SOX Compliance
This guide maps SIX capabilities to Sarbanes-Oxley (SOX) requirements for organizations using AI in financial reporting, analysis, or decision-making processes.
Self-Attested Alignment
This mapping represents architectural alignment with SOX requirements, not formal certification. Your organization's external auditor and legal counsel make the final determination of SOX compliance. SIX provides cryptographic audit trail tools that support your internal controls framework.
Why SOX Matters for AI
When AI assists in financial reporting or decision-making, SOX requires that you can:
- Prove the AI output was not altered (Section 302 certification)
- Demonstrate effective internal controls over AI processes (Section 404)
- Maintain audit trails for AI-assisted decisions (Section 802)
- Detect and prevent fraud in AI-assisted processes (Section 906)
Traditional AI providers give you contractual assurances. SIX gives you cryptographic proof.
Section 302 -- Corporate Responsibility for Financial Reports
Requirement: CEO and CFO must certify that financial reports are accurate and that internal controls are effective.
| SOX 302 Concern | SIX Capability |
|---|---|
| AI outputs used in reports are authentic | Signed receipts prove execution integrity |
| AI outputs were not modified after generation | Tamper-evident commitments detect any alteration |
| The AI process can be audited | Receipt verification provides an independent check |
| Officers can certify with confidence | Mathematical proof replaces trust-based assurance |
How it helps: When an AI-assisted analysis contributes to a financial report, the SIX receipt proves that the output was generated by the specified model, on the specified infrastructure, at the specified time, and has not been altered since. An officer certifying the report can point to cryptographic proof rather than relying on vendor assurances.
Section 404 -- Management Assessment of Internal Controls
Requirement: Management must assess and report on the effectiveness of internal controls over financial reporting. External auditors must attest to management's assessment.
Internal Control Requirements
| Control Requirement | SIX Implementation |
|---|---|
| Process documentation | API call records + signed receipts document every AI interaction |
| Control testing | Receipt verification is a repeatable, automated control test |
| Evidence of effectiveness | Verification results prove controls worked for each transaction |
| Deficiency detection | Verification failures immediately indicate control breakdowns |
Control Testing with SIX
SIX receipts enable automated control testing for AI processes:
```python
from datetime import datetime, timezone

# verify_receipt is the SIX receipt verification call (see the Verification
# Guide); it is assumed to return a dict with a "status" key whose value is
# "verified" when the receipt checks out.


def sox_404_control_test(receipt_ids):
    """
    Automated SOX 404 control test for AI inference integrity.
    Run periodically (daily/weekly) and retain results.
    """
    test_results = {
        "test_name": "AI Inference Integrity Control",
        # Timezone-aware UTC timestamp so the record carries an explicit offset.
        "test_date": datetime.now(timezone.utc).isoformat(),
        "total_tested": len(receipt_ids),
        "passed": 0,
        "failed": 0,
        "failures": [],
    }
    for receipt_id in receipt_ids:
        result = verify_receipt(receipt_id)
        if result["status"] == "verified":
            test_results["passed"] += 1
        else:
            # Record each failure individually so auditors can trace it.
            test_results["failed"] += 1
            test_results["failures"].append({
                "receipt_id": receipt_id,
                "status": result["status"],
                "tested_at": datetime.now(timezone.utc).isoformat(),
            })
    # The control is effective only when every tested receipt verified.
    test_results["control_effective"] = test_results["failed"] == 0
    return test_results
```
Auditor-ready output
The control test output above is designed to be presented directly to external auditors. It documents what was tested, when, and the results -- with cryptographic proof backing each result.
Section 802 -- Criminal Penalties for Altering Documents
Requirement: Prohibits the destruction, alteration, or falsification of records related to federal investigations or bankruptcy.
| SOX 802 Concern | SIX Capability |
|---|---|
| Records cannot be altered | Cryptographic commitments make alteration detectable |
| Records cannot be destroyed without detection | Settlement anchoring creates an independent, immutable record |
| Alterations are detectable | Any modification breaks the cryptographic proof |
| Records are independently verifiable | Third parties can verify without trusting the record keeper |
How it helps: SIX receipts are anchored to an immutable ledger. Even if someone deleted the receipt from your local storage, the settlement anchor on the independent ledger would remain. This creates a tamper-evident, destruction-resistant audit trail for every AI-assisted financial process.
Section 906 -- Corporate Responsibility for Financial Reports (Criminal)
Requirement: CEO and CFO certify that periodic reports fully comply with SEC requirements and fairly present the financial condition. Violations carry criminal penalties.
| SOX 906 Concern | SIX Capability |
|---|---|
| AI outputs are genuine | Signed receipts with verifiable signatures |
| AI process is trustworthy | Independent verification proves integrity |
| Certification is defensible | Mathematical proof provides legal defensibility |
Audit Trail Architecture
For SOX compliance, build an audit trail that captures every AI interaction:
```text
Financial Process
      |
      v
AI Inference (via SIX)
      |
      +---> Response (used in financial analysis)
      |
      +---> Receipt (stored in audit system)
      |
      +---> Verification (automated, periodic)
      |
      +---> Audit Report (for external auditors)
```
Recommended Audit Record
```json
{
  "transaction_id": "fin-2025-001234",
  "timestamp": "2025-01-15T14:32:00Z",
  "process": "quarterly_revenue_analysis",
  "ai_interaction": {
    "receipt_id": "rcpt_f8c505ce3a...",
    "model": "default",
    "routing": "sovereign",
    "purpose": "Revenue forecast model input analysis"
  },
  "verification": {
    "status": "verified",
    "verified_at": "2025-01-15T14:32:05Z",
    "method": "api",
    "attestation_integrity": "valid",
    "settlement_status": "anchored"
  },
  "control_owner": "finance_team",
  "reviewed_by": "controller@company.com"
}
```
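The following is an added example, not SIX's own code, showing the audit-trail step from the architecture above: a verification result (in the same shape the control test relies on) is assembled into the recommended audit record and stored together with a content commitment, so that any later edit to the stored record is detectable in the way the Section 802 mapping describes. The commitment scheme (SHA-256 over canonical JSON) and the verification-result shape are assumptions for illustration; the receipt id is a placeholder.

```python
import hashlib
import json

# Constructed sample verification result, in the shape the control test
# above assumes (a dict carrying "status"); not output from a real SIX call.
SAMPLE_VERIFICATION = {
    "status": "verified",
    "verified_at": "2025-01-15T14:32:05Z",
    "method": "api",
    "attestation_integrity": "valid",
    "settlement_status": "anchored",
}

def canonical_bytes(record):
    # Deterministic serialization (sorted keys, fixed separators, no
    # whitespace) so identical content always yields identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commit(record):
    # Content commitment over the record: SHA-256 of the canonical JSON.
    # Illustrative scheme for this example, not SIX's receipt format.
    return hashlib.sha256(canonical_bytes(record)).hexdigest()

def build_audit_record(transaction_id, timestamp, process, ai_interaction,
                       verification, control_owner, reviewed_by):
    # Assemble the recommended audit record and bind a commitment to it.
    record = {
        "transaction_id": transaction_id,
        "timestamp": timestamp,
        "process": process,
        "ai_interaction": ai_interaction,
        "verification": verification,
        "control_owner": control_owner,
        "reviewed_by": reviewed_by,
    }
    return {"record": record, "commitment": commit(record)}

def check_audit_record(stored):
    # Recompute the commitment from the stored content; editing any field
    # after storage changes the digest and fails this check.
    return commit(stored["record"]) == stored["commitment"]

def example_record():
    # Constructed record matching the schema above; the receipt id is a
    # placeholder, not a real SIX receipt.
    return build_audit_record(
        "fin-2025-001234", "2025-01-15T14:32:00Z", "quarterly_revenue_analysis",
        {"receipt_id": "rcpt_PLACEHOLDER", "model": "default", "routing": "sovereign",
         "purpose": "Revenue forecast model input analysis"},
        SAMPLE_VERIFICATION, "finance_team", "controller@company.com")
```

Store the commitment separately from the record (for example, alongside the settlement anchor reference) so that an edit to the record alone cannot be hidden by re-hashing it.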
Material Weakness Prevention
A material weakness is a deficiency in internal controls that creates a reasonable possibility of material misstatement. AI-related material weaknesses include:
| Risk | Without SIX | With SIX |
|---|---|---|
| AI output altered before use in reports | No detection mechanism | Tamper-evident receipt -- any change breaks the proof |
| AI process undocumented | Manual documentation, often incomplete | Automatic receipt generation for every interaction |
| No evidence of AI process controls | Relies on policy documentation | Automated control testing with cryptographic proof |
| AI vendor substitutes model without notice | No detection | Routing attestation confirms execution environment |
External Auditor Engagement
When preparing for a SOX audit involving AI processes:
| Step | Action |
|---|---|
| 1 | Provide auditors with SIX receipt documentation |
| 2 | Demonstrate receipt verification (live or recorded) |
| 3 | Present automated control test results |
| 4 | Show the settlement anchor on the independent ledger |
| 5 | Offer auditors the ability to verify receipts independently |
Auditor Independence
SIX's verification model supports auditor independence. Auditors can verify receipts without relying on SIX or your organization -- they only need the receipt, the public key, and a standard cryptographic library.
SOX Compliance Checklist
| Item | Action | Status |
|---|---|---|
| AI processes inventoried | Document all AI-assisted financial processes | |
| Sovereign routing for financial data | Use privacy_tier: "sovereign" for financial workloads | |
| Receipt storage integrated | Receipts stored alongside financial records | |
| Automated control testing | Periodic receipt verification running | |
| Audit trail complete | Every AI interaction has a verifiable receipt | |
| External auditor briefed | Auditors understand SIX receipt verification | |
| Control testing documented | Test procedures and results retained | |
| Settlement anchoring confirmed | Receipts show settlement: "anchored" | |
Next Steps
- HIPAA Compliance -- Healthcare regulatory mapping
- GDPR Compliance -- Data sovereignty requirements
- Verification Guide -- Step-by-step verification
- Attestation Verification -- Execution integrity proof