Access controls around financial data must be documented and tested. - Audit trails must be maintained for all changes to financial data. - Segregation of duties must be enforced (developers cannot have production access).