sitkastack

SOX and ICFR for AI Systems

Sarbanes-Oxley Act, Sections 302 and 404 · Internal Control over Financial Reporting · Applicable to SEC registrants and their consolidated subsidiaries.

What it covers

The Sarbanes-Oxley Act requires SEC registrants to establish and maintain effective internal control over financial reporting, including IT general controls (ITGCs) and IT application controls (ITACs) for systems supporting financial reporting. As AI systems increasingly support financial processes (underwriting, loan loss provisioning, fraud detection, customer onboarding), they fall within ICFR scope and require designed controls, documented evidence, and operating-effectiveness testing.

Most SOX programs do not yet have AI-specific ITGCs or ITACs. Building them is now a standard part of IPO readiness and post-IPO compliance maturation.

Who it applies to

SEC registrants of all sizes (with accelerated filer requirements applying to larger filers), their consolidated subsidiaries, and companies preparing for IPO. In practice, this includes nearly every late-stage fintech, public bank holding company, and US-listed insurer.

The AI-relevant control objectives

  • AI system inventory in scope for ICFR
  • Access controls on AI model training data
  • Change management for prompts, model versions, and configurations
  • Input validation for AI systems producing financial-reporting outputs
  • Output reconciliation and exception handling
  • Third-party AI vendor controls
  • Evidence collection for external audit walkthroughs

How sitkastack maps to it

What sitkastack delivers under this framework

For SOX/ICFR readiness on AI systems, sitkastack engagements produce AI-specific ITGC and ITAC templates that drop into AuditBoard or your equivalent GRC platform, mapped to COSO control objectives. Typical engagements: AI Policy & Risk Pack (AI controls documentation for your SOX program), SOX Readiness Sprint (readiness assessment ahead of next SOX cycle), or 90-Day AI Build (production AI workflow with SOX-ready controls built in).

SOC 1 note

SOC 1 reports from AI service providers are evaluated as part of your SOX scope. When your AI vendor is itself a service organization (common for AI infrastructure providers), its SOC 1 attestation becomes part of your control evidence, but only for the controls the report actually covers; complementary user entity controls remain yours to design and test. sitkastack engagements that produce third-party AI controls explicitly address how vendor SOC 1 reports get evaluated and which additional controls remain your responsibility.

Honest limitations

sitkastack produces SOX-ready AI control documentation and reference implementations. I do not perform SOX audits, replace your external auditor, or certify ICFR effectiveness. Your audit firm and management remain accountable for SOX attestations.

Talk to me

Questions about how this maps to your environment? Email me.