SOX, SOC & MRC COMPLIANCE
Owns the compliance automation framework across 60+ enterprise systems at a Nasdaq-listed public company — covering SOX-gated workflows, privileged access controls, audit trail automation, and annual review processes across three regulatory frameworks.
- 60+ enterprise systems
- 80% audit prep reduction
- 3 audit frameworks (SOX · SOC · MRC)
- 280+ hours saved/year
THE COMPLIANCE CONTEXT
Operating at a Nasdaq-listed public company means every access decision, system change, and employee lifecycle event is subject to regulatory scrutiny. SOX (Sarbanes-Oxley) mandates strict internal controls over financial systems. SOC 2 requires continuous evidence of security controls. MRC demands documented access reviews.
Without automation, compliance evidence collection is a months-long manual exercise before each audit. With it, every event is already documented, every change is already ticketed, and the evidence package practically assembles itself.
WHAT WAS BUILT
SOX-Gated Access Workflows
All SOX-scoped applications (financial systems, ERP, and reporting tools) are tagged within Freshservice and route through a dedicated change management path. Emergency changes, which can bypass the normal approval flow on non-SOX systems, must still follow the full change ticket procedure on SOX-scoped systems.
- 60+ systems tagged and classified by SOX scope
- Emergency change bypass disabled for all SOX-scoped systems
- Every provisioning and de-provisioning event creates an auditable ticket
- Catalog item visibility restricted: sensitive tools are only visible to the appropriate teams
Privileged Access Controls
Elevated access follows a three-tier model: standard access (auto-approved for appropriate roles), elevated access (requires manager + group owner dual approval), and administrative access (manual review with time-limited assignment). Time-limited Okta groups automatically revoke access after 2 hours with full success/failure logging.
- Dual approval: manager + application owner required for elevated access
- 2-hour time-limited Okta group assignment for administrative access
- Automatic revocation with audit log on expiry
- Failure cases generate immediate alert tickets
- All privileged access events surfaced in compliance tracking dashboard
Automated Audit Trails
100% of employee lifecycle events, access changes, and system modifications create Freshservice tickets with structured audit evidence. The goal: when auditors request evidence, every piece is already documented with timestamps, effective dates, prior/new values, and approval chains.
- Every hire, departure, and employee change creates a traceable ticket
- Prior and new field values captured with effective dates
- Manager confirmation workflows generate approval evidence
- Access grant/revoke events timestamped and cross-referenced
- Reduces annual audit prep time by ~80%
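The three-tier grant model, the 2-hour time-limited administrative assignment with success/failure logging, and the structured audit evidence (timestamp, prior/new value, approval chain) described in the two sections above, as an added Python example. This is not code from the original page or from the author's Freshservice/Okta workflows: `FakeDirectory` is an in-memory stand-in for the Okta group API, `AccessController`, the group names, the user names and the injected removal failure are constructed for the demonstration, and only the 2-hour TTL and the approval roles come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple

class Tier(Enum):
    STANDARD = "standard"
    ELEVATED = "elevated"
    ADMINISTRATIVE = "administrative"
# Approvals required before a grant is executed (the three-tier model above).
REQUIRED_APPROVALS = {
    Tier.STANDARD: frozenset(),                          # auto-approved for eligible roles
    Tier.ELEVATED: frozenset({"manager", "app_owner"}),  # dual approval
    Tier.ADMINISTRATIVE: frozenset({"manager", "app_owner", "manual_review"}),
}
ADMIN_TTL = timedelta(hours=2)  # time-limited group assignment for administrative access

@dataclass(frozen=True)
class AuditEvent:
    """One row of structured evidence: timestamp, prior/new value, approval chain, outcome."""
    timestamp: datetime
    action: str
    user: str
    group: str
    prior_value: str
    new_value: str
    approvals: Tuple[str, ...]
    outcome: str  # "success" or "failure"

@dataclass
class FakeDirectory:
    """Constructed stand-in for the Okta group API: an in-memory dict, not the real SDK."""
    members: Dict[str, Set[str]] = field(default_factory=dict)
    fail_remove: Set[str] = field(default_factory=set)  # users whose removal is made to fail
    def add(self, user, group):
        self.members.setdefault(group, set()).add(user)
    def remove(self, user, group):
        if user in self.fail_remove:
            raise RuntimeError("directory unavailable")
        self.members.get(group, set()).discard(user)
    def is_member(self, user, group):
        return user in self.members.get(group, set())

class AccessController:
    def __init__(self, directory: FakeDirectory, clock: Callable[[], datetime]):
        self.directory, self.clock = directory, clock  # injectable clock for deterministic expiry
        self.expiries: Dict[Tuple[str, str], datetime] = {}
        self.audit: List[AuditEvent] = []
        self.alert_tickets: List[str] = []  # failure cases raise an immediate alert ticket
    def _record(self, action, user, group, prior, new, approvals, outcome):
        self.audit.append(AuditEvent(self.clock(), action, user, group, prior, new,
                                     tuple(sorted(approvals)), outcome))
    def grant(self, user: str, group: str, tier: Tier, approvals: Set[str]) -> bool:
        """Add the user to the group only when the tier's approval chain is complete."""
        if REQUIRED_APPROVALS[tier] - set(approvals):
            self._record("grant_denied", user, group, "none", "none", approvals, "failure")
            return False
        self.directory.add(user, group)
        if tier is Tier.ADMINISTRATIVE:
            self.expiries[(user, group)] = self.clock() + ADMIN_TTL
        self._record("grant", user, group, "none", tier.value, approvals, "success")
        return True
    def expire(self) -> int:
        """Revoke administrative grants past their TTL, logging each outcome; returns the count revoked."""
        now, revoked = self.clock(), 0
        for (user, group), expiry in list(self.expiries.items()):
            if expiry > now:
                continue
            try:
                self.directory.remove(user, group)
            except RuntimeError as exc:  # keep the expiry so the revocation is retried; alert immediately
                self._record("revoke", user, group, Tier.ADMINISTRATIVE.value,
                             Tier.ADMINISTRATIVE.value, {"system"}, "failure")
                self.alert_tickets.append(f"Revocation failed for {user} in {group}: {exc}")
                continue
            del self.expiries[(user, group)]
            self._record("revoke", user, group, Tier.ADMINISTRATIVE.value, "none", {"system"}, "success")
            revoked += 1
        return revoked

def run_demo() -> dict:
    """Constructed scenario: two admin grants, one incomplete elevated request, one failed revocation."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]  # constructed start time
    directory = FakeDirectory(fail_remove={"bob"})
    ctl = AccessController(directory, lambda: now[0])
    full = {"manager", "app_owner", "manual_review"}
    ctl.grant("alice", "finance-admins", Tier.ADMINISTRATIVE, full)
    ctl.grant("bob", "finance-admins", Tier.ADMINISTRATIVE, full)
    carol_granted = ctl.grant("carol", "erp-power-users", Tier.ELEVATED, {"manager"})  # app_owner missing
    now[0] += timedelta(hours=1)
    revoked_early = ctl.expire()  # nothing has reached the 2-hour limit yet
    now[0] += timedelta(hours=1, minutes=1)
    revoked_late = ctl.expire()   # alice revoked; bob's removal fails and raises an alert ticket
    return {"carol_granted": carol_granted, "revoked_early": revoked_early, "revoked_late": revoked_late,
            "alice_still_member": directory.is_member("alice", "finance-admins"),
            "bob_still_member": directory.is_member("bob", "finance-admins"),
            "alert_tickets": len(ctl.alert_tickets), "audit_events": len(ctl.audit),
            "failures": sum(1 for e in ctl.audit if e.outcome == "failure")}
```

The design point worth noticing is the failure path in `expire()`: a revocation that does not succeed is logged as a failure, raises an alert ticket immediately, and leaves the expiry in place so the next sweep retries it, rather than silently dropping the record and leaving a stale administrative membership.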
User Access Reviews (UAR)
Maintains a master compliance tracking spreadsheet across SOX, SOC 2, MRC, and ISO frameworks. Coordinates evidence collection across 60+ systems, tracks documentation status, and flags gaps before they become audit findings.
- Master tracking sheet spans all four frameworks
- Status tracking per system: evidence collected, gaps flagged, review complete
- Cross-references access events with HR records for completeness
- Automated reminders to system owners for outstanding reviews
Change Management Policy
Authored and enforces the full change management policy governing all catalog items and automation workflows — defining normal, fast-track, and emergency change types with corresponding approval requirements and notification chains. Maintains a meticulous developer changelog for all workflow modifications.
- Three change types: normal (5-day lead), fast-track (2-day), emergency (same-day with manager approval)
- SOX-scoped changes always require the normal change process regardless of urgency
- Developer changelog documents every workflow change with date, scope, and approver
- Policy reviewed and updated annually as part of the audit cycle
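The change routing rule shared by the SOX-gated workflows section and the change management policy above (three change types with their lead times, manager approval for emergencies, and SOX-scoped systems always taking the normal process) as an added Python example. It is not the author's Freshservice configuration: `SOX_SCOPE_TAGS`, `ChangeRequest`, the sample systems, dates and the approver name are constructed, and treating an untagged system as SOX-scoped (fail closed) is an assumption of this example, not a rule stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List

class ChangeType(Enum):
    NORMAL = "normal"
    FAST_TRACK = "fast-track"
    EMERGENCY = "emergency"

# Lead times from the policy above: days between submission and the earliest implementation date.
LEAD_TIME_DAYS = {ChangeType.NORMAL: 5, ChangeType.FAST_TRACK: 2, ChangeType.EMERGENCY: 0}

# Constructed SOX-scope tags standing in for the per-system tags kept in Freshservice.
SOX_SCOPE_TAGS: Dict[str, bool] = {"erp": True, "financial-reporting": True, "wiki": False}

def is_sox_scoped(system: str) -> bool:
    # Assumption (fail closed): a system with no tag is treated as SOX-scoped until classified.
    return SOX_SCOPE_TAGS.get(system, True)

@dataclass(frozen=True)
class ChangeRequest:
    system: str
    requested_type: ChangeType
    submitted: date
    planned: date              # date the requester wants to implement
    approvals: FrozenSet[str]  # roles that have signed off so far
    approver: str              # name recorded in the developer changelog

def effective_change_type(req: ChangeRequest) -> ChangeType:
    """SOX-scoped changes always take the normal process regardless of requested urgency."""
    return ChangeType.NORMAL if is_sox_scoped(req.system) else req.requested_type

def validate(req: ChangeRequest) -> List[str]:
    """Return the policy violations for a request; an empty list means it may proceed."""
    problems = []
    ctype = effective_change_type(req)
    if ctype is not req.requested_type:
        problems.append(f"{req.system} is SOX-scoped: '{req.requested_type.value}' request routed as 'normal'")
    earliest = req.submitted + timedelta(days=LEAD_TIME_DAYS[ctype])
    if req.planned < earliest:
        problems.append(f"{ctype.value} change needs a {LEAD_TIME_DAYS[ctype]}-day lead; earliest {earliest.isoformat()}")
    if ctype is ChangeType.EMERGENCY and "manager" not in req.approvals:
        problems.append("emergency change requires manager approval")
    return problems

def changelog_entry(req: ChangeRequest) -> str:
    """Developer changelog line with the date, scope, change type and approver the policy requires."""
    scope = "SOX" if is_sox_scoped(req.system) else "non-SOX"
    return f"{req.submitted.isoformat()} | {req.system} ({scope}) | {effective_change_type(req).value} | approved by {req.approver}"

# Constructed requests: an urgent ERP fix (SOX-scoped), a wiki fast-track, a wiki emergency without sign-off.
SAMPLE_REQUESTS = [
    ChangeRequest("erp", ChangeType.EMERGENCY, date(2024, 3, 1), date(2024, 3, 1), frozenset({"manager"}), "j.doe"),
    ChangeRequest("wiki", ChangeType.FAST_TRACK, date(2024, 3, 1), date(2024, 3, 3), frozenset(), "j.doe"),
    ChangeRequest("wiki", ChangeType.EMERGENCY, date(2024, 3, 1), date(2024, 3, 1), frozenset(), "j.doe"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(changelog_entry(req), "->", validate(req) or "OK")
```

The first sample request shows the gate in action: an emergency change against the ERP is downgraded to the normal process and then fails the 5-day lead-time check, so the urgency of the request never lets it skip the SOX-scoped path.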