Cloud adoption has fundamentally changed how technology operates, but many SOX and ITGC frameworks are still anchored in assumptions built for on-premises environments. While some advisory firms have recently highlighted the growing SOX risks associated with cloud migration, from our perspective at GNAW Resources the real issue is not awareness but execution.
Most organisations know that cloud changes SOX compliance. Far fewer have fully adjusted how controls are designed, owned, and evidenced.


The uncomfortable truth about SOX in the cloud
Traditional ITGC models assume stability: predictable infrastructure, controlled change cycles, and clearly defined system ownership. Cloud environments offer the opposite: elastic resources, continuous deployment, shared responsibility, and rapid configuration change.
PwC has rightly pointed out that SOX obligations do not disappear in the cloud. We agree, but we would go further: attempting to “lift and shift” legacy ITGCs into cloud platforms is often what creates audit risk in the first place.
Control ownership is still misunderstood
One of the most persistent issues we see is confusion around the shared responsibility model. Cloud providers manage infrastructure security, but organisations remain fully accountable for access, configuration, data integrity, and financial reporting controls.
In practice, this leads to two common failures:
- Over-reliance on SOC reports without mapping them to internal controls
- Gaps where neither the provider nor the organisation clearly owns the control
From an audit perspective, ambiguity equals risk. Clear control ownership, mapped explicitly to SOX assertions, is non-negotiable.
Access governance is the new SOX battleground
In cloud environments, privileged access can be granted in seconds. Without automated provisioning, role-based controls, and frequent access reviews, organisations quickly lose control visibility.
Identity and access management is already recognised as a core risk area; our view, however, is that access governance should be treated as a continuous SOX control, not a quarterly or annual compliance exercise. Manual access reviews simply cannot keep pace with cloud velocity.
Change management must evolve, or fail
Another friction point is change management. Traditional SOX controls often rely on manual approvals and after-the-fact reviews. In DevOps-driven cloud environments, those approaches either slow delivery or are bypassed entirely.
The solution is not weaker control but embedded control. Automated approvals, version control, segregation of duties enforced through tooling, and immutable logs provide stronger assurance than manual sign-offs ever did. IT audit teams must adapt their testing approaches accordingly.
Evidence expectations are rising, not falling
Cloud platforms generate excellent evidence, but only if organisations know how to capture and govern it. Screenshots and ad hoc exports are no longer sufficient. Audit-ready environments rely on repeatable reports, configuration baselines, and continuous monitoring dashboards that can be re-run on demand.
From our perspective, organisations that invest in evidence automation reduce audit effort, lower risk, and improve SOX confidence.
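As an added illustration (not GNAW Resources' own tooling), the continuous access review and re-runnable evidence described above, in Python: it compares a hypothetical approved baseline against a constructed export of current role assignments, flags unapproved or stale grants and baseline drift, and emits a deterministic, hashed evidence record.

```python
import hashlib
import json
from datetime import date

# Constructed sample data (hypothetical, not from any real environment):
# the approved baseline signed off by control owners, and the current
# role assignments as exported from the cloud platform.
APPROVED_BASELINE = {
    "finance-erp-admin": {"alice", "bob"},
    "billing-readonly": {"carol"},
}
CURRENT_ASSIGNMENTS = [
    {"role": "finance-erp-admin", "user": "alice", "last_used": "2024-05-01"},
    {"role": "finance-erp-admin", "user": "dave", "last_used": "2024-05-02"},
    {"role": "billing-readonly", "user": "carol", "last_used": "2023-11-01"},
]
PRIVILEGED_ROLES = {"finance-erp-admin"}
AS_OF = date(2024, 6, 1)  # review date used for the constructed sample


def review_access(assignments, baseline, privileged_roles, as_of, stale_days=90):
    """Compare current grants with the approved baseline; return findings."""
    findings, seen = [], set()
    for grant in assignments:
        role, user = grant["role"], grant["user"]
        seen.add((role, user))
        if user not in baseline.get(role, set()):
            # Grant with no approval on record: high severity if the role is privileged
            sev = "high" if role in privileged_roles else "medium"
            findings.append({"type": "unapproved_grant", "role": role, "user": user, "severity": sev})
        if (as_of - date.fromisoformat(grant["last_used"])).days > stale_days:
            findings.append({"type": "stale_access", "role": role, "user": user, "severity": "low"})
    # Approved entitlements that no longer exist: the baseline itself has drifted
    for role, users in baseline.items():
        for user in sorted(users - {u for r, u in seen if r == role}):
            findings.append({"type": "baseline_drift", "role": role, "user": user, "severity": "low"})
    return findings


def evidence_record(findings, as_of):
    """Repeatable evidence: deterministic JSON plus a SHA-256 digest so a re-run
    on the same inputs yields an identical, verifiable artefact."""
    body = json.dumps({"as_of": as_of.isoformat(), "findings": findings}, sort_keys=True)
    return {"digest": hashlib.sha256(body.encode()).hexdigest(), "body": body}


def run_review():
    """Run the review over the constructed sample and return its findings."""
    return review_access(CURRENT_ASSIGNMENTS, APPROVED_BASELINE, PRIVILEGED_ROLES, AS_OF)
```

Scheduling `run_review` and storing each `evidence_record` in an append-only location gives the continuous, re-runnable control evidence the text calls for, in place of screenshots.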
Our view: modernise now, or accept growing audit risk
Many advisory services' observations align with what we see daily: cloud has raised the bar for SOX compliance. The difference between organisations that succeed and those that struggle is not cloud maturity but control maturity.
Professional Insight / Call to Action
If your SOX ITGC framework still assumes static systems, manual controls, and periodic testing, it is already out of date. Now is the time to redesign controls around cloud realities: shared responsibility, automation, continuous monitoring, and clear ownership. At GNAW Resources, we believe modern ITGCs should enable the business, not constrain it, while remaining fully audit-defensible.