SOX-Style Product Security ITGC Finding Template

Title

Production deployment controls do not provide sufficient segregation of duties

Criteria

Document the expected control design, policy, or operating requirement.

Condition

Describe what was observed in the sample and how often it occurred.

Cause

Explain why the issue exists.

Risk / Effect

Explain the control failure in business terms:

unauthorized change risk
incomplete evidence risk
privileged misuse risk
integrity / availability / confidentiality impact

Recommendation

State the practical remediation steps.

Suggested fields

Severity / deficiency classification
In-scope systems
Sample size / sample IDs
Control owner
Due date
Compensating controls
Retest evidence