External auditors are starting to ask a new question in SOX programs: “Is your data lake or data warehouse in scope?”

For many teams, the answer isn’t clear—and the implications are significant. As organizations modernize their data environments, Internal Audit and SOX leaders are being forced to rethink how data flows, reporting layers, and aggregation systems impact financial reporting and controls.

In this session, Jason Winter, Head of SOX at Expedia, will break down how leading teams are approaching this challenge using a practical, risk-based lens. He will walk through real-world examples of how to scope ITGCs across data pipelines, interfaces, and reporting environments—without over-scoping or creating unnecessary control burden.

Attendees will leave with a clearer framework for evaluating their own environments, aligning with external auditors, and confidently navigating one of the fastest-emerging areas in SOX compliance.

Learning Objectives
After attending this session, participants will be able to:

Explain why data lakes and data warehouses are increasingly relevant to SOX compliance and financial reporting

Apply a risk-based approach to scoping ITGCs, including identification of impacted FSLIs, processes, and data dependencies

Identify key control considerations across data flows, including upstream systems, interfaces, and reporting tools

Evaluate common SOX control expectations for data environments, including access, change management, and data integrity controls

Recognize common challenges (e.g., data quality, access, co-mingling) and leading practices to address them

Determine how to document and support scoping decisions for data lakes and warehouses in coordination with external auditors