On July 26, 2023 the U.S. Securities and Exchange Commission adopted the final rule on "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" (Release No. 33-11216), requiring public companies to disclose material cyber incidents on Form 8-K Item 1.05 within four business days and to provide annual disclosures on cyber risk management in Form 10-K Item 106. The rule became effective December 18, 2023 for the incident disclosure requirement and for fiscal years ending on or after December 15, 2023 for the Form 10-K disclosure. For internal control over financial reporting (ICFR), the effect is equally significant even if quieter: the IT general controls tested under PCAOB AS 2201, "An Audit of Internal Control Over Financial Reporting," are now being evaluated in light of software supply chain exposure, and the 2023 PCAOB staff inspection report highlighted ITGC deficiencies as the leading cause of control failures.
What Are SOX ITGCs and Why Do They Matter for Software?
Sarbanes-Oxley Section 404 requires management of public companies to assess, and external auditors to opine on, the effectiveness of internal control over financial reporting. IT general controls (ITGCs) — access to programs and data, program changes, program development, and computer operations — underpin nearly every application control. PCAOB AS 2201 and SEC Regulation S-X Rule 2-02(f) require the auditor to test ITGCs when they support a reliance-based audit approach, and when ITGCs fail, the auditor must either perform expanded substantive testing or report a material weakness. Open-source components are now part of the "program development" control objective because a single vulnerable library can flow into a financial-reporting system on the next deploy.
How Did the SEC's 2023 Cyber Rule Change SOX Practice?
The SEC's 2023 rule does not amend Section 404 directly, but Item 106 of Regulation S-K now requires disclosure of processes for assessing, identifying, and managing material risks from cybersecurity threats — including those arising from the company's use of any third-party service provider. The SEC staff has signalled that cyber risk disclosures should be consistent with ICFR assertions, so a company that tells investors its supply chain is managed must be able to show that its ITGCs evaluate open-source and commercial software components. The SolarWinds administrative proceeding (In the Matter of SolarWinds Corp., File No. 3-21784) filed October 30, 2023 is the first enforcement action to connect supply chain disclosure with securities fraud allegations, adding weight to the ICFR connection.
Which ITGCs Are Most Affected by the Software Supply Chain?
The change management ITGC is the most directly affected: auditors now ask whether the change ticket captures the open-source libraries introduced, whether the pipeline enforces a vulnerability threshold, and whether an SBOM is produced. Program development ITGCs — secure coding standards, code review, and quality assurance — increasingly require evidence that the developer toolchain itself is controlled (signed dependencies, locked registries, no unreviewed script execution). Logical access ITGCs extend to the version control system, the package registry, and the CI/CD platform. Computer operations ITGCs now include monitoring of build-system integrity for tampering. The 2023 AICPA Audit Guide for IT Considerations added specific illustrative procedures for open-source component management.
What About PCAOB Staff Inspection Findings?
The PCAOB's 2023 Staff Preview of Observations from 2022 Inspections (Release 2023-007) and the 2024 Spotlight on ITGCs both highlight that auditors frequently failed to test the completeness and accuracy of information used in ITGC procedures, and that third-party software considerations were under-tested. The PCAOB's August 2023 enforcement action against Marcum LLP (File No. 105-2023-026) included ITGC testing deficiencies contributing to civil penalties of USD 3 million. The message from the PCAOB is consistent: testing that stops at the perimeter and ignores software components inside the perimeter is not sufficient.
How Should Companies Evidence Open-Source Controls for SOX?
Four artifacts matter most in a SOX walkthrough when the auditor asks about open-source exposure: an SBOM generated from the production build of every financially relevant application; a change-management ticket showing the SBOM was reviewed and vulnerability thresholds were met before deployment; evidence that the package registry is locked, signed, or both; and a quarterly reconciliation of open-source components to licenses and support status. Where the application is SaaS and the vendor is a third party, a current SOC 2 Type II report and a recent SBOM or equivalent disclosure from the vendor generally close the gap when combined with a TPRM review.
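A policy gate of the kind these artifacts imply, as an added example that is not Safeguard's code or any project's own: it reads a constructed CycloneDX-style SBOM and constructed scanner findings, applies a vulnerability threshold (reachable findings at or above the threshold block the change, unreachable ones are recorded as accepted risk) and a license allowlist, and emits an evidence record that ties the SBOM to a change ticket by its hash. The ticket number and vulnerability IDs are placeholders, not real identifiers.

```python
import hashlib
import json

# Constructed sample SBOM in CycloneDX-like shape; not a real build artifact.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.7", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "WTFPL"}}]},
        {"name": "log4j-core", "version": "2.17.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})
# Constructed scanner findings keyed by (name, version); vulnerability IDs are placeholders.
FINDINGS = {
    ("openssl", "3.0.7"): [{"id": "VULN-PLACEHOLDER-1", "severity": "HIGH", "reachable": False}],
    ("log4j-core", "2.17.1"): [{"id": "VULN-PLACEHOLDER-2", "severity": "MEDIUM", "reachable": True}],
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
DEFAULT_ALLOWLIST = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})

def evaluate_gate(sbom_json, findings, change_ticket, block_at="HIGH", allowlist=DEFAULT_ALLOWLIST):
    """Check an SBOM against vulnerability and license thresholds; return an evidence record."""
    sbom = json.loads(sbom_json)
    violations, accepted_risks = [], []
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        # License threshold: any license outside the allowlist blocks the change.
        for lic in comp.get("licenses", []):
            lic_id = lic["license"]["id"]
            if lic_id not in allowlist:
                violations.append({"component": key, "type": "license", "detail": lic_id})
        # Vulnerability threshold: findings at or above block_at block only when reachable;
        # unreachable ones are kept as accepted risk so the "why not patched" rationale is on record.
        for f in findings.get(key, []):
            if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[block_at]:
                continue
            entry = {"component": key, "type": "vulnerability", "detail": f["id"], "severity": f["severity"]}
            (violations if f["reachable"] else accepted_risks).append(entry)
    return {
        "change_ticket": change_ticket,
        "sbom_sha256": hashlib.sha256(sbom_json.encode()).hexdigest(),
        "components_reviewed": len(sbom["components"]),
        "decision": "BLOCK" if violations else "PASS",
        "violations": violations,
        "accepted_risks": accepted_risks,
    }

if __name__ == "__main__":
    print(json.dumps(evaluate_gate(SBOM_JSON, FINDINGS, "CHG-PLACEHOLDER-0001"), indent=2))
```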
What Penalties and Consequences Apply?
SOX Section 906 criminal penalties for a willfully false CEO/CFO certification run to USD 5 million in fines and 20 years' imprisonment. Section 304 clawback provisions allow recovery of incentive compensation and stock profits following a material restatement caused by misconduct. The SEC's 2022 Universal Clawback rule (Rule 10D-1) strengthens clawback obligations across all listed issuers. Material weaknesses disclosed in Item 9A of Form 10-K have measurable capital-market effects: academic studies show average stock-price declines of 4% to 7% in the week following disclosure. The SEC penalty range under the 2023 cyber rule is case-dependent, but in the SolarWinds action the SEC sought disgorgement and civil penalties against individual officers.
How Safeguard Helps
Safeguard produces the SBOM evidence that SOX auditors increasingly demand, with per-build artifacts linked to the change-management ticket for clean walkthroughs. Griffin AI reachability analysis lets control owners document why a latent CVE did not require immediate remediation — a defensible, evidence-backed answer to the auditor's "why didn't you patch?" question. TPRM workflows consolidate third-party attestations for in-scope service providers and map them to the SOX control catalogue, and policy gates enforce vulnerability, license, and provenance thresholds directly in CI/CD for auditor-ready evidence. Compliance mapping across COSO, COBIT 2019, SOC 2, and ISO 27001:2022 lets ICFR owners satisfy multiple framework obligations from one evidence source.