isn't weaker control. It's embedded control: segregation of duties enforced through tooling (the person who authored a change cannot approve or deploy it), version control that is actually used, automated approvals tied to policy, and immutable logs. Done properly, this produces stronger assurance than manual sign-offs ever did, while preserving delivery speed.
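What that embedded control looks like in code, as an added example written for this article (not the author's tooling and not code from any CI/CD product): a policy-as-code gate a pipeline runs before a production deployment. It enforces segregation of duties (no self-approval), approver authority, passing automated checks and ticket traceability, and records every decision in a hash-chained log that an auditor can re-verify. All identities, field names and the approver group are assumptions.

```python
"""Policy-as-code gate for a production change, with a tamper-evident log.

Added illustration for this article, not code from any CI/CD product.  All
field names, identities and the approver group are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import hashlib
import json


@dataclass
class ChangeRecord:
    change_id: str
    author: str
    approvers: List[str]      # identities that approved the merge request
    approver_group: Set[str]  # identities permitted to approve production changes
    ci_passed: bool           # automated tests and scans succeeded
    ticket: Optional[str]     # change ticket reference, if any
    target: str               # "prod" or "nonprod"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_change(rec: ChangeRecord) -> Decision:
    """Turn the control objectives into rules the pipeline enforces."""
    reasons = []
    # Segregation of duties: the author may not approve their own change.
    independent = [a for a in rec.approvers if a != rec.author]
    if not independent:
        reasons.append("no independent approver")
    # Approver authority: an approval only counts from the authorised group.
    elif not any(a in rec.approver_group for a in independent):
        reasons.append("approver not in authorised group")
    # Automated testing is a precondition, not an after-the-fact review.
    if not rec.ci_passed:
        reasons.append("CI checks failed or missing")
    # Traceability: production changes must reference a ticket.
    if rec.target == "prod" and not rec.ticket:
        reasons.append("production change has no ticket reference")
    return Decision(allowed=not reasons, reasons=reasons)


def _digest(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class HashChainedLog:
    """Append-only decision log; each entry commits to the previous digest,
    so altering any stored entry breaks every later link.  A real pipeline
    would ship entries to write-once storage; this keeps them in memory."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []  # list of (payload, digest)
        self.last_hash = self.GENESIS

    def append(self, rec: ChangeRecord, decision: Decision) -> str:
        payload = {
            "change_id": rec.change_id,
            "author": rec.author,
            "approvers": sorted(rec.approvers),
            "allowed": decision.allowed,
            "reasons": decision.reasons,
            "prev": self.last_hash,
        }
        digest = _digest(payload)
        self.entries.append((payload, digest))
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Re-derive the chain; an auditor runs this instead of trusting a screenshot."""
        prev = self.GENESIS
        for payload, digest in self.entries:
            if payload["prev"] != prev or _digest(payload) != digest:
                return False
            prev = digest
        return True


APPROVER_GROUP = {"bob", "carol"}  # constructed sample, not a real team


def demo():
    """Constructed sample: one compliant change, one self-approved change."""
    log = HashChainedLog()
    changes = [
        ChangeRecord("CHG-1001", "alice", ["bob"], APPROVER_GROUP, True, "TKT-42", "prod"),
        ChangeRecord("CHG-1002", "alice", ["alice"], APPROVER_GROUP, True, "TKT-43", "prod"),
    ]
    decisions = [evaluate_change(c) for c in changes]
    for change, decision in zip(changes, decisions):
        log.append(change, decision)
    return decisions, log  # decisions[0].allowed is True, decisions[1] is blocked
```

In a real pipeline the ChangeRecord would be populated from the merge-request API and the log shipped to write-once storage. The point is that the approval rule lives in code that is itself version-controlled and tested, so the evidence is the pipeline's own output rather than a sign-off collected afterwards.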

Evidence expectations are rising, not falling

Cloud platforms can generate excellent evidence�if you design for it. Screenshots and ad-hoc exports are not an evidence strategy. Audit-ready environments use repeatable reporting, configuration baselines, and monitoring dashboards that can be re-run on demand with consistent outputs.

Organisations that invest in evidence automation don't just reduce audit effort. They increase confidence, reduce exceptions, and make control performance visible to the people who actually need it.
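Both "access governance as a continuous control" from the previous section and "reporting that can be re-run on demand with consistent outputs" from this one come down to the same artefact, shown here as an added example (written for this article, not the author's tooling or any vendor's): a review over a constructed IAM export that flags privileged accounts without MFA, leavers still enabled, dormant accounts and privileged service accounts, then emits a digest of the canonical report so two runs over the same export produce identical evidence. The export, HR roster, role names and 90-day dormancy threshold are constructed assumptions.

```python
"""Re-runnable access review over a cloud IAM export.

Added illustration for this article, not a vendor's tooling.  It reads the
kind of identity inventory most cloud platforms can export (user, roles,
MFA state, last sign-in, enabled flag), joins it to an HR roster, applies
the review rules, and returns the findings plus a digest of the canonical
report.  The export, roster, role names and threshold are assumptions.
"""
from datetime import date
import hashlib
import json

PRIVILEGED_ROLES = {"Owner", "Administrator", "IAMAdmin"}  # assumed role names
DORMANCY_DAYS = 90                                         # assumed policy threshold

# Constructed sample export; a real one would come from the platform's IAM API.
IAM_EXPORT = [
    {"user": "alice", "roles": ["Owner"], "mfa": True, "last_login": "2024-05-30", "enabled": True},
    {"user": "bob", "roles": ["Reader"], "mfa": False, "last_login": "2024-01-03", "enabled": True},
    {"user": "carol", "roles": ["Administrator"], "mfa": False, "last_login": "2024-05-29", "enabled": True},
    {"user": "dave", "roles": ["Reader"], "mfa": True, "last_login": "2024-05-28", "enabled": True},
    {"user": "svc-deploy", "roles": ["IAMAdmin"], "mfa": False, "last_login": "2024-05-30", "enabled": True},
]
HR_ACTIVE = {"alice", "bob", "carol"}  # constructed roster: dave has left
SERVICE_ACCOUNTS = {"svc-deploy"}      # non-human identities, reviewed separately


def review_access(export, hr_active, service_accounts, as_of):
    """Apply the review rules and return findings in a deterministic order."""
    findings = []
    for acct in export:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this review
        privileged = PRIVILEGED_ROLES & set(acct["roles"])
        if user in service_accounts:
            # MFA does not apply to non-interactive identities; a privileged
            # service account needs a named owner and documented justification.
            if privileged:
                findings.append({"user": user, "rule": "privileged_service_account",
                                 "detail": f"roles={sorted(privileged)}"})
            continue
        if privileged and not acct["mfa"]:
            findings.append({"user": user, "rule": "privileged_without_mfa",
                             "detail": f"roles={sorted(privileged)}"})
        if user not in hr_active:
            findings.append({"user": user, "rule": "leaver_still_enabled",
                             "detail": "not on HR active roster"})
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANCY_DAYS:
            findings.append({"user": user, "rule": "dormant_account",
                             "detail": f"{idle} days since last sign-in"})
    # Sort so the report is byte-for-byte identical across runs.
    return sorted(findings, key=lambda f: (f["user"], f["rule"]))


def evidence_digest(findings, as_of):
    """SHA-256 over the canonical JSON report; retain it alongside the report."""
    canonical = json.dumps({"as_of": as_of.isoformat(), "findings": findings},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def run_review(as_of=date(2024, 5, 31)):
    """Run the review against the constructed export for a fixed review date."""
    findings = review_access(IAM_EXPORT, HR_ACTIVE, SERVICE_ACCOUNTS, as_of)
    return findings, evidence_digest(findings, as_of)


if __name__ == "__main__":
    findings, digest = run_review()
    for f in findings:
        print(f"{f['user']:<12}{f['rule']:<28}{f['detail']}")
    print("evidence digest:", digest)
```

Scheduled daily against the live export, with the export, report and digest retained, this replaces the quarterly spreadsheet with evidence that is both continuous and reproducible: an auditor can re-run the same code against the retained export and compare digests rather than accept a screenshot.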

Opinion: modernise now, or accept growing audit risk

The difference between organisations that succeed and those that struggle is rarely "cloud maturity." It is control maturity. If your SOX ITGC framework still assumes static systems, manual controls, and periodic testing, it is already out of date.

Modern ITGCs should reflect cloud reality: shared responsibility, automation, continuous monitoring, unambiguous ownership, and evidence that can be reproduced without heroics. Most importantly, they should enable the organisation to move, while remaining audit-defensible.

Call to action

If your organisation is migrating to cloud and still running legacy ITGC models unchanged, you're carrying risk you don't need. Redesign controls around cloud velocity and treat evidence as an operational product, not an audit deliverable.

For professional enquiries: contact me.