⚠️ This overlay is a framework operationalization, not legal or audit advice. SOX compliance for AI is an emerging area — PCAOB and SEC guidance is still evolving. Your Internal Audit team, external auditor, and General Counsel must validate scope and obligations.
## 1. When this overlay applies
Apply this overlay per-agent if any of the following is true:
- The agent operates in a workflow that produces, modifies, or supports financial reporting data (general ledger, accounts payable, accounts receivable, revenue recognition, expense classification, financial close, consolidation, disclosures)
- The agent participates in an Internal Control over Financial Reporting (ICFR) activity — even tangentially (e.g., evidence gathering, control testing, anomaly detection in financial data)
- The agent's outputs feed into management's assessment of ICFR effectiveness (§404)
- The agent affects the completeness, accuracy, validity, or restricted access assertions for financial data
- The agent's failure could result in a material misstatement or material weakness in ICFR
Note: Not all financial agents are SOX-relevant. An AI that drafts internal finance memos is likely not SOX-relevant. An AI that routes invoices for AP posting might be. An AI that classifies transactions for revenue recognition almost certainly is.
When in doubt, involve Internal Audit before the agent is built.
## 2. Regulatory references
| Citation | Subject | Applies to |
|---|---|---|
| SOX §302 | CEO/CFO certification of disclosure controls | Quarterly + annual filings |
| SOX §404(a) | Management's assessment of ICFR | Annual report |
| SOX §404(b) | External auditor attestation of ICFR | Most public companies (small-cap exempt under certain conditions) |
| SOX §409 | Real-time disclosure of material changes | All material changes |
| SOX §802 | Document retention (7 years for accounting records) | All accounting records |
| SOX §906 | Criminal penalties for false certification | CEO/CFO |
| PCAOB AS 2201 | Audit of ICFR | External audit |
| 17 CFR §240.13a-15 | Disclosure controls + ICFR | Public companies |
## 3. The core SOX concern for AI: ITGCs + automated controls
AI agents participating in financial reporting workflows raise two layers of SOX scrutiny:
- IT General Controls (ITGCs) — the agent's deployment, change management, access controls, and computer operations must meet the same ITGC bar as any other financial-reporting system.
- Automated controls — if the agent's output IS a control (e.g., "match invoice to PO and flag exceptions"), then the automated control itself must be tested for design and operating effectiveness during the audit period.
A SOX-relevant AI agent is treated like financial-reporting software:
- Change management requires evidence (who changed what, when, why, who approved)
- Access controls require evidence (who has access, segregation of duties, periodic recertification)
- Audit logs are subject to 7-year retention (§802)
- A material flaw in the agent's design or operation may constitute a material weakness in ICFR
## 4. Additions to each core template
templates/01-risk-appetite.md (Risk Appetite Statement)
Add to Section 2 (AI is approved for the following purposes):
SOX-relevant financial workflows: AI is approved for assistive roles (drafting, classifying, ranking) where a human in the ICFR process performs the final review and approval. AI is NOT approved for autonomous execution of any control over financial reporting, journal-entry posting, or audit-evidence generation without human review.
Add to Section 5 (Jurisdictions in scope):
SOX applies: Yes / Subsidiary of SOX-regulated parent / No. If yes, all AI agents touching financial-reporting workflows fall under this overlay.
PCAOB AS 2201 expectations: any AI agent identified as part of an ICFR control will be in-scope for the external auditor's testing.
§802 document retention: all SOX-relevant AI logs, change records, access logs, and supporting documentation retained 7 years from the relevant reporting period end.
templates/02-intake-form.md (Intake Form)
Add to Section 11 (Known constraints):
SOX check (mandatory if agent touches financial systems):
- Does the agent's workflow feed into financial reporting? [Yes / No / Unsure — escalate to Internal Audit]
- Is the agent's output a control or evidence in a SOX-relevant control? [Yes / No / Unsure]
- Has Internal Audit been consulted? [Yes — date / Not yet]
- ITGC implications identified? [Yes — describe / Not yet]
If the answer to either of the first two questions is Yes or Unsure, Internal Audit is consulted automatically before approval at M8.
templates/03-agent-card.md (Agent Card)
Add new section after §13 (or after §14/§15 if other overlays are present):
### §17 — SOX compliance map
| Requirement | Evidence in this Agent Card |
|---|---|
| ITGC: Change management | §12 references CI/CD with PR review (2 reviewers required); changes versioned in source control |
| ITGC: Access controls | §8 identity in IdP; least-privilege scopes; quarterly access recertification |
| ITGC: Computer operations | §9 monitoring + §11 alerting + on-call rotation |
| ITGC: Backup + recovery | §11 audit log retention + agent identity + credentials archived per template 11 |
| Automated control design (if the agent IS a control) | §3 scope + §9 HITL gates + §10 failure modes |
| Automated control operating effectiveness | §12 evaluation (template 08) + ongoing §11 monitoring + periodic re-eval |
| §802 retention (7 years) | §11 audit log retention extended to 7 years for SOX-relevant logs |
| Segregation of duties (SoD) | §8 identity is dedicated to the agent; humans approving (in §9 HITL) have separate identities + cannot be the same person who built or deploys the agent |
### §18 — SOX control narrative (if agent IS or supports a key control)
[Narrative description of the control, the assertion(s) it addresses (Completeness / Accuracy / Validity / Restricted Access), how it operates, how exceptions are handled, how it is monitored.]
Control reference: [Internal Audit's control ID, e.g., F-AP-007]
Assertion(s): [list]
Frequency: [continuous / daily / per-transaction]
Manual review backup (HITL): [yes — describe]
templates/04-responsible-ai-checklist.md (RAI Checklist)
For SOX-scope agents:
- Item 8 (Accountability) — named owner must be a named individual in the Finance / Accounting org chart, with documented SoD (cannot be the same person who developed the agent).
- Item 9 (Audit retention) — minimum 7 years per §802. Override standard 6-month default.
Add new item 12:
| 12 | Internal Audit has reviewed the agent's SOX implications + signed off | [✅ / ❌] | [IA signature + date] |
templates/05-threat-model.md (Threat Model)
Section 2 (STRIDE) — the Repudiation row becomes especially important: agent actions affecting financial data must have a non-repudiable audit trail (immutable, attributable, time-stamped).
Section 6 (DLP plan) — must include financial-data exfiltration paths if the agent has access to material non-public information (MNPI) embedded in financial workflows.
templates/07-pilot-to-prod-checklist.md (Pilot-to-Prod Gate)
For SOX-scope agents, add items 11–13:
| 11 | Internal Audit signed off on the agent as a SOX-relevant control / non-control | [✅ / ❌] | [IA sign-off + classification] |
| 12 | Audit log retention configured for 7 years (§802) | [✅ / ❌] | [Storage policy evidence] |
| 13 | SoD verified — Builder ≠ Agent Owner ≠ HITL Approver | [✅ / ❌] | [Identity mapping evidence] |
templates/08-evaluation-report.md (Evaluation Report)
For SOX-scope agents, the evaluation report becomes audit evidence. The external auditor may inspect it during ICFR testing. Implications:
- Golden set composition + version must be reproducible
- Eval results must be retained 7 years
- Material control deficiencies discovered during eval require notification to Internal Audit (and potentially the external auditor)
- Re-eval cadence must align with the audit period (typically annual fiscal-year coverage)
templates/10-post-mortem.md (Post-Mortem)
Section 9 (Regulatory considerations): a material weakness or significant deficiency assessment is required for any Sev-2+ incident involving a SOX-relevant agent.
- A material misstatement caused (or that could be caused) by the agent triggers a §302 disclosure controls assessment at the next quarterly certification
- Internal Audit must be notified within 5 business days of incident discovery
- Material weakness identification triggers external auditor notification
templates/15-quarterly-exec-readout.md (Quarterly Exec Readout)
For SOX-scope programs, add a compliance status row:
SOX ICFR status: All SOX-relevant agents tested in [reporting period]. [N] automated controls in-scope. [N] deficiencies identified (severity: [list]). External auditor coordination: [status].
## 5. New evidence artifacts required
When this overlay applies, the program must additionally maintain (and retain 7 years per §802):
- SOX-relevance log — for each agent in the registry: is this agent SOX-relevant? Yes / No / Mixed. Signed by Internal Audit.
- Control narratives — for any agent that IS or supports a key control, a written narrative describing the control's design.
- Change management evidence — pull requests, code reviews, deployment approvals, prompt change diffs.
- Access recertification records — quarterly recertification that the right people (and only the right people) have access to the agent and its data.
- Eval reports as audit evidence — retained for external auditor inspection.
- Material deficiency reports (if any) — formal write-up with Internal Audit.
## 6. New approver roles
When this overlay applies:
| Decision | Add to approver list |
|---|---|
| Risk appetite (template 01) | CFO + Internal Audit lead sign |
| Any agent flagged as SOX-relevant (M8) | Mandatory: Internal Audit lead + CFO designee |
| Material change to any SOX-relevant agent (re-deploy with material logic change) | Treated as a change to a financial-reporting system — full ITGC change management |
| Material deficiency determination after an incident | CFO + Internal Audit + General Counsel + (external auditor coordination) |
| Annual ICFR scoping | CFO + Internal Audit + external auditor |
## 7. Per-agent decision tree
For each new agent, walk this tree at triage (M7):
1. Does the agent touch any financial system, financial-reporting workflow, or general ledger data?
├── NO → SOX overlay does NOT apply
└── YES → continue
2. Is the agent's workflow material to ICFR — could a failure cause a material misstatement?
├── NO (de minimis) → light-touch: log in registry, no ITGC controls, but periodic re-check
└── YES OR UNSURE → continue
3. Consult Internal Audit before proceeding to M8 (approval)
└── IA determines: in-scope for ICFR / not in-scope / requires control design
4. If in-scope for ICFR:
- Automatic High tier in the framework
- SOX overlay sections applied to Agent Card + checklists
- 7-year retention configured
- SoD verified
- External auditor will test during audit period
- Quarterly review (template 15) includes SOX status row
5. Stage 3 (autonomous) for any ICFR-relevant control?
├── REJECT by default — human review required for any control producing financial-reporting evidence
└── Narrow exceptions only with CFO + external-auditor consultation
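The decision tree above, combined with the SoD and retention checks from the pilot-to-prod gate (items 12 and 13), as an added Python example that is not part of the overlay or the framework's own tooling; the AgentRecord fields, the string values used for Internal Audit's determination, and the two sample registry entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SOX_RETENTION_YEARS = 7  # §802 retention floor for SOX-relevant logs

@dataclass
class AgentRecord:  # registry entry; field names are assumptions, not the framework's schema
    name: str
    touches_financial_system: bool  # step 1
    material_to_icfr: str           # step 2: "yes" / "no" / "unsure"
    autonomy_stage: int             # step 5: 3 = autonomous
    builder: str
    owner: str
    hitl_approver: str
    log_retention_years: float
    ia_determination: str = None    # step 3: "in-scope" / "not-in-scope" / "requires-control-design"

def sod_findings(a: AgentRecord) -> list:
    """Pilot-to-prod item 13: Builder, Agent Owner and HITL Approver must be distinct people."""
    roles = [("Builder", a.builder), ("Agent Owner", a.owner), ("HITL Approver", a.hitl_approver)]
    return [f"SoD: {r1} and {r2} are the same person ({p1})"
            for i, (r1, p1) in enumerate(roles) for r2, p2 in roles[i + 1:]
            if p1.strip().lower() == p2.strip().lower()]

def walk_decision_tree(a: AgentRecord) -> dict:
    """Walk the per-agent SOX tree (section 7); returns status plus blocking findings."""
    out = {"agent": a.name, "overlay_applies": False, "status": "", "findings": []}
    if not a.touches_financial_system:                 # step 1
        out["status"] = "SOX overlay does NOT apply"
        return out
    out["overlay_applies"] = True
    if a.material_to_icfr == "no":                     # step 2: de minimis
        out["status"] = "light-touch: log in registry, periodic re-check"
        return out
    if a.ia_determination is None:                     # step 3: yes/unsure needs IA first
        out["status"] = "blocked at M8: Internal Audit consultation required"
        return out
    if a.ia_determination == "not-in-scope":
        out["status"] = "IA: not in-scope for ICFR"
        return out
    out["status"] = "in-scope for ICFR: High tier, overlay sections, 7y retention, SoD, auditor testing"
    out["findings"] += sod_findings(a)                 # step 4: in-scope or requires control design
    if a.log_retention_years < SOX_RETENTION_YEARS:
        out["findings"].append(f"retention {a.log_retention_years}y < {SOX_RETENTION_YEARS}y (§802)")
    if a.autonomy_stage >= 3:                          # step 5: autonomous ICFR control
        out["findings"].append("Stage 3 autonomy rejected by default: human review required")
    return out

# Constructed sample registry entries (not real agents)
AP_ROUTER = AgentRecord("ap-invoice-router", True, "yes", 3, "alice", "alice", "bob", 0.25, "in-scope")
MEMO_DRAFTER = AgentRecord("finance-memo-drafter", False, "no", 1, "carol", "dan", "erin", 0.5)
```

Any non-empty findings list on an in-scope agent is a blocker at the pilot-to-prod gate until the SoD mapping, retention policy or autonomy stage is corrected.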
## 8. ITGC mapping (the standard four)
| ITGC area | Translation to AI agent |
|---|---|
| Logical access | Agent identity in IdP + least-privilege per Agent Card §6 + §8. Quarterly access recertification. SoD between Builder, Owner, and HITL Approver. |
| Change management | Source control + PR review + CI/CD with quality gates + audit trail of every prompt + tool change. Eval re-run on every change. |
| Computer operations | Monitoring (template 09 runbook + framework §21 signals) + on-call rotation + incident response + post-mortems (template 10) for Sev-2+. |
| Program development | Agent Card (template 03) + threat model (template 05) + eval report (template 08) + pilot-to-prod gate (template 07) — the framework's per-agent lifecycle IS the program development control. |
Internal Audit will map these to the company's existing ITGC framework (often COSO 2013).
## 9. Common pitfalls
| Pitfall | Reality |
|---|---|
| "Internal AI doesn't affect financial reporting" | If it touches AP, AR, revenue recognition, expense classification, journal entries, or close-process tasks, it likely affects financial reporting. |
| "We have HITL so SOX doesn't really apply" | HITL helps but doesn't exempt. The agent's design + change management + access controls are still ITGC-relevant. |
| "We'll figure out SoD later" | Builder = Owner = HITL Approver = same person is the most common SoD finding. Fix at Agent Card §1 and §9. |
| "Retention defaults are fine" | 30-day or 90-day defaults violate §802. Must be 7 years for SOX-relevant logs. |
| "Internal Audit doesn't need to see this yet" | Late IA involvement = late discovery of material issues. Bring IA in at triage, not after deployment. |
| "External auditor won't ask about AI" | They will. Big-4 auditors are training audit teams on AI ICFR. Expect questions about: how the agent was tested, how change management works, where the logs are. |
| "Prompt changes aren't really 'change management'" | Prompts ARE code for an LLM agent. Treat prompt edits as code changes. PR-review them. Eval them. Track them. |
| "Eval reports are internal — auditor doesn't need them" | They become audit evidence. Auditor will want to see how operating effectiveness was tested. |
## 10. References
- SOX statute (full): govinfo.gov — Sarbanes-Oxley Act of 2002
- PCAOB AS 2201: pcaobus.org/oversight/standards
- COSO 2013 framework: coso.org/sitepages/internal-control
- SEC Division of Corporation Finance — Disclosure Guidance: AI-related disclosures (emerging area, check current SEC statements)
- AICPA + Center for Audit Quality guidance on AI in audits (industry, supplemental)
- framework.md §10 (risk classification — SOX-relevant agents are Medium-High minimum)
- framework.md §17 (privileged identities — SoD is built into identity model)