← Back to All Courses
Path A — SOX & Controls Analyst

You don't just study
SOX controls.
You perform them.

A 4-month practitioner simulation set inside a fictional NYSE-listed energy company. Every lesson produces a real deliverable. Every lab uses a live SAP S/4HANA system. You graduate with 23 completed workpapers and a portfolio that proves what you can do.

Enrol Now → See How It Works
What you graduate with
23
Completed professional workpapers — ITGC tests, RCMs, findings, walkthroughs
8
SOX modules covering every skill in IT Controls job descriptions
1
Complete SOX audit cycle worth of practitioner experience in NovaTech S.A.
37
Years of Big 4 SAP GRC practitioner experience behind every lesson

Why career changers
struggle to break in —
and why it isn't their fault.

Every IT SOX Analyst job description asks for 2–3 years of experience. But every training programme gives you theory and a certificate. There is a gap between what employers want and what most training delivers.

  • Courses teach what SOX is. They don't teach you to test a control end-to-end.
  • Certificates prove you attended. They don't prove you can produce a workpaper.
  • Generic labs don't simulate real SAP environments or real client scenarios.
  • No portfolio means every interview starts from zero — explaining what you know rather than showing what you've done.
  • No SAP system access means candidates have seen screenshots but never navigated SUIM or SU01.

What TIB Path A
does differently —
every single lesson.

  • Live SAP S/4HANA 2023 system. You execute real transactions — SUIM, SU01, SE10, SM37, RZ11, SM20 — not simulations.
  • NovaTech S.A. scenario throughout. Every lab is set inside a real fictional company with named characters, real risks, and real consequences.
  • Every lesson produces a deliverable. Workpapers, RCM extracts, findings, walkthrough memos — documents you can show in an interview.
  • Gold standard evidence requirements. Screenshots labelled to SARA standard, workpapers reviewed against external audit quality.
  • 37-year Big 4 practitioner. Not a course designer. Someone who has done this work on real SOX engagements at multinational scale.
How every lesson works

Four steps. One connected workflow.
Real output at every stage.

The lesson flow is not theory → quiz → next lesson. It is theory → SAP navigation → professional deliverable → portfolio addition. Every lesson leaves you with something tangible.

Step 01
📄
Lesson Notes
Practitioner-written theory grounded in the NovaTech S.A. scenario. You read about a real control, a real risk, and a real consequence — not abstract concepts.
Read & Understand
Step 02
🔬
Lab Exercise
You log into the live SAP S/4HANA system and execute the exact transactions described in the notes. Step-by-step instructions with screenshot evidence standards and red flag guidance.
Produce & Document
Step 03
📋
Project
You use your Lab output to produce a professional deliverable — a test workpaper, RCM entry, audit finding, or walkthrough memo — written as if Daniel Ferreira, your Controls Manager, will review it tomorrow.
Build Portfolio
Step 04
🏆
Feedback & Next
Your instructor reviews your submission against the gold standard worked example. You receive specific, practitioner-level feedback before advancing to the next lesson.
Refine & Advance
The NovaTech S.A. Scenario

You don't study controls in theory.
You work inside a company.

From Lesson 1 to your final project, you are a trainee IT Controls Analyst at NovaTech S.A. — a fictional NYSE-listed oil and gas services company headquartered in Port Meridian, Arcadia. The company is SOX-regulated, runs SAP S/4HANA 2023, employs 4,200 staff across 9 countries, and has an upcoming external audit window.

You report to Daniel Ferreira, Controls Manager. The external audit is being led by a Big 4 firm. The Audit Committee expects quarterly reporting. There are real characters, real risks, and — when you find them — real findings. The NovaTech scenario makes every lab feel like day one of a real engagement.

This is not a simulation for its own sake. It is designed so that when an interviewer asks "walk me through a control you've tested," you answer with a specific transaction, a specific finding, and a specific workpaper — not a general description of what ITGC testing involves.

"The NovaTech experience means graduates arrive at their first real engagement already knowing how to navigate the system, how to write a finding, and how to handle pushback. That shortens the ramp-up from months to weeks." — Managing Partner, TIB Systems Llc. | 37+ Years SAP Security & GRC | Big 4 Practitioner
NovaTech S.A. — Client Profile
CompanyNovaTech S.A.
LocationPort Meridian, Arcadia
IndustryOil & Gas Services
ExchangeNYSE Listed
SOX StatusSection 404(a) + 404(b)
SAP SystemS/4HANA 2023 FPS01
System SIDNTS
Employees4,200 · 9 countries
Your managerDaniel Ferreira
Your roleTrainee IT Controls Analyst
The 8-Module Programme

Every module builds on the last.
Every lesson produces something real.

Path A covers every skill that appears in IT SOX Analyst job descriptions. The sequence mirrors a real SOX programme cycle — from orientation through testing, documentation, business processes, SAP access, walkthroughs, and remediation.

Module 1 · Week 1
SAP & the Business Compliance Landscape
3 lessons · 12 hours
You StudyYou Produce
  • What SAP is and why large companies run it
  • SOX, PCAOB, COSO — why compliance exists
  • The controls team org structure and your role
  • NovaTech SAP Environment Profile
  • Regulatory Brief for Finance Director
  • NovaTech Controls Org Chart and Role Description
Module 2 · Weeks 1–2
IT General Controls — The Core of Every SOX Engagement
4 lessons · 26 hours
You StudyYou Produce
  • Logical access: provisioning, UAR, privileged access
  • Change management: DEV→QAS→PRD, transport SoD
  • IT operations: backup, job monitoring, incidents
  • ITGC testing: design vs. operating effectiveness, sampling
  • User Access Review Workpaper (full population)
  • Change Management Testing Workpaper
  • IT Operations Testing Workpaper
  • Password Policy ITGC Workpaper
Module 3 · Week 3
Controls Documentation — Writing Controls That Pass Audit
3 lessons · 16 hours
You StudyYou Produce
  • The 5 C's of a well-written control
  • Risk and Control Matrices — structure and rollforward
  • Evidence management — SARA standard and packaging
  • 5-control NovaTech RCM (Logical Access domain)
  • Full evidence package with index and SARA annotation
  • Controls rewrite — 3 deficient controls corrected
Module 4 · Week 4
Business Process Controls — P2P, O2C, and R2R
3 lessons · 16 hours
You StudyYou Produce
  • Procure-to-Pay: three-way match, SoD conflicts
  • Order-to-Cash: credit management, revenue cut-off
  • Record-to-Report: journal entries, reconciliations, period close
  • P2P walkthrough document (one transaction traced)
  • O2C Risk and Control Matrix (4 controls)
  • Journal Entry testing workpaper (7 risk criteria applied)
Module 5 · Weeks 5–6
SAP Access Risk — What Controls Professionals Must Know
3 lessons · 16 hours
You StudyYou Produce
  • SAP roles, profiles, and authorisation objects
  • Segregation of Duties — conflicts, reports, mitigating controls
  • Sensitive access, firefighter access, User Access Reviews
  • Role Assessment for one NovaTech Finance role
  • SoD Risk Register (5 users, conflict details, remediation)
  • Sensitive Access Review Workpaper
Module 6 · Weeks 6–7
Walkthroughs — How to Explain Controls to an Auditor
2 lessons · 11 hours
You StudyYou Produce
  • Purpose of walkthroughs vs. testing — what auditors look for
  • Leading a walkthrough: pacing, evidence, handling questions
  • Walkthrough preparation pack (P2P approval control)
  • Walkthrough documentation memo (narrative format)
Module 7 · Weeks 7–8
Issue Identification and Remediation
2 lessons · 11 hours
You StudyYou Produce
  • Three-level deficiency framework: deficiency → sig. def. → material weakness
  • Remediation planning, issue tracking, retest execution
  • Deficiency Assessment (3 NovaTech findings, 5 C's format)
  • Remediation Plan and Retest Workpaper
Module 8 · Week 8
Job Preparation — Resume, LinkedIn, Interview, Search
4 lessons · 18 hours
You StudyYou Produce
  • ATS-optimised resume — keywords and positioning
  • LinkedIn for SOX/Controls roles — headline and About
  • Interview preparation — STAR answers from training work
  • 30-company target list and 4-week application plan
  • Your complete SOX Controls Analyst resume
  • LinkedIn profile draft (headline, About, Experience)
  • 10 Q&A pairs with STAR answers from NovaTech work
  • 30-company target list with outreach calendar
Your Graduate Portfolio

You don't need to tell employers
what you can do. You show them.

Every completed deliverable goes into your portfolio. When an interviewer asks "have you ever written a controls workpaper?" you don't say "in my training we covered that." You say "yes — here it is."

23
Portfolio Documents
8
ITGC Workpapers
4
Business Process Docs
1
Complete Audit Cycle
M1 · L1
NovaTech SAP Environment Profile
System overview · interview ready
M1 · L2
Regulatory Brief — SOX at NovaTech
Compliance memo · professional format
M1 · L3
Controls Org Chart & Role Description
Org design · first 90 days plan
M2 · L1
User Access Review Workpaper
Full UAR · SUIM + SU01 evidence
M2 · L2
Change Management Testing Workpaper
SE10 · STMS · developer SoD test
M2 · L3
IT Operations Testing Workpaper
SM37 · backup log · SM21 analysis
M2 · L4
Password Policy ITGC Workpaper
RZ11 · design + operating effectiveness
M3 · L2
NovaTech Risk & Control Matrix
5-control RCM · Logical Access domain
M3 · L3
SARA Evidence Package
Indexed · annotated · audit-ready
M4 · L1
P2P Walkthrough Document
ME23N · MIGO · MIRO · traced end-to-end
M4 · L3
Journal Entry Testing Workpaper
7 risk criteria · FB03 · SE16N
M5 · L2
SoD Risk Register
5 users · SUIM · conflict + remediation
M5 · L3
Sensitive Access Review Workpaper
SAP_ALL · SAP_NEW · firefighter review
M6 · L2
Walkthrough Documentation Memo
P2P control · narrative format
M7 · L1
Deficiency Assessment
3 findings · 5 C's · severity rated
M7 · L2
Remediation Plan & Retest Workpaper
Action · owner · date · success criteria
M8 · L1
SOX Controls Analyst Resume
ATS-optimised · NovaTech experience
M8 · L3
Interview Answer Bank
10 Q&A pairs · STAR from training

Plus 5 additional deliverables across M1, M4, M5, M6, and M8. Full portfolio inventory available to enrolled students in the Career Intelligence Library.

Mentoring & Feedback

You are not learning alone.
A 37-year practitioner reviews your work.

TIB Path A is taught by a Managing Partner and Principal Consultant with over 37 years of Big 4 SAP GRC practitioner experience. Not a course designer. Someone who has led SAP Security implementations, GRC deployments, and compliance programmes across multiple industries and continents.

Your work is reviewed against the gold standard used in real Big 4 engagements — not against a multiple-choice answer key. When you submit a workpaper, the feedback tells you what would pass external audit review and what needs to change.

  • 📖
    Weekly Q&A sessions — live, recorded, open to all questions
  • ✍️
    Project feedback within 5 business days — specific, not generic
  • 🎯
    Gold standard worked examples included in every Project guide
  • 💼
    Interview preparation with real scenario walk-throughs
  • 📚
    Career Intelligence Library — updated weekly throughout your enrolment
Instructor-Led vs Self-Paced

Choose the intensity that fits your life.

Both tracks cover the same curriculum and produce the same portfolio. The difference is the level of live access and pacing.

Live SAP S/4HANA Access

The same system you'll
use on day one of your first job.

Every lab exercise is performed in a live SAP S/4HANA 2023 sandbox environment configured for the NovaTech S.A. scenario. This is not a simulation, a screenshot walkthrough, or a virtual lab. You log in with real credentials, navigate real menus, execute real transactions, and produce real output.

Candidates who have used SAP before an interview stand out immediately. The questions interviewers ask — "Have you run a SUIM report?" "Can you read a SU01 Roles tab?" "Have you navigated SE10?" — are questions Path A graduates can answer with specifics, not generalities.

Access is provisioned from Day 1 of your enrolment and remains active throughout your programme.

Transactions you will execute
SUIM
User Information System — population extracts, role searches
SU01
User Maintenance — individual user review and role inspection
SE10
Transport Organiser — change management evidence
STMS
Transport Management System — three-system landscape
RZ11
Profile Parameters — security parameter testing
SM20
Security Audit Log — login events, failed logons
SM37
Job Overview — batch job monitoring
PFCG
Profile Generator — role content review
FB03
Display FI Documents — financial transaction review
ME23N
Display Purchase Order — P2P cycle navigation
OB52
Posting Period Control — period close management
SE16N
Table Browser — database-level evidence extraction
Curriculum vs. Market

Every skill employers demand.
Every one covered in Path A.

Based on analysis of 50+ live IT SOX Analyst job descriptions across USA, UK, UAE, Australia, and India from TIB-MKT-JOB-003 (June 2026).

Skill Demanded in Job DescriptionsFrequencyPath A CoverageLesson
SOX 404 / ITGC knowledge98% of postings✦ Full moduleM1–M2
SAP S/4HANA familiarity82% of postings✦ Every labM1–M7
Logical access controls testing91% of postings✦ Full workpaperM2-L1
Change management controls88% of postings✦ Full workpaperM2-L2
Risk & Control Matrix (RCM)79% of postings✦ Build exerciseM3-L2
Control writing / documentation85% of postings✦ Dedicated lessonM3-L1
Evidence collection & management76% of postings✦ SARA frameworkM3-L3
Business process controls (P2P/O2C/R2R)72% of postings✦ Full moduleM4
Segregation of Duties (SoD)86% of postings✦ Dedicated lessonM5-L2
Audit walkthroughs68% of postings✦ Full moduleM6
Deficiency classification and escalation71% of postings✦ Framework + caseM7-L1
COSO 2013 / COBIT framework awareness65% of postings✦ Lesson contextM1-L2
Who Path A Is For

You don't need an SAP background.
You need the right starting point.

Path A was designed for career changers. The only prerequisite is that you are serious about making the transition — and prepared to do the work.

💼
Finance & Accounting Professionals
You understand financial reporting and period close. Path A adds the SAP technical layer and controls testing skill that moves you from Finance into a Controls Analyst role. Your existing knowledge of GL, AP, and AR gives you a significant advantage.
🔍
Internal Auditors Moving into IT
You know how to test and document. Path A adds the SAP system knowledge and ITGC technical depth that allows you to lead IT controls testing rather than supporting it. You will recognise the methodology — the SAP layer is what you're adding.
💻
IT Professionals Pivoting to Compliance
You understand systems and infrastructure. Path A teaches you the controls framework — SOX, ITGC, RCMs — that converts technical knowledge into compliance value. The SAP navigation will come naturally; the testing methodology is what you're building.
🎓
Recent Graduates with Finance or IT Degrees
You have the academic foundation. Path A gives you the practical layer — live SAP experience, completed workpapers, and a portfolio — that most entry-level candidates lack. You graduate from the programme ahead of peers with more years of generic experience.
🌍
International Professionals Entering New Markets
SOX compliance skills are globally portable — the market intelligence covers USA, UK, UAE, India, and Australia. Path A produces portfolio documents that demonstrate capability regardless of geography, and the NovaTech scenario reflects multinational corporate practice.
🔄
Career Changers from Any Professional Background
The controls profession values analytical thinking, attention to detail, and professional communication. If you have demonstrated these in any professional context, Path A provides the specific technical layer. No SAP background required to start.
Path A may not be right for you if: you are already working in an IT SOX Analyst role and primarily need SAP GRC deep-dive technical training. In that case, the TIB Controls Lead programme (90-procedure suite, Domains A–N) is a better fit.
Enrolment Investment

Path A Pricing

Both tracks cover the identical 8-module curriculum and produce the same 23-document portfolio. The difference is the level of live instructor access and cohort experience.

Self-Paced + Q&A Support
Path A — Self-Paced
Pay in Full
$597
or
Monthly
$199/mo × 4

4-month programme · enrol and start within 48 hours

  • Full 8-module curriculum with Lesson Notes
  • All 23 Lab Guides with step-by-step SAP instructions
  • All 23 Project templates with worked examples
  • Live SAP S/4HANA 2023 system access
  • Weekly Q&A sessions (recorded)
  • Career Intelligence Library — updated weekly
  • Resume templates and LinkedIn guide
  • 270+ interview questions with STAR narratives
Enrol — Self-Paced →
Most Comprehensive
Instructor-Led · Live Cohort
Path A — Instructor-Led
Pay in Full
$1,597
or
Monthly
$399/mo × 4

4-month programme · cohort-based · live sessions

  • Everything in Self-Paced, plus:
  • Live weekly Zoom/Teams sessions with lead instructor
  • Cohort peer group — go through together
  • Direct instructor access throughout
  • Workpaper review within 5 business days
  • Live walkthrough simulation with feedback
  • Priority career placement support
Enrol — Instructor-Led →
Not sure which track is right for you? Book a no-obligation enrolment consultation.  ·  Path B (IT Audit Analyst) is priced identically and covers the same modules from the auditor perspective.
Frequently Asked Questions

Everything you need to know
before you enrol.

No. Path A is designed for career changers with no prior SAP experience. Lesson 1 starts with "what SAP is" — in plain English, no jargon assumed. Every lab guide provides step-by-step navigation instructions, so you learn the system as you go. By Module 2 you will be running SUIM reports and reviewing user records independently.
You receive login credentials for a TIB-hosted SAP S/4HANA 2023 sandbox environment. You access it through your web browser — no installation required. The system is configured with NovaTech S.A. data and training users. You can log in, execute transactions, and extract reports exactly as you would in a real client engagement. Access is available 24/7 throughout your 4-month programme.
Full-Time track: approximately 15–20 hours per week over 8 weeks. Part-Time track: approximately 8–10 hours per week over 16 weeks. Most students complete the programme alongside full-time employment. The self-paced format means you control your weekly schedule — the only fixed commitment is the weekly Q&A session (also recorded if you cannot attend live).
Your portfolio is a collection of 23 completed professional documents — ITGC workpapers, RCM extracts, audit findings, walkthrough memos, and job preparation materials. These are documents you produced during your training, set inside the NovaTech S.A. scenario. In interviews, you share specific examples: "Here is the UAR workpaper I completed for the NovaTech Finance user population — I extracted the active user list from SUIM, reviewed each user in SU01, and documented two findings." This is the kind of specific, evidenced answer that career changers rarely have. Your portfolio gives you those answers for every area covered in the programme.
Path A (SOX & Controls Analyst) trains you to work inside a company, building and running controls — the controls team perspective. You report to management and present to auditors. Target roles: IT Controls Analyst, SOX Analyst, IT Compliance Analyst, GRC Analyst. Path B (IT Audit Analyst) trains you to work as an independent auditor — testing controls, writing findings, and communicating results to management. Target roles: IT Auditor, Internal Auditor, Technology Risk Analyst. Both use the NovaTech S.A. scenario and the same SAP system. In Path B you are the auditor reviewing the work of a Path A colleague.
Yes — you receive a TIB Systems Certificate of Completion for Path A upon completing all 8 modules. More importantly, you graduate with 23 portfolio documents that demonstrate practical capability. The certificate is the proof you completed the programme. The portfolio is the proof you can do the work. Both go on your LinkedIn profile and CV.
Based on TIB-MKT-JOB-003 (June 2026 market intelligence): entry-level IT SOX Analyst roles range from $55,000–$80,000/year in the USA, £35,000–£52,000 in the UK, and $60,000–$110,000 (tax-free) in the Gulf. S/4HANA experience commands a 15–25% premium over ECC-only roles. These are market figures, not guarantees — compensation depends on your location, prior experience, and the employer. Full salary data by region and role level is available in the Career Intelligence Library.
Yes — contact us at admin@tib-systems.com and we will arrange an upgrade. You pay the difference between the two tracks. All progress and submitted work is carried over. Switching is typically possible up to the end of Module 4 (the halfway point).

Your portfolio starts
with your first lesson.

Enrol in Path A today. Within 48 hours you will have access to the NovaTech S.A. SAP system, your first Lesson Notes, your first Lab Guide, and your first Project template. By the end of Week 1 you will have completed your first professional portfolio document.

Enrol in Path A → View Path B Instead ← All Courses
© 2026 TIB Systems Llc. · Path A — SOX & Controls Analyst · Atlanta · Hyderabad · RAK
All Courses Path B Library Contact